Patches: zip_phar_require_hash.diff (last revision 2018-09-24 19:56 UTC)

History:
[2020-12-16 11:40 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
[2020-12-16 11:40 UTC] cmb@php.net
[2020-12-16 11:41 UTC] cmb@php.net
[2021-01-04 16:40 UTC] cmb@php.net
[2021-01-04 16:49 UTC] cmb@php.net
[2021-01-04 16:49 UTC] cmb@php.net
-Status: Verified
+Status: Closed
Description:
------------
Phar files in the zip format do not raise an error when phar.require_hash is true and the file lacks a signature (.phar/signature.bin), unlike the phar and tar formats. The attached patch adds a test, copied with adjustments from ext/phar/tests/tar/require_hash.phpt, and a check for require_hash, copied with adjustments from ext/phar/tar.c.

This bug could allow you to bypass the signature check on openssl-signed phars by rewriting them as zip files without a signature. I didn't mark the bug "Security" though, because you can accomplish the same thing more easily by rewriting the phar with e.g. an md5 signature.

commit 152dc924c565330619a90f99dc1f223bb22ac420
./configure --with-openssl --with-zlib --with-bz2 --enable-zip

Test script:
---------------
<?php

$zip = new ZipArchive;
$zip->open('zip.phar', ZipArchive::CREATE);
$zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
$zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');
$zip->close();
$phar = new Phar('zip.phar');
echo $phar->getStub();

Expected result:
----------------
Fatal error: Uncaught UnexpectedValueException: zip-based phar "zip.phar" does not have a signature in zip.php:8

Actual result:
--------------
__HALT_COMPILER();
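As an added example (not code from the bug report or from ext/phar), the following pre-load guard inspects a zip-based phar with ZipArchive before Phar parses it, so it does not depend on phar.require_hash being enforced for the zip format; it rejects both the unsigned archive from the report and one re-signed with a weak type. The function names assertZipPharSigned and buildZipPhar, the temp path, and the signature.bin type-header layout are assumptions, and the signature.bin it constructs is a dummy header rather than a real signature.

```php
<?php
// Added example, not from the bug report or ext/phar. Assumption: the first
// four bytes of .phar/signature.bin hold the signature type as a little-endian
// uint32 using the Phar::MD5 ... Phar::OPENSSL values.
function assertZipPharSigned(string $path, array $allowedTypes = [Phar::OPENSSL]): int
{
    $zip = new ZipArchive();
    if (($rc = $zip->open($path)) !== true) {
        throw new UnexpectedValueException("cannot open \"$path\" as zip (code $rc)");
    }
    try {
        $sig = $zip->getFromName('.phar/signature.bin');
        if ($sig === false) { // the case in the report: no signature entry at all
            throw new UnexpectedValueException("zip-based phar \"$path\" does not have a signature");
        }
        if (strlen($sig) < 4) {
            throw new UnexpectedValueException("signature.bin in \"$path\" is truncated");
        }
        $type = unpack('Vtype', $sig)['type'];
        if (!in_array($type, $allowedTypes, true)) { // e.g. a phar re-signed with MD5
            throw new UnexpectedValueException(sprintf('signature type 0x%x in "%s" is not allowed', $type, $path));
        }
        return $type; // Phar itself still verifies the signature bytes on load
    } finally {
        $zip->close();
    }
}
// Build a zip-based phar like the report's test script, optionally adding a
// constructed .phar/signature.bin that carries only a type header, no real signature.
function buildZipPhar(string $path, ?int $sigType): void
{
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    $zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
    $zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');
    if ($sigType !== null) {
        $zip->addFromString('.phar/signature.bin', pack('V', $sigType) . str_repeat("\0", 20));
    }
    $zip->close();
}
$tmp = sys_get_temp_dir() . '/require_hash_guard.zip.phar';
foreach ([null, Phar::MD5, Phar::OPENSSL] as $sigType) {
    buildZipPhar($tmp, $sigType);
    try {
        printf("type 0x%x accepted\n", assertZipPharSigned($tmp));
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
unlink($tmp);
```

The guard only establishes that a signature entry of an acceptable type is present; the signature bytes themselves are still checked by Phar when the archive is opened, so with the bug present this supplies the presence check that ext/phar skipped for zip archives, and with the patch applied it adds the type allowlist on top.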