From 5010fec2f09b5ea4fe867b3950ee2a9435a4b756 Mon Sep 17 00:00:00 2001
From: Greg Beaver <cellog@php.net>
Date: Wed, 24 Jun 2009 22:19:47 +0000
Subject: [PATCH] fix Bug #48681: openssl signature verification for tar
 archives broken in ext/phar, merge small fixes to phar.phar generation from
 PHP_5_3

---
 ext/phar/phar/pharcommand.inc                |  28 +++++++++++++------
 ext/phar/tar.c                               |   9 ++++--
 ext/phar/tests/tar/files/P1-1.0.0.tgz        | Bin 0 -> 1284 bytes
 ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey |   9 ++++++
 ext/phar/tests/tar/tar_openssl_hash.phpt     |  22 +++++++++++++++
 5 files changed, 57 insertions(+), 11 deletions(-)
 create mode 100644 ext/phar/tests/tar/files/P1-1.0.0.tgz
 create mode 100644 ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey
 create mode 100644 ext/phar/tests/tar/tar_openssl_hash.phpt

diff --git a/ext/phar/phar/pharcommand.inc b/ext/phar/phar/pharcommand.inc
index e50637b241..bae6aae8f0 100755
--- a/ext/phar/phar/pharcommand.inc
+++ b/ext/phar/phar/pharcommand.inc
@@ -210,16 +210,28 @@ class PharCommand extends CLICommand
 	 */
 	static function cli_arg_typ_loader($arg, $cfg, $key)
 	{
-		if (($arg == '0' || $arg == '1') && !file_exists($arg)) {
+		if (($arg == '0' || $arg == '1') && !file_exists($arg) && substr(PHP_OS, 0, 3) != 'WIN') {
 			$found = NULL;
-			$apiver = `pear -q info PHP_Archive 2>/dev/null|grep 'API Version'`;
-			$apiver = trim(substr($apiver, strlen('API Version')));
+			$apiver = false;
+			$path = explode(PATH_SEPARATOR, $_ENV['PATH']);
+			$pear = false;
+			foreach ($path as $component) {
+				if (file_exists($component . DIRECTORY_SEPARATOR . 'pear')
+					&& is_executable($component . DIRECTORY_SEPARATOR . 'pear'))) {
+					$pear = true;
+					break;
+				}
+			}
+			if ($pear) {
+				$apiver = `pear -q info PHP_Archive 2>/dev/null|grep 'API Version'`;
+				$apiver = trim(substr($apiver, strlen('API Version')));
+			}
 			if ($apiver) {
-				self::notice("Pear package PHP_Archive: API Version: $apiver.\n");
+				self::notice("PEAR package PHP_Archive: API Version: $apiver.\n");
 				$files  = explode("\n", `pear list-files PHP_Archive`);
 				$phpdir = `pear config-get php_dir 2>/dev/null`;
 				$phpdir = trim($phpdir);
-				self::notice("Pear package PHP_Archive: $phpdir.\n");
+				self::notice("PEAR package PHP_Archive: $phpdir.\n");
 				if (is_dir($phpdir)) {
 					foreach($files as $ent) {
 						$matches = NULL;
@@ -234,13 +246,13 @@ class PharCommand extends CLICommand
 						}
 					}
 				} else {
-					self::notice("Pear package PHP_Archive: corrupt or inaccessible base dir: $php_dir.\n");
+					self::notice("PEAR package PHP_Archive: corrupt or inaccessible base dir: $php_dir.\n");
 				}
 			}
 			if (isset($found)) {
-				self::notice("Pear package PHP_Archive: $found.\n");
+				self::notice("PEAR package PHP_Archive: $found.\n");
 			} else {
-				$msg = "Pear package PHP_Archive or Archive.php class file not found.\n";
+				$msg = "PEAR package PHP_Archive not installed: generated phar will require PHP's phar extension be enabled.\n";
 				if ($arg == '0') {
 					self::notice($msg);
 				} else {
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 85c0649900..1869e5c6ea 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -255,6 +255,8 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
 			phar_tar_number(hdr->size, sizeof(hdr->size));
 
 		if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) {
+			off_t curloc;
+
 			if (size > 511) {
 				if (error) {
 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" has signature that is larger than 511 bytes, cannot process", fname);
@@ -264,6 +266,7 @@ bail:
 				phar_destroy_phar_data(myphar TSRMLS_CC);
 				return FAILURE;
 			}
+			curloc = php_stream_tell(fp);
 			read = php_stream_read(fp, buf, size);
 			if (read != size) {
 				if (error) {
@@ -280,7 +283,7 @@ bail:
 #else
 # define PHAR_GET_32(buffer) (php_uint32) *(buffer)
 #endif
-			if (FAILURE == phar_verify_signature(fp, php_stream_tell(fp) - size - 512, PHAR_GET_32(buf), buf + 8, PHAR_GET_32(buf + 4), fname, &myphar->signature, &myphar->sig_len, error TSRMLS_CC)) {
+			if (FAILURE == phar_verify_signature(fp, php_stream_tell(fp) - size - 512, PHAR_GET_32(buf), buf + 8, size - 8, fname, &myphar->signature, &myphar->sig_len, error TSRMLS_CC)) {
 				if (error) {
 					char *save = *error;
 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be verified: %s", fname, save);
@@ -288,11 +291,11 @@ bail:
 				}
 				goto bail;
 			}
+			php_stream_seek(fp, curloc + 512, SEEK_SET);
 			/* signature checked out, let's ensure this is the last file in the phar */
-			size = ((size+511)&~511) + 512;
 			if (((hdr->typeflag == '\0') || (hdr->typeflag == TAR_FILE)) && size > 0) {
 				/* this is not good enough - seek succeeds even on truncated tars */
-				php_stream_seek(fp, size, SEEK_CUR);
+				php_stream_seek(fp, 512, SEEK_CUR);
 				if ((uint)php_stream_tell(fp) > totalsize) {
 					if (error) {
 						spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (truncated)", fname);
diff --git a/ext/phar/tests/tar/files/P1-1.0.0.tgz b/ext/phar/tests/tar/files/P1-1.0.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..1d9cae43984f90a1097b5ba38d350be01974aeb6
GIT binary patch
literal 1284
zcmV+f1^fCRiwFP!000001MOK`XdG1-Ua^Qx6-Dqu1(_~V)56Y~%U+swGHKQ(X=)Nu
z6GaqFCo`wnA+s~<oY`CmEd{{@!3R@HD?%RHB1KVXv9{oYH?)GahAN8GHV;y$4Vs2N
zSc4({b9VL?V`9@}qh!8^<edL<{(sK@e`hYs_N5FPcj?5j`%zj^yOl0XP#P<?z^0RF
z*2E5K<q^+vEEn?hEcgU&0vsS3jm{|t2qMP?cwP`VQRJeL2*~+pnBy4kW`Zmh8R955
zge*s_{~)9qC??Z`ZK7Ldbr9+tWU#4Pnr?Pg2cK@Q4{Zt7$Q6=T`humv@<9fCO;R09
zI!-!{XxHSMMsu`WKZOdmaYrHD^LS8oh-Q(s?<0ENy0^EN?G;(e?m`0e2zs`;sZCAd
zloHZSsG_N2@FIGgP+^m$Dh^F`!C;Jw1+CaVqRnerbh-c5&RsLecmlg<bAfI_xq^{Q
zC57cyUP5#L0yU|aCN|^}ib^Oa1`Co&r4+kgb}(_EiW15RK&N4%+IrgE7dfdjMN<hC
z>%i2&iU$9^6dK@=U=mn?6!W<-Qifn#R<U7N5Qa`%DQv!Oc;c=346{;Kuc(gRgXMlq
zB;<`D9`XW8n&My?3S1T9q9H+q#9RR=938?6VmuOwb5#<eQxJQ*MwhlRtU|C%&npS#
zrZj3=mpRyR5W7P+V!=~_{^`^W-RUn`#+4fQ@9QW=I;j-aDR!0&UBxEBOvWzlTq_M?
zD`TsecCcqgP$$ts-o!0uP;SA!OrmWY)07oTIaAsW7F1PE^)qw;m7sICEiBW)rbB3o
znr<_0jjDslZ6c8D)(woP4uO&;UE~360m*5=dmR&R176DLHrBG<kQN;<Qc5@F2rIao
z=nknC<<yeflaz{vk!=OfgSNB6m-x&!bvHR5({09*jNBBwBEV%xISR=YD}8?c-vKSB
z*oaMGM**5CY^QE6c?|D9|4(v`2OU>HfJ*qNfB!E7NIVja2iZkF1qL5q>HK}%8lbwU
zwXXIlVHsn%q>ja6bINm^FMa;!qVU4NM3yn9JXSgX^Yury8OJg#MRN(iv@sTV{{x7#
z-~YHUAM?-uG9an@k5H=_1^zc@3`eiCZObN0d;~0l|2!}H&wu5B&;QkpIr)$3`czCm
z1TD!)un_-wPMFPqk&A_W{+9t#4OF;7H55V^+6Ns)ebABb0|xgw*wk`11^K|9mA(QW
zw}JxymzMLzSj_W(l#BTMF9ZDh|LR8e`!CVEOvTCAc-g-H&d2{SU-<qL6Gh5@A?*MD
zTMpdo{<$p>Sa;^w#i8p}8@{eTI@CP1`Os(QuRNAM{6>4zmc2WEI`~}l;pcxl*?#tc
zZTEf9^WLRh4YxNOn!fnWz?mn88{Zj!;k)g>4&InLdjH!a+EpQZZvE({@cSe&HgLSQ
zn%_C`qxxWT%Z2MB&z$(AN9-IN*zx4|uYCB`&*x8#y!KJTh+RAI(5DBsH*W0c{{7&Q
zKXxbV3-A8P@BjGln}d}BMsC`Cs(WVt=*;-Jw##F8Umm-%c5PMS#t)-c_pYC+oX~o|
z7@F9#Z_TyTTf>!|U%q_j=pA<r@7&lj#?}v=e)a6G%E|O;@yI=sqg%(BlWPJq)4x2T
uY`XOM<cSSJ<BR+F!H!4QC67-Z`}WA|D_jO2K79BnJN^O(Mey(dCIA4QJ%6JB

literal 0
HcmV?d00001

diff --git a/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey b/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey
new file mode 100644
index 0000000000..eb59bdd26a
--- /dev/null
+++ b/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4drcwddPs6LmIbdT1ifT
+Ev8HXh1Fk1yNusCDoCX6mYkgqvCmx02F/9k5q7n6CPblTcF5mdDI8kcRrUHmyXtD
+9X0d7RN7BakZMPH5KPaNkXiXsI9YGSb39AnZgYw01n6u0W6Ohha+KwOsrxkKCF4u
+LjPLQAlM+3uD8y9Tz2fF+pAE901kHrd3ue7a5i5EtW0bzl5QfxnwFZXAO0StQ9dF
+slzibRH+1pFjMRxDnlgYmLQF6jMWm9Ty6x9UH9HZ3E3F9QZEQVXWT9y/pe30HcAX
+YxAGZjPIx19UNPF5C+Nps6MjxNRht0pGXTL9sptYoiNjRiXAS0y4FM+8K6xvBIOF
+ZQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/ext/phar/tests/tar/tar_openssl_hash.phpt b/ext/phar/tests/tar/tar_openssl_hash.phpt
new file mode 100644
index 0000000000..49ef77a44b
--- /dev/null
+++ b/ext/phar/tests/tar/tar_openssl_hash.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Phar: tar archive, require_hash=1, OpenSSL hash
+--SKIPIF--
+<?php if (!extension_loaded('phar')) die('skip'); ?>
+<?php if (!extension_loaded("spl")) die("skip SPL not available"); ?>
+<?php if (!extension_loaded("zlib")) die("skip zlib not available"); ?>
+<?php if (!extension_loaded("openssl")) die("skip openssl not available"); ?>
+--INI--
+phar.readonly=1
+phar.require_hash=1
+--FILE--
+<?php
+try {
+	$phar = new PharData(dirname(__FILE__) . '/files/P1-1.0.0.tgz');
+} catch (Exception $e) {
+	echo $e->getMessage()."\n";
+}
+
+?>
+===DONE===
+--EXPECT--
+===DONE===
-- 
2.50.1