Added opcache.restrict_api configuration directive that may limit usage of OPcahce...

diff --git a/NEWS b/NEWS
index 60b2760b390fd9d2b7b8492f457546c9baee7c19..19e33d84ca44755ad4b034ca53632aab18f84736 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     limited case). (Arpad)
 
 - OPcahce:
+  . Added opcache.restrict_api configuration directive that may limit
+    usage of OPcahce API functions only to patricular script(s). (Dmitry)
   . Added support for glob symbols in blacklist entries (?, *, **).
     (Terry Elison, Dmitry)
   . Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on

diff --git a/ext/opcache/README b/ext/opcache/README
index 311001224adae0b17d334b7eb64d80265bca847e..6c3cc746e77c0647e8b768b1f13b4dace72c4170 100644 (file)
--- a/ext/opcache/README
+++ b/ext/opcache/README
@@ -199,6 +199,10 @@ opcache.protect_memory (default "0")
        Protect the shared memory from unexpected writing during script execution.
        Useful for internal debugging only.
 
+opcache.restrict_api (default "")
+       Allows calling OPcache API functions only from PHP scripts which path is
+       started from specified string. The default "" means no restriction.
+
 opcache.mmap_base
        Mapping base of shared memory segments (for Windows only). All the PHP
        processes have to map shared memory into the same address space. This

diff --git a/ext/opcache/ZendAccelerator.h b/ext/opcache/ZendAccelerator.h
index 57e2e7a0c5d73662030e939d54572e1eab799575..361b60b08f1c40b48ebc180abc12a5b7ec3a8061 100644 (file)
--- a/ext/opcache/ZendAccelerator.h
+++ b/ext/opcache/ZendAccelerator.h
@@ -232,6 +232,7 @@ typedef struct _zend_accel_directives {
 #if ZEND_EXTENSION_API_NO > PHP_5_3_X_API_NO
        long           interned_strings_buffer;
 #endif
+       char          *restrict_api;
 } zend_accel_directives;
 
 typedef struct _zend_accel_globals {

diff --git a/ext/opcache/zend_accelerator_module.c b/ext/opcache/zend_accelerator_module.c
index 2287d1353ced0d8d42ab3926dd04c889f42949e5..f9ddaa98b8ba0159a7851ef51f86f37385cec7c9 100644 (file)
--- a/ext/opcache/zend_accelerator_module.c
+++ b/ext/opcache/zend_accelerator_module.c
@@ -71,6 +71,21 @@ static zend_function_entry accel_functions[] = {
        { NULL, NULL, NULL, 0, 0 }
 };
 
+static int validate_api_restriction(TSRMLS_D)
+{
+       if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
+               int len = strlen(ZCG(accel_directives).restrict_api);
+
+               if (!SG(request_info).path_translated ||
+                   strlen(SG(request_info).path_translated) < len ||
+                   memcmp(SG(request_info).path_translated, ZCG(accel_directives).restrict_api, len) != 0) {
+                       zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted by \"restrict_api\" configuration directive");
+                       return 0;
+               }
+       }       
+       return 1;
+}
+
 static ZEND_INI_MH(OnUpdateMemoryConsumption)
 {
        long *p;
@@ -251,6 +266,7 @@ ZEND_INI_BEGIN()
        STD_PHP_INI_BOOLEAN("opcache.enable_file_override"      , "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.file_override_enabled,     zend_accel_globals, accel_globals)
        STD_PHP_INI_BOOLEAN("opcache.enable_cli"             , "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.enable_cli,                zend_accel_globals, accel_globals)
        STD_PHP_INI_ENTRY("opcache.error_log"                , ""    , PHP_INI_SYSTEM, OnUpdateString,           accel_directives.error_log,                 zend_accel_globals, accel_globals)
+       STD_PHP_INI_ENTRY("opcache.restrict_api"             , ""    , PHP_INI_SYSTEM, OnUpdateString,           accel_directives.restrict_api,              zend_accel_globals, accel_globals)
 
 #ifdef ZEND_WIN32
        STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM,    OnUpdateString,                              accel_directives.mmap_base,                 zend_accel_globals, accel_globals)
@@ -517,6 +533,10 @@ static ZEND_FUNCTION(opcache_get_status)
                return;
        }
        
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (!accel_startup_ok) {
                RETURN_FALSE;
        }
@@ -587,6 +607,10 @@ static ZEND_FUNCTION(opcache_get_configuration)
        }
 #endif
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        array_init(return_value);
 
        /* directives */
@@ -651,6 +675,10 @@ static ZEND_FUNCTION(opcache_reset)
        }
 #endif
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
                RETURN_FALSE;
        }
@@ -671,6 +699,10 @@ static ZEND_FUNCTION(opcache_invalidate)
                return;
        }
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (zend_accel_invalidate(script_name, script_name_len, force TSRMLS_CC) == SUCCESS) {
                RETURN_TRUE;
        } else {