From: Christoph M. Becker Date: Wed, 16 Dec 2020 11:35:38 +0000 (+0100) Subject: Fix #76929: zip-based phar does not respect phar.require_hash X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f96b2bdc8f9109c53ac6121fb3adca517afd133;p=php Fix #76929: zip-based phar does not respect phar.require_hash Based on the patch provided by david at bamsoftware. Closes GH-6517. --- diff --git a/NEWS b/NEWS index 446dd9be21..57572a1417 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,10 @@ PHP NEWS . Fixed bug #80521 (Parameters with underscores no longer recognized). (cmb, Simonov Denis) +- Phar: + . Fixed bug #76929 (zip-based phar does not respect phar.require_hash). + (david at bamsoftware, cmb) + 07 Jan 2021, PHP 8.0.1 - Core: diff --git a/ext/phar/tests/zip/badalias.phpt b/ext/phar/tests/zip/badalias.phpt index 9e7fdf8091..81e5be55fd 100644 --- a/ext/phar/tests/zip/badalias.phpt +++ b/ext/phar/tests/zip/badalias.phpt @@ -1,5 +1,7 @@ --TEST-- Phar: invalid aliases +--INI-- +phar.require_hash=0 --SKIPIF-- diff --git a/ext/phar/tests/zip/bzip2.phpt b/ext/phar/tests/zip/bzip2.phpt index 13bdde3ea6..3a51c52957 100644 --- a/ext/phar/tests/zip/bzip2.phpt +++ b/ext/phar/tests/zip/bzip2.phpt @@ -1,5 +1,7 @@ --TEST-- Phar: process bzip2-compressed zip entry +--INI-- +phar.require_hash=0 --SKIPIF-- diff --git a/ext/phar/tests/zip/frontcontroller1.phar.phpt b/ext/phar/tests/zip/frontcontroller1.phar.phpt index b4ace60869..bbd5208b64 100644 --- a/ext/phar/tests/zip/frontcontroller1.phar.phpt +++ b/ext/phar/tests/zip/frontcontroller1.phar.phpt @@ -1,5 +1,7 @@ --TEST-- Phar front controller other zip-based +--INI-- +phar.require_hash=0 --SKIPIF-- diff --git a/ext/phar/tests/zip/frontcontroller11.phar.phpt b/ext/phar/tests/zip/frontcontroller11.phar.phpt index 15534d02c5..ce36f32f04 100644 --- a/ext/phar/tests/zip/frontcontroller11.phar.phpt +++ b/ext/phar/tests/zip/frontcontroller11.phar.phpt 
@@ -2,6 +2,7 @@
 Phar front controller mime type extension is not a string zip-based
 --INI--
 default_charset=
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller12.phar.phpt b/ext/phar/tests/zip/frontcontroller12.phar.phpt
index b0caca91ac..9f5b0a13aa 100644
--- a/ext/phar/tests/zip/frontcontroller12.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller12.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller mime type unknown int zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller13.phar.phpt b/ext/phar/tests/zip/frontcontroller13.phar.phpt
index 18a1c1fd2f..5d2a77e4ac 100644
--- a/ext/phar/tests/zip/frontcontroller13.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller13.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller mime type not string/int zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller14.phar.phpt b/ext/phar/tests/zip/frontcontroller14.phar.phpt
index 496160b12f..9a3e34a90f 100644
--- a/ext/phar/tests/zip/frontcontroller14.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller14.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller mime type override, other zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller15.phar.phpt b/ext/phar/tests/zip/frontcontroller15.phar.phpt
index f6468ee521..04fdc57ef0 100644
--- a/ext/phar/tests/zip/frontcontroller15.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller15.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller mime type override, Phar::PHPS zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller16.phar.phpt b/ext/phar/tests/zip/frontcontroller16.phar.phpt
index 890eb5d0e2..6c75f7df51 100644
--- a/ext/phar/tests/zip/frontcontroller16.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller16.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller mime type override, Phar::PHP zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller17.phar.phpt b/ext/phar/tests/zip/frontcontroller17.phar.phpt
index d6ccdc6dfc..b4bce3dced 100644
--- a/ext/phar/tests/zip/frontcontroller17.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller17.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller mime type unknown zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller18.phar.phpt b/ext/phar/tests/zip/frontcontroller18.phar.phpt
index 3d01527122..963170949e 100644
--- a/ext/phar/tests/zip/frontcontroller18.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller18.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller $_SERVER munging failure zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller19.phar.phpt b/ext/phar/tests/zip/frontcontroller19.phar.phpt
index db66ea48b0..c478f428e5 100644
--- a/ext/phar/tests/zip/frontcontroller19.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller19.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller $_SERVER munging failure 2 zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller2.phar.phpt b/ext/phar/tests/zip/frontcontroller2.phar.phpt
index e143e79f3f..d4910e4f7d 100644
--- a/ext/phar/tests/zip/frontcontroller2.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller2.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller PHP test zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller20.phar.phpt b/ext/phar/tests/zip/frontcontroller20.phar.phpt
index 3bab3bfd80..fde3590a28 100644
--- a/ext/phar/tests/zip/frontcontroller20.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller20.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller $_SERVER munging failure 3 zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller3.phar.phpt b/ext/phar/tests/zip/frontcontroller3.phar.phpt
index 88a8a2490d..a9f5990d58 100644
--- a/ext/phar/tests/zip/frontcontroller3.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller3.phar.phpt
@@ -2,6 +2,7 @@
 Phar front controller phps zip-based
 --INI--
 default_charset=UTF-8
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller4.phar.phpt b/ext/phar/tests/zip/frontcontroller4.phar.phpt
index ff85eb6ab6..fe49598695 100644
--- a/ext/phar/tests/zip/frontcontroller4.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller4.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller index.php relocate (no /) zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller5.phar.phpt b/ext/phar/tests/zip/frontcontroller5.phar.phpt
index 1705fac4c4..4aefdf5b08 100644
--- a/ext/phar/tests/zip/frontcontroller5.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller5.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller index.php relocate zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller6.phar.phpt b/ext/phar/tests/zip/frontcontroller6.phar.phpt
index 8188caf7c9..bbf702d1d2 100644
--- a/ext/phar/tests/zip/frontcontroller6.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller6.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller 404 zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/frontcontroller7.phar.phpt b/ext/phar/tests/zip/frontcontroller7.phar.phpt
index 828da0aeb4..0a67802c7f 100644
--- a/ext/phar/tests/zip/frontcontroller7.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller7.phar.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Phar front controller alternate index file zip-based
+--INI--
+phar.require_hash=0
 --SKIPIF--
diff --git a/ext/phar/tests/zip/getalias.phpt b/ext/phar/tests/zip/getalias.phpt
index e8ab8494cf..63ce629ef4 100644
--- a/ext/phar/tests/zip/getalias.phpt
+++ b/ext/phar/tests/zip/getalias.phpt @@ -4,6 +4,7 @@ Phar: getAlias() with an existing phar.zip --INI-- phar.readonly=0 +phar.require_hash=0 --FILE-- +--INI-- +phar.readonly=1 +phar.require_hash=0 +--FILE-- +init(); +$zip->addFile('zip_001.php', 'addFile('internal/file/here', "hi there!\n"); +$zip->addFile('.phar/stub.php', "__HALT_COMPILER();"); +$zip->close(); + +try { + $phar = new Phar($fname); + var_dump($phar->getStub()); +} catch (Exception $e) { + echo $e->getMessage()."\n"; +} +ini_set('phar.require_hash', 0); +try { + $phar = new PharData($fname2); + $phar['file'] = 'hi'; + var_dump($phar->getSignature()); + $phar->setSignatureAlgorithm(Phar::MD5); + var_dump($phar->getSignature()); +} catch (Exception $e) { + echo $e->getMessage()."\n"; +} + +?> +===DONE=== +--CLEAN-- + +--EXPECTF-- +zip-based phar "%srequire_hash.phar.zip" does not have a signature +bool(false) +array(2) { + ["hash"]=> + string(32) "%s" + ["hash_type"]=> + string(3) "MD5" +} +===DONE=== diff --git a/ext/phar/tests/zip/zlib.phpt b/ext/phar/tests/zip/zlib.phpt index 96b63e73a6..a51ad5e5fd 100644 --- a/ext/phar/tests/zip/zlib.phpt +++ b/ext/phar/tests/zip/zlib.phpt @@ -1,5 +1,7 @@ --TEST-- Phar: process zlib-compressed zip alias +--INI-- +phar.require_hash=0 --SKIPIF-- diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 1d7c5b2217..1b94943ad3 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -673,6 +673,16 @@ foundit: mydata->is_data = 1; } + /* ensure signature set */ + if (!mydata->is_data && PHAR_G(require_hash) && !mydata->signature) { + php_stream_close(fp); + phar_destroy_phar_data(mydata); + if (error) { + spprintf(error, 0, "zip-based phar \"%s\" does not have a signature", fname); + } + return FAILURE; + } + zend_hash_str_add_ptr(&(PHAR_G(phar_fname_map)), mydata->fname, fname_len, mydata); if (actual_alias) {
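Review bot: The new rejection branch in the ext/phar/zip.c hunk may release the stream twice, because it calls `php_stream_close(fp)` and then `phar_destroy_phar_data(mydata)`, and the hunk shows neither where `mydata->fp` is assigned nor what the destroy helper closes. If `mydata->fp` already aliases `fp` at this point, either drop the explicit close or add `mydata->fp = NULL;` before `phar_destroy_phar_data(mydata);`, so that rejecting an unsigned archive does not touch a freed stream. Separately, the condition only tests that `mydata->signature` is non-NULL, so the comment would be more useful as `/* phar.require_hash: executable (non-data) zip phars must carry a signature; verification presumably happens where the signature entry is parsed - confirm */`. The enclosing function starts and ends outside this hunk, so both points need checking against the full body.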