php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69197 $extracerts param in openssl_pkcs7_sign handles default values incorrectly
Submitted: 2015-03-06 17:16 UTC Modified: 2015-03-06 18:25 UTC
From: marcus at synchromedia dot co dot uk Assigned: rdlowrey
Status: Closed Package: OpenSSL related
PHP Version: 5.6.6 OS:
Private report: No CVE-ID:
 [2015-03-06 17:16 UTC] marcus at synchromedia dot co dot uk
Description:
------------
This is the signature for the openssl_pkcs7_sign function:

function openssl_pkcs7_sign($infilename, $outfilename, $signcert, $privkey, array $headers, $flags = PKCS7_DETACHED, $extracerts = null) { }

The problem I've found is that if you provide the $extracerts param *at all*, even if it's null (i.e. the same as its default value), it tries to open it as a file, resulting in this error:

Warning: openssl_pkcs7_sign(): error opening the file

To behave like other PHP functions, I would expect this value to be ignored when passwed with the same value as the default. It appears to be checking for the presence of the parameter rather than its value.

It's easy enough to work around - you can check whether you need the extracerts param and have two different calls - but it's still a bug!

There are also issues with documentation of the parameters for this function - I've found the $signcert and $privkey params require that you prepend the pathname with 'file://', but, inconsistently, the $extracerts param does not.

Test script:
---------------
Example script to demonstrate the bug:
https://gist.github.com/Synchro/b9e4625013077def0cf7

A successful run should produce no output at all

Actual result:
--------------
Warning: openssl_pkcs7_sign(): error opening the file, in openssl_pkcs7_sign_bug.php on line 46

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-06 17:30 UTC] marcus at synchromedia dot co dot uk
Just to be clear, in my actual code I'm not passing a literal null, but a variable that may contain null or an empty string. It behaves the same way as passing the literal values, so I chose not to complicate it by including that.
 [2015-03-06 18:25 UTC] rdlowrey@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: rdlowrey
 [2015-03-06 18:31 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0928bad9ac9110a8a321c334444b7026bffad5f7
Log: Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
 [2015-03-06 18:31 UTC] rdlowrey@php.net
-Status: Analyzed +Status: Closed
 [2015-03-06 18:32 UTC] rdlowrey@php.net
Automatic comment on behalf of rdlowrey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0928bad9ac9110a8a321c334444b7026bffad5f7
Log: Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 28 01:01:35 2017 UTC