'[PHP-CVS] com php-src: Added =?UTF-8?Q?opcache=2Erestrict=5Fapi=20configuration=20d?= =?UTF-8?Q?irec'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       php-cvs
Subject:    [PHP-CVS] com php-src: Added =?UTF-8?Q?opcache=2Erestrict=5Fapi=20configuration=20d?= =?UTF-8?Q?irec
From:       Dmitry Stogov <dmitry () php ! net>
Date:       2013-07-31 10:20:56
Message-ID: php-mail-d97840d2136ed27007b0689a4b145f031835392853 () git ! php ! net
[Download RAW message or body]

Commit:    d69b3d8f5955a51ec688a52ceb925705d393821d
Author:    Dmitry Stogov <dmitry@zend.com>         Wed, 31 Jul 2013 14:20:56 +0400
Parents:   d9e2dc80844e0f371a3a7f5b40933a5938a240f4
Branches:  PHP-5.5 master

Link:       http://git.php.net/?p=php-src.git;a=commitdiff;h=d69b3d8f5955a51ec688a52ceb925705d393821d


Log:
Added opcache.restrict_api configuration directive that may limit usage of OPcahce \
API functions only to patricular script(s)

Changed paths:
  M  NEWS
  M  ext/opcache/README
  M  ext/opcache/ZendAccelerator.h
  M  ext/opcache/zend_accelerator_module.c


Diff:
diff --git a/NEWS b/NEWS
index 60b2760..19e33d8 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                 \
NEWS  limited case). (Arpad)
 
 - OPcahce:
+  . Added opcache.restrict_api configuration directive that may limit
+    usage of OPcahce API functions only to patricular script(s). (Dmitry)
   . Added support for glob symbols in blacklist entries (?, *, **).
     (Terry Elison, Dmitry)
   . Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on
diff --git a/ext/opcache/README b/ext/opcache/README
index 3110012..6c3cc74 100644
--- a/ext/opcache/README
+++ b/ext/opcache/README
@@ -199,6 +199,10 @@ opcache.protect_memory (default "0")
 	Protect the shared memory from unexpected writing during script execution.
 	Useful for internal debugging only.
 
+opcache.restrict_api (default "")
+	Allows calling OPcache API functions only from PHP scripts which path is
+	started from specified string. The default "" means no restriction.
+
 opcache.mmap_base
 	Mapping base of shared memory segments (for Windows only). All the PHP
 	processes have to map shared memory into the same address space. This
diff --git a/ext/opcache/ZendAccelerator.h b/ext/opcache/ZendAccelerator.h
index 57e2e7a..361b60b 100644
--- a/ext/opcache/ZendAccelerator.h
+++ b/ext/opcache/ZendAccelerator.h
@@ -232,6 +232,7 @@ typedef struct _zend_accel_directives {
 #if ZEND_EXTENSION_API_NO > PHP_5_3_X_API_NO
 	long           interned_strings_buffer;
 #endif
+	char          *restrict_api;
 } zend_accel_directives;
 
 typedef struct _zend_accel_globals {
diff --git a/ext/opcache/zend_accelerator_module.c \
b/ext/opcache/zend_accelerator_module.c index 2287d13..f9ddaa9 100644
--- a/ext/opcache/zend_accelerator_module.c
+++ b/ext/opcache/zend_accelerator_module.c
@@ -71,6 +71,21 @@ static zend_function_entry accel_functions[] = {
 	{ NULL, NULL, NULL, 0, 0 }
 };
 
+static int validate_api_restriction(TSRMLS_D)
+{
+	if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
+		int len = strlen(ZCG(accel_directives).restrict_api);
+
+		if (!SG(request_info).path_translated ||
+		    strlen(SG(request_info).path_translated) < len ||
+		    memcmp(SG(request_info).path_translated, ZCG(accel_directives).restrict_api, \
len) != 0) { +			zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted \
by \"restrict_api\" configuration directive"); +			return 0;
+		}
+	}       
+	return 1;
+}
+
 static ZEND_INI_MH(OnUpdateMemoryConsumption)
 {
 	long *p;
@@ -251,6 +266,7 @@ ZEND_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("opcache.enable_file_override"	, "0"   , PHP_INI_SYSTEM, \
OnUpdateBool,              accel_directives.file_override_enabled,     \
zend_accel_globals, accel_globals)  STD_PHP_INI_BOOLEAN("opcache.enable_cli"          \
, "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.enable_cli,     \
zend_accel_globals, accel_globals)  STD_PHP_INI_ENTRY("opcache.error_log"             \
, ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.error_log,        \
zend_accel_globals, accel_globals) +	STD_PHP_INI_ENTRY("opcache.restrict_api"         \
, ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.restrict_api,     \
zend_accel_globals, accel_globals)  
 #ifdef ZEND_WIN32
 	STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM,	OnUpdateString,	       \
accel_directives.mmap_base,                 zend_accel_globals, accel_globals) @@ \
-517,6 +533,10 @@ static ZEND_FUNCTION(opcache_get_status)  return;
 	}
 	
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (!accel_startup_ok) {
 		RETURN_FALSE;
 	}
@@ -587,6 +607,10 @@ static ZEND_FUNCTION(opcache_get_configuration)
 	}
 #endif
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	array_init(return_value);
 
 	/* directives */
@@ -651,6 +675,10 @@ static ZEND_FUNCTION(opcache_reset)
 	}
 #endif
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
 		RETURN_FALSE;
 	}
@@ -671,6 +699,10 @@ static ZEND_FUNCTION(opcache_invalidate)
 		return;
 	}
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (zend_accel_invalidate(script_name, script_name_len, force TSRMLS_CC) == \
SUCCESS) {  RETURN_TRUE;
 	} else {


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic