Merge pull request #1259 from sjinks/1.2.4

Fix #1258

.travis.yml

@@ -25,6 +25,7 @@ before_script:
  - ulimit -c unlimited || true
 
 script:
+ - (cd ext; NO_INTERACTION=1 make test)
  - $(phpenv which php) ./unit-tests/ci/phpunit.php --debug -c unit-tests/phpunit.xml
 
 after_failure:
@@ -35,4 +36,5 @@ notifications:
   email:
     - andres@phalconphp.com
     - eduar@phalconphp.com
-    - nikos@phalconphp.com
+    - nikos@phalconphp.com
+    - vladimir@phalconphp.com

CHANGELOG

@@ -16,6 +16,7 @@
  - Implemented \Phalcon\Cache\Backend\Memory::queryKeys() (#1093)
  - Redirects use status descriptions from RFC 2616 (#1175)
  - \Phalcon\Config::merge now works with derived classes (#1024)
+ - \Phalcon\Security::checkHash() allows to restrict the length of the password to avoid attacks like https://www.djangoproject.com/weblog/2013/sep/15/security/
  - Other bug fixes (#947, #1040, backported patches from 1.3.0 etc)
 
 1.2.3

build/32bits/phalcon.c

@@ -36931,7 +36931,7 @@ static PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 		}
 	}
 
-	PHALCON_INIT_VAR(have_access);
+	PHALCON_INIT_NVAR(have_access);
 	ZVAL_BOOL(have_access, allow_access);
 
 	phalcon_update_property_this_quick(this_ptr, SL("_accessGranted"), have_access, 3188809627UL TSRMLS_CC);
@@ -92800,12 +92800,27 @@ static PHP_METHOD(Phalcon_Security, hash){
 
 static PHP_METHOD(Phalcon_Security, checkHash){
 
-	zval *password, *password_hash, *hash;
+	zval *password, *password_hash, *hash, *max_pass_length = NULL;
 
-	PHALCON_MM_GROW();
-
-	phalcon_fetch_params(1, 2, 0, &password, &password_hash);
+	phalcon_fetch_params(0, 2, 1, &password, &password_hash, &max_pass_length);
 
+	if (Z_TYPE_P(password) != IS_STRING) {
+		PHALCON_SEPARATE_PARAM_NMO(password);
+		convert_to_string(password);
+	}
+
+	if (max_pass_length) {
+		if (Z_TYPE_P(max_pass_length) != IS_LONG) {
+			PHALCON_SEPARATE_PARAM_NMO(max_pass_length);
+			convert_to_long(max_pass_length);
+		}
+
+		if (Z_LVAL_P(max_pass_length) > 0 && Z_STRLEN_P(password) > Z_LVAL_P(max_pass_length)) {
+			RETURN_FALSE;
+		}
+	}
+
+	PHALCON_MM_GROW();
 	PHALCON_INIT_VAR(hash);
 	phalcon_call_func_p2(hash, "crypt", password, password_hash);
 	is_equal_function(return_value, hash, password_hash TSRMLS_CC);

build/32bits/phalcon.h

@@ -8309,6 +8309,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_checkhash, 0, 0, 2)
 	ZEND_ARG_INFO(0, password)
 	ZEND_ARG_INFO(0, passwordHash)
+	ZEND_ARG_INFO(0, maxPasswordLength)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_islegacyhash, 0, 0, 1)

build/64bits/phalcon.c

@@ -36931,7 +36931,7 @@ static PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 		}
 	}
 
-	PHALCON_INIT_VAR(have_access);
+	PHALCON_INIT_NVAR(have_access);
 	ZVAL_BOOL(have_access, allow_access);
 
 	phalcon_update_property_this_quick(this_ptr, SL("_accessGranted"), have_access, 8897148297292111771UL TSRMLS_CC);
@@ -92800,12 +92800,27 @@ static PHP_METHOD(Phalcon_Security, hash){
 
 static PHP_METHOD(Phalcon_Security, checkHash){
 
-	zval *password, *password_hash, *hash;
+	zval *password, *password_hash, *hash, *max_pass_length = NULL;
 
-	PHALCON_MM_GROW();
-
-	phalcon_fetch_params(1, 2, 0, &password, &password_hash);
+	phalcon_fetch_params(0, 2, 1, &password, &password_hash, &max_pass_length);
 
+	if (Z_TYPE_P(password) != IS_STRING) {
+		PHALCON_SEPARATE_PARAM_NMO(password);
+		convert_to_string(password);
+	}
+
+	if (max_pass_length) {
+		if (Z_TYPE_P(max_pass_length) != IS_LONG) {
+			PHALCON_SEPARATE_PARAM_NMO(max_pass_length);
+			convert_to_long(max_pass_length);
+		}
+
+		if (Z_LVAL_P(max_pass_length) > 0 && Z_STRLEN_P(password) > Z_LVAL_P(max_pass_length)) {
+			RETURN_FALSE;
+		}
+	}
+
+	PHALCON_MM_GROW();
 	PHALCON_INIT_VAR(hash);
 	phalcon_call_func_p2(hash, "crypt", password, password_hash);
 	is_equal_function(return_value, hash, password_hash TSRMLS_CC);

build/64bits/phalcon.h

@@ -8309,6 +8309,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_checkhash, 0, 0, 2)
 	ZEND_ARG_INFO(0, password)
 	ZEND_ARG_INFO(0, passwordHash)
+	ZEND_ARG_INFO(0, maxPasswordLength)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_islegacyhash, 0, 0, 1)

build/safe/phalcon.c

@@ -36931,7 +36931,7 @@ static PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 		}
 	}
 
-	PHALCON_INIT_VAR(have_access);
+	PHALCON_INIT_NVAR(have_access);
 	ZVAL_BOOL(have_access, allow_access);
 
 	phalcon_update_property_this(this_ptr, SL("_accessGranted"), have_access TSRMLS_CC);
@@ -92800,12 +92800,27 @@ static PHP_METHOD(Phalcon_Security, hash){
 
 static PHP_METHOD(Phalcon_Security, checkHash){
 
-	zval *password, *password_hash, *hash;
+	zval *password, *password_hash, *hash, *max_pass_length = NULL;
 
-	PHALCON_MM_GROW();
-
-	phalcon_fetch_params(1, 2, 0, &password, &password_hash);
+	phalcon_fetch_params(0, 2, 1, &password, &password_hash, &max_pass_length);
 
+	if (Z_TYPE_P(password) != IS_STRING) {
+		PHALCON_SEPARATE_PARAM_NMO(password);
+		convert_to_string(password);
+	}
+
+	if (max_pass_length) {
+		if (Z_TYPE_P(max_pass_length) != IS_LONG) {
+			PHALCON_SEPARATE_PARAM_NMO(max_pass_length);
+			convert_to_long(max_pass_length);
+		}
+
+		if (Z_LVAL_P(max_pass_length) > 0 && Z_STRLEN_P(password) > Z_LVAL_P(max_pass_length)) {
+			RETURN_FALSE;
+		}
+	}
+
+	PHALCON_MM_GROW();
 	PHALCON_INIT_VAR(hash);
 	phalcon_call_func_p2(hash, "crypt", password, password_hash);
 	is_equal_function(return_value, hash, password_hash TSRMLS_CC);

build/safe/phalcon.h

@@ -8309,6 +8309,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_checkhash, 0, 0, 2)
 	ZEND_ARG_INFO(0, password)
 	ZEND_ARG_INFO(0, passwordHash)
+	ZEND_ARG_INFO(0, maxPasswordLength)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_islegacyhash, 0, 0, 1)

ext/acl/adapter/memory.c

@@ -888,7 +888,7 @@ PHP_METHOD(Phalcon_Acl_Adapter_Memory, isAllowed){
 		}
 	}
 
-	PHALCON_INIT_VAR(have_access);
+	PHALCON_INIT_NVAR(have_access);
 	ZVAL_BOOL(have_access, allow_access);
 
 	phalcon_update_property_this(this_ptr, SL("_accessGranted"), have_access TSRMLS_CC);

ext/security.c

@@ -260,16 +260,32 @@ PHP_METHOD(Phalcon_Security, hash){
  *
  * @param string $password
  * @param string $passwordHash
+ * @param int $maxPasswordLength
  * @return boolean
  */
 PHP_METHOD(Phalcon_Security, checkHash){
 
-	zval *password, *password_hash, *hash;
+	zval *password, *password_hash, *hash, *max_pass_length = NULL;
 
-	PHALCON_MM_GROW();
-
-	phalcon_fetch_params(1, 2, 0, &password, &password_hash);
+	phalcon_fetch_params(0, 2, 1, &password, &password_hash, &max_pass_length);
 
+	if (Z_TYPE_P(password) != IS_STRING) {
+		PHALCON_SEPARATE_PARAM_NMO(password);
+		convert_to_string(password);
+	}
+
+	if (max_pass_length) {
+		if (Z_TYPE_P(max_pass_length) != IS_LONG) {
+			PHALCON_SEPARATE_PARAM_NMO(max_pass_length);
+			convert_to_long(max_pass_length);
+		}
+
+		if (Z_LVAL_P(max_pass_length) > 0 && Z_STRLEN_P(password) > Z_LVAL_P(max_pass_length)) {
+			RETURN_FALSE;
+		}
+	}
+
+	PHALCON_MM_GROW();
 	PHALCON_INIT_VAR(hash);
 	phalcon_call_func_p2(hash, "crypt", password, password_hash);
 	is_equal_function(return_value, hash, password_hash TSRMLS_CC);

ext/security.h

@@ -56,6 +56,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_checkhash, 0, 0, 2)
 	ZEND_ARG_INFO(0, password)
 	ZEND_ARG_INFO(0, passwordHash)
+	ZEND_ARG_INFO(0, maxPasswordLength)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_islegacyhash, 0, 0, 1)

ext/tests/issue-1258.phpt

@@ -0,0 +1,50 @@
+--TEST--
+Segmentation fault in zim_Phalcon_Mvc_Dispatcher__throwDispatchException - https://github.com/phalcon/cphalcon/issues/1258
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+class Secure extends Phalcon\Mvc\User\Plugin
+{
+	public function beforeDispatch(\Phalcon\Events\Event $event, \Phalcon\Mvc\Dispatcher $dispatcher)
+	{
+		$acl = new \Phalcon\Acl\Adapter\Memory();
+		$acl->setDefaultAction(Phalcon\Acl::ALLOW);
+		$acl->addRole(new \Phalcon\Acl\Role('test'));
+
+		$acl->isAllowed('test' , 'test' , 'test');
+		$acl->isAllowed('test' , 'test' , 'test');
+	}
+}
+
+$di = new \Phalcon\DI\FactoryDefault();
+$di->set(
+	'dispatcher',
+	function () use ($di) {
+		$eventsManager = $di->getShared('eventsManager');
+
+		$secure = new \Secure($di);
+		$eventsManager->attach('dispatch' , $secure);
+
+		$dispatcher = new \Phalcon\Mvc\Dispatcher();
+		$dispatcher->setEventsManager($eventsManager);
+
+		return $dispatcher;
+	}
+);
+
+$di['view'] = function(){
+	return new Phalcon\Mvc\View();
+};
+
+$application = new \Phalcon\Mvc\Application($di);
+try {
+	$application->handle()->getContent();
+}
+catch (Exception $e) {
+	echo $e->getMessage(), PHP_EOL;
+}
+?>
+--EXPECT--
+IndexController handler class cannot be loaded

ext/tests/issue-1261.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Ability to restrict the maximum password length for Phalcon\Security::checkHash() - https://github.com/phalcon/cphalcon/pull/1261
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+$s = new \Phalcon\Security();
+$hash = $s->hash('password', 10);
+echo var_export((bool)$s->checkHash('password', $hash), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 0), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 8), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 7), 0), PHP_EOL;
+?>
+--EXPECT--
+true
+true
+true
+false