|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76929 zip-based phar does not respect phar.require_hash
Submitted: 2018-09-24 19:56 UTC Modified: -
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: david at bamsoftware dot com Assigned:
Status: Open Package: PHAR related
PHP Version: master-Git-2018-09-24 (Git) OS: Linux 4.18.0-1-amd64
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-09-24 19:56 UTC] david at bamsoftware dot com
Phar files in the zip format do not raise an error when phar.require_hash is true and the file lacks a signature (.phar/signature.bin), unlike the phar and tar formats.

The attached patch adds a test, copied with adjustments from ext/phar/tests/tar/require_hash.phpt; and a check for require_hash, copied with adjustments from ext/phar/tar.c.

This bug could allow you to bypass the signature check on openssl-signed phars by rewriting them as zip files without a signature. I didn't mark the bug "Security" though, because you can accomplish the same thing more easily by rewriting the phar with e.g. an md5 signature.

commit 152dc924c565330619a90f99dc1f223bb22ac420

./configure --with-openssl --with-zlib --with-bz2 --enable-zip

Test script:
$zip = new ZipArchive;
$zip->open('zip.phar', ZIPARCHIVE::CREATE);
$zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
$zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');

$phar = new Phar('zip.phar');
echo $phar->getStub();

Expected result:
Fatal error: Uncaught UnexpectedValueException: zip-based phar "zip.phar" does not have a signature in zip.php:8

Actual result:


zip_phar_require_hash.diff (last revision 2018-09-24 19:56 UTC by )

Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Oct 20 00:01:24 2020 UTC