PageRenderTime 26ms CodeModel.GetById 14ms RepoModel.GetById 0ms app.codeStats 1ms

/CRUD Lab Exam/vendor/composer/ca-bundle/src/CaBundle.php

https://gitlab.com/imamul68e/137619_PHP31
PHP | 291 lines | 152 code | 39 blank | 100 comment | 43 complexity | ce2de2d0d2ac7d0035333c47f062f7f3 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4.  * This file is part of composer/ca-bundle.
    5. 

  5.  *
    6. 

  6.  * (c) Composer <https://github.com/composer>
    7. 

  7.  *
    8. 

  8.  * For the full copyright and license information, please view
    9. 

  9.  * the LICENSE file that was distributed with this source code.
    10. 

  10.  */
    11. 

  11. 

  12. namespace Composer\CaBundle;
    13. 

  13. 

  14. use Psr\Log\LoggerInterface;
    15. 

  15. use Symfony\Component\Process\PhpProcess;
    16. 

  16. 

  17. /**
    18. 

  18.  * @author Chris Smith <chris@cs278.org>
    19. 

  19.  * @author Jordi Boggiano <j.boggiano@seld.be>
    20. 

  20.  */
    21. 

  21. class CaBundle
    22. 

  22. {
    23. 

  23.     private static $caPath;
    24. 

  24.     private static $caFileValidity = array();
    25. 

  25.     private static $useOpensslParse;
    26. 

  26. 

  27.     /**
    28. 

  28.      * Returns the system CA bundle path, or a path to the bundled one
    29. 

  29.      *
    30. 

  30.      * This method was adapted from Sslurp.
    31. 

  31.      * https://github.com/EvanDotPro/Sslurp
    32. 

  32.      *
    33. 

  33.      * (c) Evan Coury <me@evancoury.com>
    34. 

  34.      *
    35. 

  35.      * For the full copyright and license information, please see below:
    36. 

  36.      *
    37. 

  37.      * Copyright (c) 2013, Evan Coury
    38. 

  38.      * All rights reserved.
    39. 

  39.      *
    40. 

  40.      * Redistribution and use in source and binary forms, with or without modification,
    41. 

  41.      * are permitted provided that the following conditions are met:
    42. 

  42.      *
    43. 

  43.      *     * Redistributions of source code must retain the above copyright notice,
    44. 

  44.      *       this list of conditions and the following disclaimer.
    45. 

  45.      *
    46. 

  46.      *     * Redistributions in binary form must reproduce the above copyright notice,
    47. 

  47.      *       this list of conditions and the following disclaimer in the documentation
    48. 

  48.      *       and/or other materials provided with the distribution.
    49. 

  49.      *
    50. 

  50.      * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
    51. 

  51.      * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
    52. 

  52.      * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    53. 

  53.      * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
    54. 

  54.      * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    55. 

  55.      * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    56. 

  56.      * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
    57. 

  57.      * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    58. 

  58.      * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    59. 

  59.      * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    60. 

  60.      *
    61. 

  61.      * @param  LoggerInterface $logger optional logger for information about which CA files were loaded
    62. 

  62.      * @return string          path to a CA bundle file or directory
    63. 

  63.      */
    64. 

  64.     public static function getSystemCaRootBundlePath(LoggerInterface $logger = null)
    65. 

  65.     {
    66. 

  66.         if (self::$caPath !== null) {
    67. 

  67.             return self::$caPath;
    68. 

  68.         }
    69. 

  69. 

  70.         // If SSL_CERT_FILE env variable points to a valid certificate/bundle, use that.
    71. 

  71.         // This mimics how OpenSSL uses the SSL_CERT_FILE env variable.
    72. 

  72.         $envCertFile = getenv('SSL_CERT_FILE');
    73. 

  73.         if ($envCertFile && is_readable($envCertFile) && static::validateCaFile($envCertFile, $logger)) {
    74. 

  74.             return self::$caPath = $envCertFile;
    75. 

  75.         }
    76. 

  76. 

  77.         // If SSL_CERT_DIR env variable points to a valid certificate/bundle, use that.
    78. 

  78.         // This mimics how OpenSSL uses the SSL_CERT_FILE env variable.
    79. 

  79.         $envCertDir = getenv('SSL_CERT_DIR');
    80. 

  80.         if ($envCertDir && is_dir($envCertDir) && is_readable($envCertDir)) {
    81. 

  81.             return self::$caPath = $envCertDir;
    82. 

  82.         }
    83. 

  83. 

  84.         $configured = ini_get('openssl.cafile');
    85. 

  85.         if ($configured && strlen($configured) > 0 && is_readable($configured) && static::validateCaFile($configured, $logger)) {
    86. 

  86.             return self::$caPath = $configured;
    87. 

  87.         }
    88. 

  88. 

  89.         $configured = ini_get('openssl.capath');
    90. 

  90.         if ($configured && is_dir($configured) && is_readable($configured)) {
    91. 

  91.             return self::$caPath = $configured;
    92. 

  92.         }
    93. 

  93. 

  94.         $caBundlePaths = array(
    95. 

  95.             '/etc/pki/tls/certs/ca-bundle.crt', // Fedora, RHEL, CentOS (ca-certificates package)
    96. 

  96.             '/etc/ssl/certs/ca-certificates.crt', // Debian, Ubuntu, Gentoo, Arch Linux (ca-certificates package)
    97. 

  97.             '/etc/ssl/ca-bundle.pem', // SUSE, openSUSE (ca-certificates package)
    98. 

  98.             '/usr/local/share/certs/ca-root-nss.crt', // FreeBSD (ca_root_nss_package)
    99. 

  99.             '/usr/ssl/certs/ca-bundle.crt', // Cygwin
    100. 

  100.             '/opt/local/share/curl/curl-ca-bundle.crt', // OS X macports, curl-ca-bundle package
    101. 

  101.             '/usr/local/share/curl/curl-ca-bundle.crt', // Default cURL CA bunde path (without --with-ca-bundle option)
    102. 

  102.             '/usr/share/ssl/certs/ca-bundle.crt', // Really old RedHat?
    103. 

  103.             '/etc/ssl/cert.pem', // OpenBSD
    104. 

  104.             '/usr/local/etc/ssl/cert.pem', // FreeBSD 10.x
    105. 

  105.             '/usr/local/etc/openssl/cert.pem', // OS X homebrew, openssl package
    106. 

  106.         );
    107. 

  107. 

  108.         foreach ($caBundlePaths as $caBundle) {
    109. 

  109.             if (@is_readable($caBundle) && static::validateCaFile($caBundle, $logger)) {
    110. 

  110.                 return self::$caPath = $caBundle;
    111. 

  111.             }
    112. 

  112.         }
    113. 

  113. 

  114.         foreach ($caBundlePaths as $caBundle) {
    115. 

  115.             $caBundle = dirname($caBundle);
    116. 

  116.             if (@is_dir($caBundle) && glob($caBundle.'/*')) {
    117. 

  117.                 return self::$caPath = $caBundle;
    118. 

  118.             }
    119. 

  119.         }
    120. 

  120. 

  121.         return self::$caPath = static::getBundledCaBundlePath(); // Bundled CA file, last resort
    122. 

  122.     }
    123. 

  123. 

  124.     /**
    125. 

  125.      * Returns the path to the bundled CA file
    126. 

  126.      *
    127. 

  127.      * In case you don't want to trust the user or the system, you can use this directly
    128. 

  128.      *
    129. 

  129.      * @return string path to a CA bundle file
    130. 

  130.      */
    131. 

  131.     public static function getBundledCaBundlePath()
    132. 

  132.     {
    133. 

  133.         return __DIR__.'/../res/cacert.pem';
    134. 

  134.     }
    135. 

  135. 

  136.     /**
    137. 

  137.      * Validates a CA file using opensl_x509_parse only if it is safe to use
    138. 

  138.      *
    139. 

  139.      * @param string          $filename
    140. 

  140.      * @param LoggerInterface $logger   optional logger for information about which CA files were loaded
    141. 

  141.      *
    142. 

  142.      * @return bool
    143. 

  143.      */
    144. 

  144.     public static function validateCaFile($filename, LoggerInterface $logger = null)
    145. 

  145.     {
    146. 

  146.         static $warned = false;
    147. 

  147. 

  148.         if (isset(self::$caFileValidity[$filename])) {
    149. 

  149.             return self::$caFileValidity[$filename];
    150. 

  150.         }
    151. 

  151. 

  152.         $contents = file_get_contents($filename);
    153. 

  153. 

  154.         // assume the CA is valid if php is vulnerable to
    155. 

  155.         // https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html
    156. 

  156.         if (!static::isOpensslParseSafe()) {
    157. 

  157.             if (!$warned && $logger) {
    158. 

  158.                 $logger->warning(sprintf(
    159. 

  159.                     'Your version of PHP, %s, is affected by CVE-2013-6420 and cannot safely perform certificate validation, we strongly suggest you upgrade.',
    160. 

  160.                     PHP_VERSION
    161. 

  161.                 ));
    162. 

  162.                 $warned = true;
    163. 

  163.             }
    164. 

  164. 

  165.             $isValid = !empty($contents);
    166. 

  166.         } else {
    167. 

  167.             $isValid = (bool) openssl_x509_parse($contents);
    168. 

  168.         }
    169. 

  169. 

  170.         if ($logger) {
    171. 

  171.             $logger->debug('Checked CA file '.realpath($filename).': '.($isValid ? 'valid' : 'invalid'));
    172. 

  172.         }
    173. 

  173. 

  174.         return self::$caFileValidity[$filename] = $isValid;
    175. 

  175.     }
    176. 

  176. 

  177.     /**
    178. 

  178.      * Test if it is safe to use the PHP function openssl_x509_parse().
    179. 

  179.      *
    180. 

  180.      * This checks if OpenSSL extensions is vulnerable to remote code execution
    181. 

  181.      * via the exploit documented as CVE-2013-6420.
    182. 

  182.      *
    183. 

  183.      * @return bool
    184. 

  184.      */
    185. 

  185.     public static function isOpensslParseSafe()
    186. 

  186.     {
    187. 

  187.         if (null !== self::$useOpensslParse) {
    188. 

  188.             return self::$useOpensslParse;
    189. 

  189.         }
    190. 

  190. 

  191.         if (PHP_VERSION_ID >= 50600) {
    192. 

  192.             return self::$useOpensslParse = true;
    193. 

  193.         }
    194. 

  194. 

  195.         // Vulnerable:
    196. 

  196.         // PHP 5.3.0 - PHP 5.3.27
    197. 

  197.         // PHP 5.4.0 - PHP 5.4.22
    198. 

  198.         // PHP 5.5.0 - PHP 5.5.6
    199. 

  199.         if (
    200. 

  200.                (PHP_VERSION_ID < 50400 && PHP_VERSION_ID >= 50328)
    201. 

  201.             || (PHP_VERSION_ID < 50500 && PHP_VERSION_ID >= 50423)
    202. 

  202.             || (PHP_VERSION_ID < 50600 && PHP_VERSION_ID >= 50507)
    203. 

  203.         ) {
    204. 

  204.             // This version of PHP has the fix for CVE-2013-6420 applied.
    205. 

  205.             return self::$useOpensslParse = true;
    206. 

  206.         }
    207. 

  207. 

  208.         if (defined('PHP_WINDOWS_VERSION_BUILD')) {
    209. 

  209.             // Windows is probably insecure in this case.
    210. 

  210.             return self::$useOpensslParse = false;
    211. 

  211.         }
    212. 

  212. 

  213.         $compareDistroVersionPrefix = function ($prefix, $fixedVersion) {
    214. 

  214.             $regex = '{^'.preg_quote($prefix).'([0-9]+)$}';
    215. 

  215. 

  216.             if (preg_match($regex, PHP_VERSION, $m)) {
    217. 

  217.                 return ((int) $m[1]) >= $fixedVersion;
    218. 

  218.             }
    219. 

  219. 

  220.             return false;
    221. 

  221.         };
    222. 

  222. 

  223.         // Hard coded list of PHP distributions with the fix backported.
    224. 

  224.         if (
    225. 

  225.             $compareDistroVersionPrefix('5.3.3-7+squeeze', 18) // Debian 6 (Squeeze)
    226. 

  226.             || $compareDistroVersionPrefix('5.4.4-14+deb7u', 7) // Debian 7 (Wheezy)
    227. 

  227.             || $compareDistroVersionPrefix('5.3.10-1ubuntu3.', 9) // Ubuntu 12.04 (Precise)
    228. 

  228.         ) {
    229. 

  229.             return self::$useOpensslParse = true;
    230. 

  230.         }
    231. 

  231. 

  232.         // Symfony Process component is missing so we assume it is unsafe at this point
    233. 

  233.         if (!class_exists('Symfony\Component\Process\PhpProcess')) {
    234. 

  234.             return self::$useOpensslParse = false;
    235. 

  235.         }
    236. 

  236. 

  237.         // This is where things get crazy, because distros backport security
    238. 

  238.         // fixes the chances are on NIX systems the fix has been applied but
    239. 

  239.         // it's not possible to verify that from the PHP version.
    240. 

  240.         //
    241. 

  241.         // To verify exec a new PHP process and run the issue testcase with
    242. 

  242.         // known safe input that replicates the bug.
    243. 

  243. 

  244.         // Based on testcase in https://github.com/php/php-src/commit/c1224573c773b6845e83505f717fbf820fc18415
    245. 

  245.         // changes in https://github.com/php/php-src/commit/76a7fd893b7d6101300cc656058704a73254d593
    246. 

  246.         $cert = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVwRENDQTR5Z0F3SUJBZ0lKQUp6dThyNnU2ZUJjTUEwR0NTcUdTSWIzRFFFQkJRVUFNSUhETVFzd0NRWUQKVlFRR0V3SkVSVEVjTUJvR0ExVUVDQXdUVG05eVpISm9aV2x1TFZkbGMzUm1ZV3hsYmpFUU1BNEdBMVVFQnd3SApTOE9Ed3Jac2JqRVVNQklHQTFVRUNnd0xVMlZyZEdsdmJrVnBibk14SHpBZEJnTlZCQXNNRmsxaGJHbGphVzkxCmN5QkRaWEowSUZObFkzUnBiMjR4SVRBZkJnTlZCQU1NR0cxaGJHbGphVzkxY3k1elpXdDBhVzl1WldsdWN5NWsKWlRFcU1DZ0dDU3FHU0liM0RRRUpBUlliYzNSbFptRnVMbVZ6YzJWeVFITmxhM1JwYjI1bGFXNXpMbVJsTUhVWQpaREU1TnpBd01UQXhNREF3TURBd1dnQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBCkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUEKQUFBQUFBQVhEVEUwTVRFeU9ERXhNemt6TlZvd2djTXhDekFKQmdOVkJBWVRBa1JGTVJ3d0dnWURWUVFJREJOTwpiM0prY21obGFXNHRWMlZ6ZEdaaGJHVnVNUkF3RGdZRFZRUUhEQWRMdzRQQ3RteHVNUlF3RWdZRFZRUUtEQXRUClpXdDBhVzl1UldsdWN6RWZNQjBHQTFVRUN3d1dUV0ZzYVdOcGIzVnpJRU5sY25RZ1UyVmpkR2x2YmpFaE1COEcKQTFVRUF3d1liV0ZzYVdOcGIzVnpMbk5sYTNScGIyNWxhVzV6TG1SbE1Tb3dLQVlKS29aSWh2Y05BUWtCRmh0egpkR1ZtWVc0dVpYTnpaWEpBYzJWcmRHbHZibVZwYm5NdVpHVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRERBZjNobDdKWTBYY0ZuaXlFSnBTU0RxbjBPcUJyNlFQNjV1c0pQUnQvOFBhRG9xQnUKd0VZVC9OYSs2ZnNnUGpDMHVLOURaZ1dnMnRIV1dvYW5TYmxBTW96NVBINlorUzRTSFJaN2UyZERJalBqZGhqaAowbUxnMlVNTzV5cDBWNzk3R2dzOWxOdDZKUmZIODFNTjJvYlhXczROdHp0TE11RDZlZ3FwcjhkRGJyMzRhT3M4CnBrZHVpNVVhd1Raa3N5NXBMUEhxNWNNaEZHbTA2djY1Q0xvMFYyUGQ5K0tBb2tQclBjTjVLTEtlYno3bUxwazYKU01lRVhPS1A0aWRFcXh5UTdPN2ZCdUhNZWRzUWh1K3ByWTNzaTNCVXlLZlF0UDVDWm5YMmJwMHdLSHhYMTJEWAoxbmZGSXQ5RGJHdkhUY3lPdU4rblpMUEJtM3ZXeG50eUlJdlZBZ01CQUFHalFqQkFNQWtHQTFVZEV3UUNNQUF3CkVRWUpZSVpJQVliNFFnRUJCQVFEQWdlQU1Bc0dBMVVkRHdRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFqQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFHMGZaWVlDVGJkajFYWWMrMVNub2FQUit2SThDOENhRAo4KzBVWWhkbnlVNGdnYTBCQWNEclk5ZTk0ZUVBdTZacXljRjZGakxxWFhkQWJvcHBXb2NyNlQ2R0QxeDMzQ2tsClZBcnpHL0t4UW9oR0QySmVxa2hJTWxEb214SE83a2EzOStPYThpMnZXTFZ5alU4QVp2V01BcnVIYTRFRU55RzcKbFcyQWFnYUZLRkNyOVRuWFRmcmR4R1ZFYnY3S1ZRNmJkaGc1cDVTanBXSDErTXEwM3VSM1pYUEJZZHlWODMxOQpvMGxWajFLRkkyRENML2xpV2lzSlJvb2YrMWNSMzVDdGQwd1lCY3BCNlRac2xNY09QbDc2ZHdLd0pnZUpvMlFnClpzZm1jMnZDMS9xT2xOdU5xLzBUenprVkd2OEVUVDNDZ2FVK1VYZTRYT1Z2a2NjZWJKbjJkZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K';
    247. 

  247.         $script = <<<'EOT'
    248. 

  248. 

  249. error_reporting(-1);
    250. 

  250. $info = openssl_x509_parse(base64_decode('%s'));
    251. 

  251. var_dump(PHP_VERSION, $info['issuer']['emailAddress'], $info['validFrom_time_t']);
    252. 

  252. 

  253. EOT;
    254. 

  254.         $script = '<'."?php\n".sprintf($script, $cert);
    255. 

  255. 

  256.         try {
    257. 

  257.             $process = new PhpProcess($script);
    258. 

  258.             $process->mustRun();
    259. 

  259.         } catch (\Exception $e) {
    260. 

  260.             // In the case of any exceptions just accept it is not possible to
    261. 

  261.             // determine the safety of openssl_x509_parse and bail out.
    262. 

  262.             return self::$useOpensslParse = false;
    263. 

  263.         }
    264. 

  264. 

  265.         $output = preg_split('{\r?\n}', trim($process->getOutput()));
    266. 

  266.         $errorOutput = trim($process->getErrorOutput());
    267. 

  267. 

  268.         if (
    269. 

  269.             count($output) === 3
    270. 

  270.             && $output[0] === sprintf('string(%d) "%s"', strlen(PHP_VERSION), PHP_VERSION)
    271. 

  271.             && $output[1] === 'string(27) "stefan.esser@sektioneins.de"'
    272. 

  272.             && $output[2] === 'int(-1)'
    273. 

  273.             && preg_match('{openssl_x509_parse\(\): illegal (?:ASN1 data type for|length in) timestamp in - on line \d+}', $errorOutput)
    274. 

  274.         ) {
    275. 

  275.             // This PHP has the fix backported probably by a distro security team.
    276. 

  276.             return self::$useOpensslParse = true;
    277. 

  277.         }
    278. 

  278. 

  279.         return self::$useOpensslParse = false;
    280. 

  280.     }
    281. 

  281. 

  282.     /**
    283. 

  283.      * Resets the static caches
    284. 

  284.      */
    285. 

  285.     public static function reset()
    286. 

  286.     {
    287. 

  287.         self::$caFileValidity = array();
    288. 

  288.         self::$caPath = null;
    289. 

  289.         self::$useOpensslParse = null;
    290. 

  290.     }
    291. 

  291. }
    292. 

  292.