[prev in list] [next in list] [prev in thread] [next in thread]
List: php-cvs
Subject: [PHP-CVS] com php-src: Added =?UTF-8?Q?opcache=2Erestrict=5Fapi=20configuration=20d?= =?UTF-8?Q?irec
From: Dmitry Stogov <dmitry () php ! net>
Date: 2013-07-31 10:20:56
Message-ID: php-mail-d97840d2136ed27007b0689a4b145f031835392853 () git ! php ! net
[Download RAW message or body]
Commit: d69b3d8f5955a51ec688a52ceb925705d393821d
Author: Dmitry Stogov <dmitry@zend.com> Wed, 31 Jul 2013 14:20:56 +0400
Parents: d9e2dc80844e0f371a3a7f5b40933a5938a240f4
Branches: PHP-5.5 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=d69b3d8f5955a51ec688a52ceb925705d393821d
Log:
Added opcache.restrict_api configuration directive that may limit usage of OPcahce \
API functions only to patricular script(s)
Changed paths:
M NEWS
M ext/opcache/README
M ext/opcache/ZendAccelerator.h
M ext/opcache/zend_accelerator_module.c
Diff:
diff --git a/NEWS b/NEWS
index 60b2760..19e33d8 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP \
NEWS limited case). (Arpad)
- OPcahce:
+ . Added opcache.restrict_api configuration directive that may limit
+ usage of OPcahce API functions only to patricular script(s). (Dmitry)
. Added support for glob symbols in blacklist entries (?, *, **).
(Terry Elison, Dmitry)
. Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on
diff --git a/ext/opcache/README b/ext/opcache/README
index 3110012..6c3cc74 100644
--- a/ext/opcache/README
+++ b/ext/opcache/README
@@ -199,6 +199,10 @@ opcache.protect_memory (default "0")
Protect the shared memory from unexpected writing during script execution.
Useful for internal debugging only.
+opcache.restrict_api (default "")
+ Allows calling OPcache API functions only from PHP scripts which path is
+ started from specified string. The default "" means no restriction.
+
opcache.mmap_base
Mapping base of shared memory segments (for Windows only). All the PHP
processes have to map shared memory into the same address space. This
diff --git a/ext/opcache/ZendAccelerator.h b/ext/opcache/ZendAccelerator.h
index 57e2e7a..361b60b 100644
--- a/ext/opcache/ZendAccelerator.h
+++ b/ext/opcache/ZendAccelerator.h
@@ -232,6 +232,7 @@ typedef struct _zend_accel_directives {
#if ZEND_EXTENSION_API_NO > PHP_5_3_X_API_NO
long interned_strings_buffer;
#endif
+ char *restrict_api;
} zend_accel_directives;
typedef struct _zend_accel_globals {
diff --git a/ext/opcache/zend_accelerator_module.c \
b/ext/opcache/zend_accelerator_module.c index 2287d13..f9ddaa9 100644
--- a/ext/opcache/zend_accelerator_module.c
+++ b/ext/opcache/zend_accelerator_module.c
@@ -71,6 +71,21 @@ static zend_function_entry accel_functions[] = {
{ NULL, NULL, NULL, 0, 0 }
};
+static int validate_api_restriction(TSRMLS_D)
+{
+ if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
+ int len = strlen(ZCG(accel_directives).restrict_api);
+
+ if (!SG(request_info).path_translated ||
+ strlen(SG(request_info).path_translated) < len ||
+ memcmp(SG(request_info).path_translated, ZCG(accel_directives).restrict_api, \
len) != 0) { + zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted \
by \"restrict_api\" configuration directive"); + return 0;
+ }
+ }
+ return 1;
+}
+
static ZEND_INI_MH(OnUpdateMemoryConsumption)
{
long *p;
@@ -251,6 +266,7 @@ ZEND_INI_BEGIN()
STD_PHP_INI_BOOLEAN("opcache.enable_file_override" , "0" , PHP_INI_SYSTEM, \
OnUpdateBool, accel_directives.file_override_enabled, \
zend_accel_globals, accel_globals) STD_PHP_INI_BOOLEAN("opcache.enable_cli" \
, "0" , PHP_INI_SYSTEM, OnUpdateBool, accel_directives.enable_cli, \
zend_accel_globals, accel_globals) STD_PHP_INI_ENTRY("opcache.error_log" \
, "" , PHP_INI_SYSTEM, OnUpdateString, accel_directives.error_log, \
zend_accel_globals, accel_globals) + STD_PHP_INI_ENTRY("opcache.restrict_api" \
, "" , PHP_INI_SYSTEM, OnUpdateString, accel_directives.restrict_api, \
zend_accel_globals, accel_globals)
#ifdef ZEND_WIN32
STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM, OnUpdateString, \
accel_directives.mmap_base, zend_accel_globals, accel_globals) @@ \
-517,6 +533,10 @@ static ZEND_FUNCTION(opcache_get_status) return;
}
+ if (!validate_api_restriction(TSRMLS_C)) {
+ RETURN_FALSE;
+ }
+
if (!accel_startup_ok) {
RETURN_FALSE;
}
@@ -587,6 +607,10 @@ static ZEND_FUNCTION(opcache_get_configuration)
}
#endif
+ if (!validate_api_restriction(TSRMLS_C)) {
+ RETURN_FALSE;
+ }
+
array_init(return_value);
/* directives */
@@ -651,6 +675,10 @@ static ZEND_FUNCTION(opcache_reset)
}
#endif
+ if (!validate_api_restriction(TSRMLS_C)) {
+ RETURN_FALSE;
+ }
+
if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
RETURN_FALSE;
}
@@ -671,6 +699,10 @@ static ZEND_FUNCTION(opcache_invalidate)
return;
}
+ if (!validate_api_restriction(TSRMLS_C)) {
+ RETURN_FALSE;
+ }
+
if (zend_accel_invalidate(script_name, script_name_len, force TSRMLS_CC) == \
SUCCESS) { RETURN_TRUE;
} else {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic