php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76929 zip-based phar does not respect phar.require_hash
Submitted: 2018-09-24 19:56 UTC Modified: 2021-01-04 16:40 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: david at bamsoftware dot com Assigned: cmb (profile)
Status: Closed Package: PHAR related
PHP Version: master-Git-2018-09-24 (Git) OS: Linux 4.18.0-1-amd64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at bamsoftware dot com
New email:
PHP Version: OS:

 

 [2018-09-24 19:56 UTC] david at bamsoftware dot com
Description:
------------
Phar files in the zip format do not raise an error when phar.require_hash is true and the file lacks a signature (.phar/signature.bin), unlike the phar and tar formats.

The attached patch adds a test, copied with adjustments from ext/phar/tests/tar/require_hash.phpt; and a check for require_hash, copied with adjustments from ext/phar/tar.c.

This bug could allow you to bypass the signature check on openssl-signed phars by rewriting them as zip files without a signature. I didn't mark the bug "Security" though, because you can accomplish the same thing more easily by rewriting the phar with e.g. an md5 signature.

commit 152dc924c565330619a90f99dc1f223bb22ac420

./configure --with-openssl --with-zlib --with-bz2 --enable-zip

Test script:
---------------
<?
$zip = new ZipArchive;
$zip->open('zip.phar', ZIPARCHIVE::CREATE);
$zip->addFromString('zip.php', '<?php var_dump(__FILE__);');
$zip->addFromString('.phar/stub.php', '__HALT_COMPILER();');
$zip->close();

$phar = new Phar('zip.phar');
echo $phar->getStub();

Expected result:
----------------
Fatal error: Uncaught UnexpectedValueException: zip-based phar "zip.phar" does not have a signature in zip.php:8

Actual result:
--------------
__HALT_COMPILER();

Patches

zip_phar_require_hash.diff (last revision 2018-09-24 19:56 UTC by )

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-16 11:40 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-16 11:40 UTC] cmb@php.net
Good work!  Unfortunately, that appears to have been overlooked.
 [2020-12-16 11:41 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #76929: zip-based phar does not respect phar.require_hash
On GitHub:  https://github.com/php/php-src/pull/6517
Patch:      https://github.com/php/php-src/pull/6517.patch
 [2021-01-04 16:40 UTC] cmb@php.net
Given that phar.require_hash doesn't really add security, and that
the fix for this bug could break some code (it did break several
of the tests in phar's test suite), I think it is best to fix for
PHP-8.0+ only.
 [2021-01-04 16:49 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9f96b2bdc8f9109c53ac6121fb3adca517afd133
Log: Fix #76929: zip-based phar does not respect phar.require_hash
 [2021-01-04 16:49 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jan 27 15:01:24 2021 UTC