
List:       php-cvs
Subject:    [PHP-CVS] cvs: php-src(PHP_5_3) / NEWS  /ext/phar tar.c  /ext/phar/tests/tar tar_openssl_hash.phpt
From:       "Greg Beaver" <cellog () php ! net>
Date:       2009-06-30 14:49:12
Message-ID: cvscellog1246373352 () cvsserver

cellog		Tue Jun 30 14:49:12 2009 UTC

  Added files:                 (Branch: PHP_5_3)
    /php-src/ext/phar/tests/tar	tar_openssl_hash.phpt 
    /php-src/ext/phar/tests/tar/files	P1-1.0.0.tgz P1-1.0.0.tgz.pubkey 

  Modified files:              
    /php-src	NEWS 
    /php-src/ext/phar	tar.c 
  Log:
  fixed bug #48681 (openssl signature verification for tar archives broken)
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.965.2.657&r2=1.2027.2.547.2.965.2.658&diff_format=u
                
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.965.2.657 php-src/NEWS:1.2027.2.547.2.965.2.658
--- php-src/NEWS:1.2027.2.547.2.965.2.657	Tue Jun 30 11:39:15 2009
+++ php-src/NEWS	Tue Jun 30 14:49:11 2009
@@ -2,6 +2,8 @@
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.3.1
 
+- Fixed bug #48681 (openssl signature verification for tar archives broken).
+  (Greg)
 - Fixed bug #38091 (Mail() does not use FQDN when sending SMTP helo). 
   (Kalle, Rick Yorgason)
 
http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tar.c?r1=1.55.2.29&r2=1.55.2.30&diff_format=u
                
Index: php-src/ext/phar/tar.c
diff -u php-src/ext/phar/tar.c:1.55.2.29 php-src/ext/phar/tar.c:1.55.2.30
--- php-src/ext/phar/tar.c:1.55.2.29	Thu Jun  4 19:59:09 2009
+++ php-src/ext/phar/tar.c	Tue Jun 30 14:49:12 2009
@@ -255,6 +255,8 @@
 			phar_tar_number(hdr->size, sizeof(hdr->size));
 
 		if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == \
sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", \
sizeof(".phar/signature.bin")-1)) {
+			off_t curloc;
+
 			if (size > 511) {
 				if (error) {
 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" has signature that is \
larger than 511 bytes, cannot process", fname);
@@ -264,6 +266,7 @@
 				phar_destroy_phar_data(myphar TSRMLS_CC);
 				return FAILURE;
 			}
+			curloc = php_stream_tell(fp);
 			read = php_stream_read(fp, buf, size);
 			if (read != size) {
 				if (error) {
@@ -280,7 +283,7 @@
 #else
 # define PHAR_GET_32(buffer) (php_uint32) *(buffer)
 #endif
-			if (FAILURE == phar_verify_signature(fp, php_stream_tell(fp) - size - 512, \
PHAR_GET_32(buf), buf + 8, PHAR_GET_32(buf + 4), fname, &myphar->signature, \
&myphar->sig_len, error TSRMLS_CC)) {
+			if (FAILURE == phar_verify_signature(fp, \
php_stream_tell(fp) - size - 512, PHAR_GET_32(buf), buf + 8, size - 8, fname, \
&myphar->signature, &myphar->sig_len, error TSRMLS_CC)) {
 if (error) {
 					char *save = *error;
 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be \
verified: %s", fname, save);
@@ -288,11 +291,11 @@
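Review bot: The new `phar_verify_signature` call passes `size - 8` as the signature length, but nothing in this function rejects a `.phar/signature.bin` entry shorter than 8 bytes; the only bound visible is `if (size > 511)` in the earlier hunk. For `size < 8` the subtraction wraps if `size` is unsigned (its declaration is outside these hunks) or goes negative otherwise, and `PHAR_GET_32(buf)` together with `buf + 8` then describe bytes of `buf` that the preceding `php_stream_read(fp, buf, size)` never filled. Both header words are needed before there is any signature to check, so extend the existing guard to `if (size > 511 || size < 8) {` and adjust its error text to say the entry is malformed rather than only too large. Taking the length from the tar header (`size - 8`) instead of the in-file word `PHAR_GET_32(buf + 4)` is the right direction, since the old value was chosen by the archive author and was not bounded by the bytes actually read into `buf`.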
 				}
 				goto bail;
 			}
+			php_stream_seek(fp, curloc + 512, SEEK_SET);
 			/* signature checked out, let's ensure this is the last file in the phar */
-			size = ((size+511)&~511) + 512;
 			if (((hdr->typeflag == '\0') || (hdr->typeflag == TAR_FILE)) && size > 0) {
 				/* this is not good enough - seek succeeds even on truncated tars */
-				php_stream_seek(fp, size, SEEK_CUR);
+				php_stream_seek(fp, 512, SEEK_CUR);
 				if ((uint)php_stream_tell(fp) > totalsize) {
 					if (error) {
 						spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file \
(truncated)", fname);
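Review bot: The `size > 0` term in the context line `if (((hdr->typeflag == '\0') || (hdr->typeflag == TAR_FILE)) && size > 0)` changes meaning with this commit: the removed `size = ((size+511)&~511) + 512;` used to make `size` at least 512 at that point, so the term was always true, whereas now `size` is the raw signature length and a zero-length signature entry would skip the truncation probe that follows. Unless a zero-length entry is rejected earlier in the function, drop the term, `if ((hdr->typeflag == '\0') || (hdr->typeflag == TAR_FILE)) {`, since the probe no longer depends on the entry size. The two added `php_stream_seek` calls discard their return values; the existing comment already explains that the `php_stream_tell` comparison is the real check, so a short `/* seek result intentionally ignored; the position is validated against totalsize below */` above the first seek would spare the next reader the same analysis. The function continues past the end of this hunk.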

http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/tar_openssl_hash.phpt?view=markup&rev=1.1
                
Index: php-src/ext/phar/tests/tar/tar_openssl_hash.phpt
+++ php-src/ext/phar/tests/tar/tar_openssl_hash.phpt
--TEST--
Phar: tar archive, require_hash=1, OpenSSL hash
--SKIPIF--
<?php if (!extension_loaded('phar')) die('skip'); ?>
<?php if (!extension_loaded("spl")) die("skip SPL not available"); ?>
<?php if (!extension_loaded("zlib")) die("skip zlib not available"); ?>
<?php if (!extension_loaded("openssl")) die("skip openssl not available"); ?>
--INI--
phar.readonly=1
phar.require_hash=1
--FILE--
<?php
try {
	$phar = new PharData(dirname(__FILE__) . '/files/P1-1.0.0.tgz');
} catch (Exception $e) {
	echo $e->getMessage()."\n";
}

?>
===DONE===
--EXPECT--
===DONE===
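Review bot: This test exercises only the accepting path: a correctly signed `P1-1.0.0.tgz` with its `.pubkey` alongside must open without an exception, so a verifier that accepted any signature at all would pass it unchanged. Add a companion case that copies the archive to a temp name, flips one byte in the payload (or in the signature block, or omits the `.pubkey`), and asserts that `new PharData(...)` throws under `phar.require_hash=1`; that is the case a regression in `phar_verify_signature` would actually fail. On success, echoing `$phar->getSignature()['hash_type']` and expecting `OpenSSL` would also pin that the OpenSSL path, not a fallback hash, was taken, whereas the bare `===DONE===` expectation does not distinguish them.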

http://cvs.php.net/viewvc.cgi/php-src/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey?view=markup&rev=1.1
                
Index: php-src/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey
+++ php-src/ext/phar/tests/tar/files/P1-1.0.0.tgz.pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4drcwddPs6LmIbdT1ifT
Ev8HXh1Fk1yNusCDoCX6mYkgqvCmx02F/9k5q7n6CPblTcF5mdDI8kcRrUHmyXtD
9X0d7RN7BakZMPH5KPaNkXiXsI9YGSb39AnZgYw01n6u0W6Ohha+KwOsrxkKCF4u
LjPLQAlM+3uD8y9Tz2fF+pAE901kHrd3ue7a5i5EtW0bzl5QfxnwFZXAO0StQ9dF
slzibRH+1pFjMRxDnlgYmLQF6jMWm9Ty6x9UH9HZ3E3F9QZEQVXWT9y/pe30HcAX
YxAGZjPIx19UNPF5C+Nps6MjxNRht0pGXTL9sptYoiNjRiXAS0y4FM+8K6xvBIOF
ZQIDAQAB
-----END PUBLIC KEY-----





