| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When extracting compressed files from an uncompressed Phar, we must not
use the direct file pointer, but rather get an uncompressed file
pointer.
We also add a test to show that deflated and stored entries are
properly extracted.
This also fixes #79912, which appears to be a duplicate of #69279.
Co-authored-by: Anna Filina <afilina@gmail.com>
Closes GH-6599.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We must not assume that the first end of central dir signature in a ZIP
archive actually designates the end of central directory record, since
the data in the archive may contain arbitrary byte patterns. Thus, we
better search from the end of the data, what is also slightly more
efficient.
There is, however, no way to detect the end of central directory
signature by searching from the end of the ZIP archive with absolute
certainty, since the signature could be part of the trailing comment.
To mitigate, we check that the comment length fits to the found
position, but that might still not be the correct position in rare
cases.
Closes GH-6507.
|
|
|
|
| |
Closes GH-6574.
|
|
|
|
|
|
|
| |
`phar_path_check()` already strips a leading slash, so we must not
attempt to strip the trailing slash from an now empty directory name.
Closes GH-6508.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently, there are broken tarballs out there which are actually in
ustar format, but did not write the `ustar` marker. Since popular tar
tools like GNU tar and 7zip have no issues dealing with such tarballs,
Phar should also be more resilient.
Thus, when the first checksum check of a tarball in (presumed) in old-
style format fails, we check whether the checksum would be suitable for
ustar format; if so, we treat the tarball as being in ustar format.
Closes GH-6479.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Phar signatures practically are of limited size; for the MD5 and SHA
hashes the size is fixed (at most 64 bytes for SHA512); for OpenSSL
public keys there is no size limit in theory, but "64 KiB ought to be
good enough for anybody". So we check for that limit, to avoid fatal
errors due to out of memory conditions.
Since it is neither possible to have the signature compressed in the
ZIP archive, nor is it possible to manually add a signature via Phar,
we use ZipArchive to create a suitable archive for the test on the fly.
Closes GH-6474.
|
|\
| |
| |
| |
| | |
* PHP-7.3:
Skip test if A: drive exists
|
| |
| |
| |
| | |
Otherwise the test case will fail for a very different reason.
|
| |\
| | |
| | |
| | |
| | |
| | | |
* PHP-7.2:
Fix #79877: getimagesize function silently truncates after a null byte
Fix #79797: Use of freed hash key in the phar_parse_zipfile function
|
| | |
| | |
| | |
| | | |
We must not use heap memory after we freed it.
|
| | |
| | |
| | |
| | | |
all-access permissions
|
| | |
| | |
| | |
| | | |
We must not use heap memory after we freed it.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
"poo" was only used in the opendir_edgecases test, but rmdir'ed
in some other tests as well.
I've also taken the liberty of renaming this directory...
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently ./configure --enable-phar --program-suffix=7.4 will
result in binaries named php7.4 and phar but should instead
result in php7.4 and phar7.4
Closes GH-5650.
|
|\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fix #79503: Memory leak on duplicate metadata
|
| | |
| | |
| | |
| | |
| | | |
Duplicate metadata can only happen if someone tampers with the phar, so
we can and should treat that as error.
|
| | |
| | |
| | |
| | | |
We must not access memory outside of the allocated buffer.
|
| | |
| | |
| | |
| | | |
all-access permissions
|
| | |
| | |
| | |
| | | |
We must not access memory outside of the allocated buffer.
|
| | |
| | |
| | |
| | | |
all-access permissions
|
| | |
| | |
| | |
| | | |
Mostly reindent PHP scripts to spaces.
|
|\ \ \
| |/ /
| | |
| | |
| | | |
* PHP-7.3:
Fix #76584: PharFileInfo::decompress not working
|
| | |
| | |
| | |
| | | |
We actually have to decompress, when told to do so.
|
| | |
| | |
| | |
| | |
| | |
| | | |
without MSHUTDOWN callback.
Extensions with MSHUTDOWN should use UNREGISTER_INI_ENTRIES().
|
| | | |
|
|\ \ \
| |/ / |
|
| |\ \
| | |/ |
|
| | | |
|
|\ \ \
| |/ /
| | |
| | |
| | |
| | |
| | |
| | | |
* PHP-7.3:
Fix #77919: Potential UAF in Phar RSHUTDOWN
Update NEWS
Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
|
| |\ \
| | |/
| | |
| | |
| | |
| | |
| | |
| | | |
* PHP-7.2:
Fix #77919: Potential UAF in Phar RSHUTDOWN
Update NEWS
Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* PHP-7.1:
Fix #77919: Potential UAF in Phar RSHUTDOWN
Update NEWS
Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We have to properly clean up in case phar_flush() is failing.
We also make the expectation of the respective test case less liberal
to avoid missing such bugs in the future.
|
| | | |
| | | |
| | | |
| | | | |
- switch from strncpy to memcpy for -Wstringop-truncation
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This reverts commit e0eca262852dba1a78afcde64a49126c81fead1a.
free_filename is used by the wincache extension, restore this
field for PHP 7.4.
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.
As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).
I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- when $status is boolean, E_NOTICE appears and tests fail
- opcache is never enabled on these tests anyway.
- Add opcache.revalidate_freq=0 to testing script
Instead of checking this in the tests files it can be used directly in
the main testing script. Also this fixes failed tests.
- Use opcache_invalidate() instead of sleep() delay in some tests. Some
delays are still used since the opcache_invalidate seems to be buggy
and not working as expected.
Closes GH-4392
|
| | | |
| | | |
| | | |
| | | | |
Closes GH-4436
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This reverts commit 5a90dc77b8f244f603082aea022fadc0ce2c009c.
Let's try to go with the reverse direction here and actually trust
the reported size...
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If we're including a file via PHP streams, we're not going to trust
the reported file size anyway and populate in a loop -- so don't
bother determining the file size in the first place. Only do this
for non-tty HANDLE_FP now, which is the only case where this
information was used.
|
| | | |
| | | |
| | | |
| | | |
| | | | |
The buf/len members are now simply used in addition to the main
stream, without changing the handle kind.
|
| | | |
| | | |
| | | |
| | | | |
free_filename was always zero.
|
| | | |
| | | |
| | | |
| | | | |
Avoid more ad-hoc initialization of zend_file_handle structures.
|
| | | |
| | | |
| | | |
| | | | |
This handle type was unused.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
There is also a php_strtok_r() function, which is actually used,
but nothing uses the tsrm_strtok_r() variant...
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
- The hash extension is now always available.
- Remove unfinished test
The Phar::PGP currently doesn't exist yet.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The hash extension is always available since PHP-7.4. The symbol
HAVE_HASH_EXT is kept for BC reasons and removed in PHP-8.0.
This patch also removes the PHAR_HASH_OK since it is no longer
relevant.
|