php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.2'

Browse Source 
* PHP-8.2:
  Fix GH-10964: Improve `man` page about the built-in server
  Fix GH-11438: mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters
This commit is contained in:
Niels Dossche
2023-08-03 20:33:07 +02:00
parent 47e490a2cf 75441d71d8
commit 50bb380594
3 changed files with 97 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
ext/mysqli/tests/gh11438.phpt Normal file
View File

@@ -0,0 +1,84 @@
--TEST--
GH-11438 (mysqlnd fails to authenticate with sha256_password accounts using passwords longer than 19 characters)
--EXTENSIONS--
mysqli
--SKIPIF--
<?php
require_once 'skipifconnectfailure.inc';
ob_start();
phpinfo(INFO_MODULES);
$tmp = ob_get_contents();
ob_end_clean();
if (!stristr($tmp, "auth_plugin_sha256_password"))
die("skip SHA256 auth plugin not built-in to mysqlnd");
if (!$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket))
die(printf("skip: [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error()));
if (mysqli_get_server_version($link) < 50606)
die("skip: SHA-256 requires MySQL 5.6.6+");
if (!($res = $link->query("SHOW PLUGINS"))) {
die(sprintf("skip [%d] %s\n", $link->errno, $link->error));
}
$found = false;
while ($row = $res->fetch_assoc()) {
if (($row['Name'] == 'sha256_password') && ($row['Status'] == 'ACTIVE')) {
$found = true;
break;
}
}
if (!$found)
die("skip SHA-256 server plugin unavailable");
// Ignore errors because this variable exists only in MySQL 5.6 and 5.7
$link->query("SET @@session.old_passwords=2");
$link->query('DROP USER shatest');
$link->query("DROP USER shatest@localhost");
if (!$link->query('CREATE USER shatest@"%" IDENTIFIED WITH sha256_password') ||
!$link->query('CREATE USER shatest@"localhost" IDENTIFIED WITH sha256_password')) {
die(sprintf("skip CREATE USER failed [%d] %s", $link->errno, $link->error));
}
// Password of length 52, more than twice the length of the scramble data to ensure scramble is repeated correctly
if (!$link->query('SET PASSWORD FOR shatest@"%" = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"') ||
!$link->query('SET PASSWORD FOR shatest@"localhost" = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"')) {
die(sprintf("skip SET PASSWORD failed [%d] %s", $link->errno, $link->error));
}
echo "nocache";
?>
--FILE--
<?php
require_once 'connect.inc';
$link = new mysqli($host, 'shatest', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', null, $port, $socket);
if ($link->connect_errno) {
printf("[001] [%d] %s\n", $link->connect_errno, $link->connect_error);
} else {
if (!$res = $link->query("SELECT USER()"))
printf("[002] [%d] %s\n", $link->errno, $link->error);
if (!$row = mysqli_fetch_assoc($res)) {
printf("[003] [%d] %s\n", $link->errno, $link->error);
}
if (!is_string($row['USER()']) || !str_starts_with($row['USER()'], 'shatest')) {
printf("[004] Expecting 1 got %s/'%s'", gettype($row['USER()']), $row['USER()']);
}
}
print "done!";
?>
--CLEAN--
<?php
require_once 'connect.inc';
$link->query('DROP USER shatest');
$link->query('DROP USER shatest@localhost');
?>
--EXPECTF--
done!

5
ext/mysqlnd/mysqlnd_auth.c
View File

@@ -927,7 +927,10 @@ mysqlnd_sha256_auth_get_auth_data(struct st_mysqlnd_authentication_plugin * self
char *xor_str = do_alloca(passwd_len + 1, use_heap); char *xor_str = do_alloca(passwd_len + 1, use_heap);
memcpy(xor_str, passwd, passwd_len); memcpy(xor_str, passwd, passwd_len);
xor_str[passwd_len] = '\0'; xor_str[passwd_len] = '\0';
mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len); /* https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html
* This tells us that the nonce is 20 (==SCRAMBLE_LENGTH) bytes long.
* In a 5.5+ server we might get additional scramble data in php_mysqlnd_greet_read, not used by this authentication method. */
mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, SCRAMBLE_LENGTH);
ret = mysqlnd_sha256_public_encrypt(conn, server_public_key, passwd_len, auth_data_len, xor_str); ret = mysqlnd_sha256_public_encrypt(conn, server_public_key, passwd_len, auth_data_len, xor_str);
free_alloca(xor_str, use_heap); free_alloca(xor_str, use_heap);
} }

9
sapi/cli/php.1.in
View File

@@ -92,6 +92,15 @@ point to a local address and port PHP will listen to HTTP requests on that addre
.B docroot .B docroot
passed by the \-t option. passed by the \-t option.
.LP .LP
If a PHP file is provided to the command line when the
built-in web server is used, it will be used as the router script. This script
will be started at each HTTP request. The script output is returned to the
browser, unless the router script returns the
.B false
value. If so, the built-in server falls back to the default behaviour, returning
the requested resource as-is by looking up the files relative to the document
root specified by the \-t option, if provided.
.LP
If none of \-r \-f \-B \-R \-F \-E or \-S is present but a single parameter is given If none of \-r \-f \-B \-R \-F \-E or \-S is present but a single parameter is given
then this parameter is taken as the filename to parse and execute (same as then this parameter is taken as the filename to parse and execute (same as
with \-f). If no parameter is present then the standard input is read and with \-f). If no parameter is present then the standard input is read and