Bug #76929 zip-based phar does not respect phar.require_hash
Submitted: 2018-09-24 19:56 UTC Modified: 2021-01-04 16:40 UTC
From: david at bamsoftware dot com Assigned: cmb
Status: Closed Package: PHAR related
PHP Version: master-Git-2018-09-24 (Git) OS: Linux 4.18.0-1-amd64
Private report: No CVE-ID: None
 [2018-09-24 19:56 UTC] david at bamsoftware dot com
Description:
------------
Phar files in the zip format do not raise an error when phar.require_hash is true and the file lacks a signature (.phar/signature.bin), unlike the phar and tar formats.

The attached patch adds a test, copied with adjustments from ext/phar/tests/tar/require_hash.phpt; and a check for require_hash, copied with adjustments from ext/phar/tar.c.

This bug could allow you to bypass the signature check on openssl-signed phars by rewriting them as zip files without a signature. I didn't mark the bug "Security" though, because you can accomplish the same thing more easily by rewriting the phar with e.g. an md5 signature.

commit 152dc924c565330619a90f99dc1f223bb22ac420

./configure --with-openssl --with-zlib --with-bz2 --enable-zip

Test script:
---------------
<?php
$zip = new ZipArchive;                                      // built with ZipArchive, not Phar, so no .phar/signature.bin entry is written
$zip->open('zip.phar', ZipArchive::CREATE);
$zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
$zip->addFromString('.phar/stub.php', '__HALT_COMPILER();'); // stub entry only; archive stays unsigned
$zip->close();

$phar = new Phar('zip.phar');                               // line 8: should throw when phar.require_hash=1
echo $phar->getStub();

Expected result:
----------------
Fatal error: Uncaught UnexpectedValueException: zip-based phar "zip.phar" does not have a signature in zip.php:8

Actual result:
--------------
__HALT_COMPILER();
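The following is an added example, not the reporter's patch, not the test from this report and not code from php-src. It does three things that follow from the description above and from cmb's later remark that phar.require_hash adds little security: it builds an unsigned zip-based phar the same way the report does, probes whether the running PHP build rejects it under phar.require_hash=1 (the fixed behaviour) or loads it (the bug), and then shows that a phar carrying only an MD5 digest still satisfies require_hash, so any consumer that wants integrity has to check the signature type itself. The file names (zip.phar, md5.phar in the system temp dir) and the helper function names are this example's own assumptions.

```php
<?php
// Added example for Bug #76929 (not the reporter's code, not php-src code).
// Run with:  php -d phar.require_hash=1 -d phar.readonly=0 probe.php
// File names and helper names below are this example's own choices.

declare(strict_types=1);

// Build a zip-based phar with a stub entry but no .phar/signature.bin,
// exactly as the bug report's test script does (ZipArchive, not Phar,
// because the Phar writer would add a signature entry itself).
function build_unsigned_zip_phar(string $path): void
{
    @unlink($path);
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CREATE) !== true) {
        throw new RuntimeException("cannot create $path");
    }
    $zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
    $zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');
    $zip->close();
}

// Build a native phar whose only "signature" is an MD5 digest of its
// contents. Needs phar.readonly=0; anyone can produce such a file.
function build_md5_signed_phar(string $path): void
{
    @unlink($path);
    $phar = new Phar($path);
    $phar->startBuffering();
    $phar->addFromString('index.php', '<?php echo "hello\n";');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setSignatureAlgorithm(Phar::MD5);
    $phar->stopBuffering();
}

// Does this build enforce phar.require_hash for a zip-based phar?
// Fixed builds throw UnexpectedValueException from the constructor;
// affected builds return a usable Phar object.
function probe_require_hash(string $path): string
{
    try {
        new Phar($path);
        return 'ACCEPTED (bug #76929 present: unsigned zip-based phar loaded)';
    } catch (UnexpectedValueException $e) {
        return 'REJECTED (fixed): ' . $e->getMessage();
    }
}

// Signature type as reported by Phar::getSignature(), or 'none' when the
// archive carries no signature at all (getSignature() returns false).
function signature_type(string $path): string
{
    $sig = (new Phar($path))->getSignature();
    return $sig === false ? 'none' : $sig['hash_type'];
}

// The check a consumer should apply: require_hash only demands *some* hash.
// Digest-only types (MD5, SHA-1, SHA-256, SHA-512) say nothing about origin,
// since whoever rewrites the archive can recompute them. Only a public-key
// signature, which Phar verifies against the adjacent .pubkey file, does.
function has_key_signature(string $path): bool
{
    return strncmp(signature_type($path), 'OpenSSL', 7) === 0;
}

if (!filter_var(ini_get('phar.require_hash'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "re-run with -d phar.require_hash=1\n");
    exit(1);
}

$dir     = sys_get_temp_dir();
$zipPhar = $dir . '/zip.phar';
$md5Phar = $dir . '/md5.phar';

build_unsigned_zip_phar($zipPhar);
echo "unsigned zip-based phar: ", probe_require_hash($zipPhar), "\n";

if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
    echo "phar.readonly=1, skipping the MD5 demo (needs -d phar.readonly=0)\n";
} else {
    build_md5_signed_phar($md5Phar);
    // Loads without complaint under require_hash=1, yet is not signed by anyone.
    printf("md5 phar: signature type=%s, key-signed=%s\n",
        signature_type($md5Phar),
        has_key_signature($md5Phar) ? 'yes' : 'no');
}
```

On a build that has the fix from PR 6517 the first line reports REJECTED with the "does not have a signature" message; on an affected build it reports ACCEPTED. In both cases the second line shows the MD5-only phar being loaded with a signature type of MD5 and key-signed=no, which is the point behind the report's remark that the same bypass is easier by rewriting the phar with an MD5 signature: has_key_signature() (or an equivalent check on getSignature()['hash_type']) is what actually enforces that an archive came from the holder of the private key.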

Patches

zip_phar_require_hash.diff (last revision 2018-09-24 19:56 UTC by )

History
 [2020-12-16 11:40 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-16 11:40 UTC] cmb@php.net
Good work!  Unfortunately, that appears to have been overlooked.
 [2020-12-16 11:41 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #76929: zip-based phar does not respect phar.require_hash
On GitHub:  https://github.com/php/php-src/pull/6517
Patch:      https://github.com/php/php-src/pull/6517.patch
 [2021-01-04 16:40 UTC] cmb@php.net
Given that phar.require_hash doesn't really add security, and that
the fix for this bug could break some code (it did break several
of the tests in phar's test suite), I think it is best to fix for
PHP-8.0+ only.
 [2021-01-04 16:49 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f96b2bdc8f9109c53ac6121fb3adca517afd133
Log: Fix #76929: zip-based phar does not respect phar.require_hash
 [2021-01-04 16:49 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC