|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76929 zip-based phar does not respect phar.require_hash
Submitted: 2018-09-24 19:56 UTC Modified: 2021-01-04 16:40 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: david at bamsoftware dot com Assigned: cmb (profile)
Status: Closed Package: PHAR related
PHP Version: master-Git-2018-09-24 (Git) OS: Linux 4.18.0-1-amd64
Private report: No CVE-ID: None
 [2018-09-24 19:56 UTC] david at bamsoftware dot com
Phar files in the zip format do not raise an error when phar.require_hash is true and the file lacks a signature (.phar/signature.bin), unlike the phar and tar formats.

The attached patch adds a test, copied with adjustments from ext/phar/tests/tar/require_hash.phpt; and a check for require_hash, copied with adjustments from ext/phar/tar.c.

This bug could allow you to bypass the signature check on openssl-signed phars by rewriting them as zip files without a signature. I didn't mark the bug "Security" though, because you can accomplish the same thing more easily by rewriting the phar with e.g. an md5 signature.

commit 152dc924c565330619a90f99dc1f223bb22ac420

./configure --with-openssl --with-zlib --with-bz2 --enable-zip

Test script:
$zip = new ZipArchive;
$zip->open('zip.phar', ZIPARCHIVE::CREATE);
$zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
$zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');

$phar = new Phar('zip.phar');
echo $phar->getStub();

Expected result:
Fatal error: Uncaught UnexpectedValueException: zip-based phar "zip.phar" does not have a signature in zip.php:8

Actual result:


zip_phar_require_hash.diff (last revision 2018-09-24 19:56 UTC by )

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-16 11:40 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-16 11:40 UTC]
Good work!  Unfortunately, that appears to have been overlooked.
 [2020-12-16 11:41 UTC]
The following pull request has been associated:

Patch Name: Fix #76929: zip-based phar does not respect phar.require_hash
On GitHub:
 [2021-01-04 16:40 UTC]
Given that phar.require_hash doesn't really add security, and that
the fix for this bug could break some code (it did break several
of the tests in phar's test suite), I think it is best to fix for
PHP-8.0+ only.
 [2021-01-04 16:49 UTC]
Automatic comment on behalf of
Log: Fix #76929: zip-based phar does not respect phar.require_hash
 [2021-01-04 16:49 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 20:01:29 2024 UTC