From 4adc8da23e6166e7156abbfe2d4fc654f5d3054c Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 23 Jul 2019 16:26:55 +0200 Subject: - main package now recommends commonly used extensions and SAPI (json, mbstring, opcache, pdo, xml) - fix gd build options and dependencies - refresh provided configuration from upstream production values --- php-7.4.0-phpize.patch | 10 +- php-upstream.patch | 266 ------------------------------------------------- php.ini | 12 +++ php.spec | 53 ++++++---- 4 files changed, 51 insertions(+), 290 deletions(-) delete mode 100644 php-upstream.patch diff --git a/php-7.4.0-phpize.patch b/php-7.4.0-phpize.patch index b6958b3..fb99f3e 100644 --- a/php-7.4.0-phpize.patch +++ b/php-7.4.0-phpize.patch @@ -1,8 +1,8 @@ diff -up ./scripts/phpize.in.headers ./scripts/phpize.in ---- ./scripts/phpize.in.headers 2019-05-20 11:11:06.000000000 +0200 -+++ ./scripts/phpize.in 2019-05-20 16:22:43.182043588 +0200 -@@ -169,6 +169,15 @@ phpize_autotools() - mv config.h.in.tmp config.h.in +--- ./scripts/phpize.in.headers 2019-07-23 10:05:11.000000000 +0200 ++++ ./scripts/phpize.in 2019-07-23 10:18:13.648098089 +0200 +@@ -165,6 +165,15 @@ phpize_autotools() + $PHP_AUTOHEADER || exit 1 } +phpize_check_headers() @@ -17,7 +17,7 @@ diff -up ./scripts/phpize.in.headers ./scripts/phpize.in # Main script case "$1" in -@@ -187,12 +196,15 @@ case "$1" in +@@ -183,12 +192,15 @@ case "$1" in # Version --version|-v) diff --git a/php-upstream.patch b/php-upstream.patch deleted file mode 100644 index 1984dd9..0000000 --- a/php-upstream.patch +++ /dev/null 
@@ -1,266 +0,0 @@ -From f65956e4fb4dc15ba8129e69b13a2cd758e85f46 Mon Sep 17 00:00:00 2001 -From: Sara Golemon -Date: Tue, 9 Jul 2019 11:18:13 -0400 -Subject: [PATCH] Relax argon2 mem_cost down to 64k, bump time_cost to 4 - ---- - ext/sodium/sodium_pwhash.c | 5 ++--- - .../tests/php_password_hash_argon2i.phpt | 18 +++++++++--------- - .../tests/php_password_hash_argon2id.phpt | 19 ++++++++++--------- - ext/standard/php_password.h | 7 ++----- - .../password_needs_rehash_argon2.phpt | 14 +++++--------- - 5 files changed, 28 insertions(+), 35 deletions(-) - -diff --git a/ext/sodium/sodium_pwhash.c b/ext/sodium/sodium_pwhash.c -index d615a24ab6e2..7b7f574e173a 100644 ---- a/ext/sodium/sodium_pwhash.c -+++ b/ext/sodium/sodium_pwhash.c -@@ -29,7 +29,6 @@ - #if SODIUM_LIBRARY_VERSION_MAJOR > 9 || (SODIUM_LIBRARY_VERSION_MAJOR == 9 && SODIUM_LIBRARY_VERSION_MINOR >= 6) - - /** -- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values. - * MEMLIMIT is normalized to KB even though sodium uses Bytes in order to - * present a consistent user-facing API. - * -@@ -37,8 +36,8 @@ - * - * When updating these values, synchronize ext/standard/php_password.h values. 
- */ --#define PHP_SODIUM_PWHASH_MEMLIMIT (256 << 10) --#define PHP_SODIUM_PWHASH_OPSLIMIT 3 -+#define PHP_SODIUM_PWHASH_MEMLIMIT (64 << 10) -+#define PHP_SODIUM_PWHASH_OPSLIMIT 4 - #define PHP_SODIUM_PWHASH_THREADS 1 - - static zend_string *php_sodium_argon2_hash(const zend_string *password, zend_array *options, int alg) { -diff --git a/ext/sodium/tests/php_password_hash_argon2i.phpt b/ext/sodium/tests/php_password_hash_argon2i.phpt -index 9ce6c7399eee..4522e6d1753a 100644 ---- a/ext/sodium/tests/php_password_hash_argon2i.phpt -+++ b/ext/sodium/tests/php_password_hash_argon2i.phpt -@@ -36,38 +36,38 @@ foreach([1, 2, 4] as $mem) { - --EXPECTF-- - Argon2 provider: string(%d) "%s" - Using password: string(44) "%s" --Hash: string(97) "$argon2i$v=19$m=262144,t=3,p=1$%s$%s" -+Hash: string(96) "$argon2i$v=19$m=65536,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(97) "$argon2i$v=19$m=262144,t=6,p=1$%s$%s" -+Hash: string(96) "$argon2i$v=19$m=65536,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2i$v=19$m=262144,t=12,p=1$%s$%s" -+Hash: string(97) "$argon2i$v=19$m=65536,t=16,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(97) "$argon2i$v=19$m=524288,t=3,p=1$%s$%s" -+Hash: string(97) "$argon2i$v=19$m=131072,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(97) "$argon2i$v=19$m=524288,t=6,p=1$%s$%s" -+Hash: string(97) "$argon2i$v=19$m=131072,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2i$v=19$m=524288,t=12,p=1$%s$%s" -+Hash: string(98) "$argon2i$v=19$m=131072,t=16,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2i$v=19$m=1048576,t=3,p=1$%s$%s" -+Hash: string(97) "$argon2i$v=19$m=262144,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) 
"$argon2i$v=19$m=1048576,t=6,p=1$%s$%s" -+Hash: string(97) "$argon2i$v=19$m=262144,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(99) "$argon2i$v=19$m=1048576,t=12,p=1$%s$%s" -+Hash: string(98) "$argon2i$v=19$m=262144,t=16,p=1$%s$%s" - bool(true) - bool(false) -diff --git a/ext/sodium/tests/php_password_hash_argon2id.phpt b/ext/sodium/tests/php_password_hash_argon2id.phpt -index e6d4c1ee80a9..db5145718b8f 100644 ---- a/ext/sodium/tests/php_password_hash_argon2id.phpt -+++ b/ext/sodium/tests/php_password_hash_argon2id.phpt -@@ -36,38 +36,39 @@ foreach([1, 2, 4] as $mem) { - --EXPECTF-- - Argon2 provider: string(%d) "%s" - Using password: string(44) "%s" --Hash: string(98) "$argon2id$v=19$m=262144,t=3,p=1$%s$%s" -+Hash: string(97) "$argon2id$v=19$m=65536,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2id$v=19$m=262144,t=6,p=1$%s$%s" -+Hash: string(97) "$argon2id$v=19$m=65536,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(99) "$argon2id$v=19$m=262144,t=12,p=1$%s$%s" -+Hash: string(98) "$argon2id$v=19$m=65536,t=16,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2id$v=19$m=524288,t=3,p=1$%s$%s" -+Hash: string(98) "$argon2id$v=19$m=131072,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(98) "$argon2id$v=19$m=524288,t=6,p=1$%s$%s" -+Hash: string(98) "$argon2id$v=19$m=131072,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(99) "$argon2id$v=19$m=524288,t=12,p=1$%s$%s" -+Hash: string(99) "$argon2id$v=19$m=131072,t=16,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(99) "$argon2id$v=19$m=1048576,t=3,p=1$%s$%s" -+Hash: string(98) "$argon2id$v=19$m=262144,t=4,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(99) 
"$argon2id$v=19$m=1048576,t=6,p=1$%s$%s" -+Hash: string(98) "$argon2id$v=19$m=262144,t=8,p=1$%s$%s" - bool(true) - bool(false) - Using password: string(44) "%s" --Hash: string(100) "$argon2id$v=19$m=1048576,t=12,p=1$%s$%s" -+Hash: string(99) "$argon2id$v=19$m=262144,t=16,p=1$%s$%s" - bool(true) - bool(false) -+ -diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h -index ce3fdba6bbc4..97a6bf63a21e 100644 ---- a/ext/standard/php_password.h -+++ b/ext/standard/php_password.h -@@ -34,14 +34,11 @@ PHP_MSHUTDOWN_FUNCTION(password); - - #if HAVE_ARGON2LIB - /** -- * OPSLIMIT and MEMLIMIT are taken from libsodium's MODERATE values. -- * Threads are fixed at 1 by libsodium. -- * - * When updating these values, synchronize ext/sodium/sodium_pwhash.c values. - * Note that libargon expresses memlimit in KB, while libsoidum uses bytes. - */ --#define PHP_PASSWORD_ARGON2_MEMORY_COST (256 << 10) --#define PHP_PASSWORD_ARGON2_TIME_COST 3 -+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10) -+#define PHP_PASSWORD_ARGON2_TIME_COST 4 - #define PHP_PASSWORD_ARGON2_THREADS 1 - #endif - -diff --git a/ext/standard/tests/password/password_needs_rehash_argon2.phpt b/ext/standard/tests/password/password_needs_rehash_argon2.phpt -index 9552be1dc924..69588d02ad4a 100644 ---- a/ext/standard/tests/password/password_needs_rehash_argon2.phpt -+++ b/ext/standard/tests/password/password_needs_rehash_argon2.phpt -@@ -10,24 +10,20 @@ if (!defined('PASSWORD_ARGON2ID')) die('skip password_hash not built with Argon2 - - $hash = password_hash('test', PASSWORD_ARGON2I); - var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I)); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17])); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4])); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4])); -+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2])); 
-+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1])); - - $hash = password_hash('test', PASSWORD_ARGON2ID); - var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID)); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => 1<<17])); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => 4])); --var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['threads' => 4])); -+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2])); -+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2ID, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST + 1])); -+ - echo "OK!"; --?> - --EXPECT-- - bool(false) - bool(true) - bool(true) --bool(true) - bool(false) - bool(true) - bool(true) --bool(true) - OK! -From db0eaa8cf1cbeeec5968a5f91a416541d354ccfe Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 10 Jul 2019 09:00:41 +0200 -Subject: [PATCH] improve libargon2/libsodium compatibility - ---- - ext/standard/password.c | 15 +++++++++++++++ - ext/standard/tests/password/bug75221.phpt | 2 +- - .../password/password_hash_error_argon2.phpt | 4 ++-- - 3 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/ext/standard/password.c b/ext/standard/password.c -index aacb30e61cb7..a12590c0e083 100644 ---- a/ext/standard/password.c -+++ b/ext/standard/password.c -@@ -571,6 +571,21 @@ static const php_password_algo* php_password_algo_find_zval_ex(zval *arg, const - #if HAVE_ARGON2LIB - case 2: return &php_password_algo_argon2i; - case 3: return &php_password_algo_argon2id; -+#else -+ case 2: -+ { -+ zend_string *n = zend_string_init("argon2i", sizeof("argon2i")-1, 0); -+ const php_password_algo* ret = php_password_algo_find(n); -+ zend_string_release(n); -+ return ret; -+ } -+ case 3: -+ { -+ zend_string *n = zend_string_init("argon2id", sizeof("argon2id")-1, 0); -+ const php_password_algo* ret = 
php_password_algo_find(n); -+ zend_string_release(n); -+ return ret; -+ } - #endif - } - return NULL; -diff --git a/ext/standard/tests/password/bug75221.phpt b/ext/standard/tests/password/bug75221.phpt -index ec03f92ea6cd..bd6e386a164e 100644 ---- a/ext/standard/tests/password/bug75221.phpt -+++ b/ext/standard/tests/password/bug75221.phpt -@@ -9,7 +9,7 @@ if (!defined('PASSWORD_ARGON2I')) die('skip password_hash not built with Argon2' - $hash = password_hash( - "php", - PASSWORD_ARGON2I, -- ['memory_cost' => 16384, 'time_cost' => 2, 'threads' => 4] -+ ['memory_cost' => 64 << 10, 'time_cost' => 4, 'threads' => 1] - ); - var_dump(substr($hash, -1, 1) !== "\0"); - ?> -diff --git a/ext/standard/tests/password/password_hash_error_argon2.phpt b/ext/standard/tests/password/password_hash_error_argon2.phpt -index 070d61656ab1..2ea6b93627c0 100644 ---- a/ext/standard/tests/password/password_hash_error_argon2.phpt -+++ b/ext/standard/tests/password/password_hash_error_argon2.phpt -@@ -21,7 +21,7 @@ NULL - Warning: password_hash(): Time cost is outside of allowed time range in %s on line %d - NULL - --Warning: password_hash(): Invalid number of threads in %s on line %d -+Warning: password_hash(): %sthread%s - NULL - - Warning: password_hash(): Memory cost is outside of allowed memory range in %s on line %d -@@ -30,5 +30,5 @@ NULL - Warning: password_hash(): Time cost is outside of allowed time range in %s on line %d - NULL - --Warning: password_hash(): Invalid number of threads in %s on line %d -+Warning: password_hash(): %sthread%s - NULL diff --git a/php.ini b/php.ini index 5e3ffc5..06adab5 100644 --- a/php.ini +++ b/php.ini 
@@ -359,6 +359,12 @@ zend.enable_gc = On ; Default: "" ;zend.script_encoding = +; Allows to include or exclude arguments from stack traces generated for exceptions +; Default: Off +; In production, it is recommended to turn this setting on to prohibit the output +; of sensitive information in stack traces +zend.exception_ignore_args = On + ;;;;;;;;;;;;;;;;; ; Miscellaneous ; ;;;;;;;;;;;;;;;;; @@ -595,6 +601,7 @@ report_memleaks = On ; ascii (all printable ASCII characters and NL) ; no-ctrl (all characters except control characters) ; all (all characters) +; raw (like "all", but messages are not split at newlines) ; http://php.net/syslog.filter ;syslog.filter = ascii @@ -1561,6 +1568,11 @@ zend.assertions = -1 ; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) ;mbstring.http_output_conv_mimetype= +; This directive specifies maximum stack depth for mbstring regular expressions. It is similar +; to the pcre.recursion_limit for PCRE. +; Default: 100000 +;mbstring.regex_stack_limit=100000 + [gd] ; Tell the jpeg decode to ignore warnings and try to create ; a gd image. The warning will then be displayed as notices diff --git a/php.spec b/php.spec index 4de1b9c..827528f 100644 --- a/php.spec +++ b/php.spec @@ -102,13 +102,13 @@ %global gh_owner php %global gh_project php-src %global upver 7.4.0 -%global rcver alpha3 -%global lower alpha3 +%global rcver beta1 +%global lower beta1 Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?lower:~%{lower}}%{?gh_date:.%{gh_date}} -Release: 13%{?dist} +Release: 14%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -163,7 +163,6 @@ Patch47: php-5.6.3-phpinfo.patch Patch91: php-7.2.0-oci8conf.patch # Upstream fixes (100+) -Patch100: php-upstream.patch # Security fixes (200+) 
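Review bot: The comment added above `zend.exception_ignore_args = On` in the first php.ini hunk does not say how narrow the setting is. As far as I know it only drops call arguments from the stack traces attached to exceptions, so it complements `display_errors = Off` and careful log handling rather than replacing them. I would add a line such as `; Only affects exception stack traces; error display and logging settings still apply`. Because this changes what administrators see while debugging, it also deserves its own %changelog line instead of being folded into "refresh provided configuration from upstream production values".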
@@ -215,17 +214,28 @@ BuildRequires: /bin/ps Requires: httpd-mmn = %{_httpd_mmn} Provides: %{?scl_prefix}mod_php = %{version}-%{release} Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} -# For backwards-compatibility, require php-cli for the time being: -Requires: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} # To ensure correct /var/lib/php/session ownership: %if %{with_httpd2410} Requires(pre): httpd-filesystem %else Requires(pre): httpd %endif + %if 0%{?fedora} >= 27 || 0%{?rhel} >= 8 +# For backwards-compatibility, pull the "php" command +Recommends: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} # httpd have threaded MPM by default -Recommends: %{?scl_prefix}php-fpm%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-fpm%{?_isa} = %{version}-%{release} +# as "php" is now mostly a meta-package, commonly used extensions +Recommends: %{?scl_prefix}php-json%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-mbstring%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-opcache%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-pdo%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-sodium%{?_isa} = %{version}-%{release} +Recommends: %{?scl_prefix}php-xml%{?_isa} = %{version}-%{release} +%else +# For backwards-compatibility, require php-cli for the time being: +Requires: %{?scl_prefix}php-cli%{?_isa} = %{version}-%{release} %endif @@ -698,11 +708,6 @@ License: PHP License: PHP and BSD %endif Requires: %{?scl_prefix}php-common%{?_isa} = %{version}-%{release} -# Required to build the bundled GD library -BuildRequires: pkgconfig(libjpeg) -BuildRequires: pkgconfig(libpng) -BuildRequires: pkgconfig(freetype2) -BuildRequires: pkgconfig(xpm) %if %{with_libgd} BuildRequires: pkgconfig(gdlib) >= 2.1.1 %if 0%{?fedora} <= 19 && 0%{?rhel} <= 7 
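Review bot: The new `Recommends:` list in the -215 hunk includes `php-sodium`, but the commit subject and the %changelog entry name only json, mbstring, opcache, pdo and xml. The changelog line should read `(json, mbstring, opcache, pdo, sodium, xml)`, or the sodium line should be dropped if it was not intended. In the same hunk `php-cli` goes from `Requires:` to `Recommends:` on Fedora >= 27 / RHEL >= 8, so an install with weak dependencies disabled no longer gets the `php` command. Packages or local jobs that relied on that hard dependency would need their own `Requires:` on php-cli, which is worth stating in the changelog.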
@@ -711,6 +716,12 @@ Requires: gd-last%{?_isa} >= 2.1.1 Requires: gd%{?_isa} >= 2.1.1 %endif %else +# Required to build the bundled GD library +BuildRequires: pkgconfig(zlib) +BuildRequires: pkgconfig(libjpeg) +BuildRequires: pkgconfig(libpng) +BuildRequires: pkgconfig(freetype2) +BuildRequires: pkgconfig(xpm) BuildRequires: pkgconfig(libwebp) Provides: bundled(gd) = 2.0.35 %endif @@ -899,8 +910,6 @@ in pure PHP. %setup -q -n php-%{upver}%{?rcver} %endif -rm -r ext/recode - %patch1 -p1 -b .mpmcheck %patch5 -p1 -b .includedir %patch6 -p1 -b .embed @@ -923,7 +932,6 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in %patch91 -p1 -b .remi-oci8 # upstream patches -%patch100 -p1 -b .up # security patches @@ -1112,11 +1120,7 @@ ln -sf ../configure --disable-rpath \ --without-pear \ --with-exec-dir=%{_bindir} \ - --with-freetype \ - --with-png \ - --with-xpm \ --without-gdbm \ - --with-jpeg \ --with-openssl \ --with-system-ciphers \ %if %{with_libpcre} @@ -1162,6 +1166,10 @@ build --libdir=%{_libdir}/php \ --with-external-gd \ %else --enable-gd=shared \ + --with-webp \ + --with-jpeg \ + --with-xpm \ + --with-freetype \ %endif --with-gmp=shared \ --enable-calendar=shared \ @@ -1771,6 +1779,13 @@ fi %changelog +* Tue Jul 23 2019 Remi Collet - 7.4.0~beta1-14 +- update to 7.4.0beta1 +- main package now recommends commonly used extensions and SAPI + (json, mbstring, opcache, pdo, xml) +- fix gd build options and dependencies +- refresh provided configuration from upstream production values + * Fri Jul 12 2019 Remi Collet - 7.4.0~alpha3-13 - drop recode extension, moved to php-pecl-recode - add upstream patch for argon2 password -- cgit
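Review bot: `--with-png` is removed from the common configure call (hunk -1112) and is not re-added beside `--with-webp`, `--with-jpeg`, `--with-xpm` and `--with-freetype` in the bundled-gd branch (hunk -1162), while `BuildRequires: pkgconfig(libpng)` and the new `pkgconfig(zlib)` remain in hunk -711. Presumably PNG and zlib support are unconditional for the bundled gd in this PHP version and have no switch, but the spec does not say so. A comment above those BuildRequires, such as `# libpng and zlib are always used by the bundled gd, there is no configure switch`, would stop a later maintainer from reading the missing flag as an oversight. The configure blocks start and end outside these hunks, so this rests on the visible lines only.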