MFH: oci8: flush persistent connection after password change

diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c
index 051e177c1dd98b7e0387ee9cea3a883f7cf5f714..befb3a43b1ad39133bfe2e68853608eeb8c15b8c 100644 (file)
--- a/ext/oci8/oci8.c
+++ b/ext/oci8/oci8.c
@@ -1203,6 +1203,9 @@ open:
                /* -1 means "Off" */
                connection->next_ping = 0;
        }
+
+       /* mark password as unchanged by PHP during the duration of the database session */
+       connection->passwd_changed = 0;
        
        smart_str_free_ex(&hashed_details, 0);
 
@@ -1399,7 +1402,7 @@ open:
        
        /* mark it as open */
        connection->is_open = 1;
-
+       
        /* add to the appropriate hash */
        if (connection->is_persistent) {
                new_le.ptr = connection;
@@ -1571,6 +1574,7 @@ int php_oci_password_change(php_oci_connection *connection, char *user, int user
                PHP_OCI_HANDLE_ERROR(connection, connection->errcode);
                return 1;
        }
+       connection->passwd_changed = 1;
        return 0;
 } /* }}} */
 
@@ -1790,7 +1794,7 @@ static int php_oci_persistent_helper(zend_rsrc_list_entry *le TSRMLS_DC)
 
                if (connection->used_this_request) {
                        if ((PG(connection_status) & PHP_CONNECTION_TIMEOUT) || OCI_G(in_call)) {
-                               return 1;
+                               return ZEND_HASH_APPLY_REMOVE;
                        }
 
                        if (connection->descriptors) {
@@ -1803,6 +1807,18 @@ static int php_oci_persistent_helper(zend_rsrc_list_entry *le TSRMLS_DC)
                                php_oci_connection_rollback(connection TSRMLS_CC);
                        }
                        
+                       /* If oci_password_change() changed the password of a
+                        * persistent connection, close the connection and remove
+                        * it from the persistent connection cache.  This means
+                        * subsequent scripts will be prevented from being able to
+                        * present the old (now invalid) password to a usable
+                        * connection to the database; they must use the new
+                        * password.
+                        */
+                       if (connection->passwd_changed) {
+                               return ZEND_HASH_APPLY_REMOVE;
+                       }
+
                        if (OCI_G(persistent_timeout) > 0) {
                                connection->idle_expiry = timestamp + OCI_G(persistent_timeout);
                        }
@@ -1815,14 +1831,15 @@ static int php_oci_persistent_helper(zend_rsrc_list_entry *le TSRMLS_DC)
                        }
 
                        connection->used_this_request = 0;
+
                } else if (OCI_G(persistent_timeout) != -1) {
                        if (connection->idle_expiry < timestamp) {
                                /* connection has timed out */
-                               return 1;
+                               return ZEND_HASH_APPLY_REMOVE;
                        }
                }
        }
-       return 0;
+       return ZEND_HASH_APPLY_KEEP;
 } /* }}} */
 
 #ifdef ZTS

diff --git a/ext/oci8/php_oci8_int.h b/ext/oci8/php_oci8_int.h
index e05a0fb840ed5acbf98318d805de76bab0025519..33b94aced0a4dfae7ff02cd873c31a813f590fd3 100644 (file)
--- a/ext/oci8/php_oci8_int.h
+++ b/ext/oci8/php_oci8_int.h
@@ -112,6 +112,7 @@ typedef struct { /* php_oci_connection {{{ */
        unsigned is_persistent:1;       /* self-descriptive */
        unsigned used_this_request:1; /* helps to determine if we should reset connection's next ping time and check its timeout */
        unsigned needs_commit:1;        /* helps to determine if we should rollback this connection on close/shutdown */
+       unsigned passwd_changed:1;      /* helps determine if a persistent connection hash should be invalidated after a password change */
        int rsrc_id;                            /* resource ID */
        time_t idle_expiry;                     /* time when the connection will be considered as expired */
        time_t next_ping;                       /* time of the next ping */