koto / phar-util
PharUtil - Security-oriented utilities for Phar archives
Home Page: http://blog.kotowicz.net/2010/08/hardening-php-how-to-securely-include.html
License: MIT License
Should look into stripping comments from files before they're stored in the phar. While I'm not sure how exactly this could be implemented, I do know that Silex, the Symfony2 microframework https://github.com/fabpot/Silex, does this itself.
If used, it should trim down the size of the phar file substantially if the files have a healthy amount of inline documentation; after all, those lines aren't needed since it's being packaged into a phar.
Anyway, this seems to be implemented using a method defined in the Symfony kernel; look at this function: https://github.com/fabpot/Silex/blob/master/src/Silex/Compiler.php#L70
Which, in turn, apparently uses a giant loop over token_get_all()
(documentation: http://us3.php.net/manual/en/function.token-get-all.php)
Consider this a feature request, I guess.
If I get the chance in a few weeks/months, I'll see if I can work out the implementation myself, but right now I'm pressed for time as I've got several papers to do for English, a speech to hammer out, and exams on the horizon.
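The following is an added example, not code from phar-util or from Silex: a comment stripper built on token_get_all(), which is the approach the linked Silex compiler takes. The function name and the sample source at the bottom are made up for the demonstration.

```php
<?php
// Added example (not phar-util's or Silex's code): remove comments and
// collapse whitespace runs in PHP source using the tokenizer extension.
// Strings, heredocs and every other token are copied through unchanged.

/**
 * Return $source with T_COMMENT / T_DOC_COMMENT tokens dropped and each
 * whitespace run reduced to one newline (if it contained one) or one space.
 */
function stripComments($source)
{
    $output = '';
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {
            // single-character tokens such as ';', '{', '('
            $output .= $token;
            continue;
        }
        list($id, $text) = $token;
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            // '//' comments carry their trailing newline inside the token;
            // dropping it is safe because the next token is separated by
            // whitespace or by a single-character token anyway
            continue;
        }
        if ($id === T_WHITESPACE) {
            // keep a newline when the run had one so line-oriented
            // constructs (heredoc terminators, '?>' on its own line) survive
            $output .= strpos($text, "\n") !== false ? "\n" : ' ';
            continue;
        }
        $output .= $text;
    }
    return $output;
}

// Constructed sample input for the demonstration.
$sample = "<?php\n/** doc block */\nfunction f(\$a) { // inline\n    return \$a + 1; /* block */\n}\n";
echo stripComments($sample);
```

Two practical caveats: the stripped file no longer has the original line numbers, so stack traces and __LINE__ inside the archive will not match the source tree, and the output should still be syntax-checked (php -l) before it is added to the phar, since the signature will cover the stripped bytes, not the originals.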
Hi,
First, thanks for the great tool!
Wow!
I'm definitely going to use it.
I was wondering if you also have an idea or another solution for how to encrypt the PHAR file so it could not be read as PHP code. So even if I extract the PHAR file, I will have nothing.
I know about Zend Guard and ionCube, which can encrypt your code, but I'm not sure if they support PHAR in such a way that files inside the PHAR can be encrypted.
My goal is to distribute my PHP code, which should run on remote clients, and make it as secure as possible. The solution you developed here is super cool and saves me almost 90% of the work, but I'm still missing the option to decode/decrypt the source files.
I have checked ionCube and they seem to support PHAR, so I might be able to do so.
But I'm also going to check bcompiler.
I was wondering if you have any idea how to create a "LOCKED" phar archive.
Thanks
Sassy
Several test cases fail with errors:
```text
phpunit RemotePharVerifierTest.php
PHPUnit 3.7.13 by Sebastian Bergmann.

...EE.......................EEEEE

Time: 0 seconds, Memory: 6.00Mb

There were 7 errors:

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:27

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:249
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:17

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:27

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:27

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:17

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:27

/usr/share/php/PharUtil/RemotePharVerifier.php:182
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:247
/usr/share/php/tests/PharUtil/test/PharUtil/RemotePharVerifierTest.php:27

FAILURES!
Tests: 33, Assertions: 62, Errors: 7.
```
Hi,
I tried to create a phar archive without signing it (using the -n or --ns option).
```text
Building Phar archive from home...
PHP Warning: file_get_contents(./cert/priv.pem): failed to open stream: No such file or directory in /usr/bin/phar-build on line 142
PHP Stack trace:
PHP 1. {main}() /usr/bin/phar-build:0
PHP 2. file_get_contents() /usr/bin/phar-build:142
Error: Could not load private key from './cert/priv.pem'!
```
Thanks for this great tool :)
https://github.com/damianb/phar-util/blob/master/PharUtil/RemotePharVerifier.php#L154
No $overwrite parameter is present, and no param docs are present for param $local_path.
RemotePharVerifier.php is missing a ) on line 2 in version 0.6.1.
Upon executing phar-build:
```text
obsidian@lithion-mint ~/code/crcverify $ phar-build --phar verifier.phar
PHP Fatal error: Call to undefined method SplFileInfo::isDot() in /usr/bin/phar-build on line 161
PHP Stack trace:
PHP 1. {main}() /usr/bin/phar-build:0
phar-build 0.5.3
Building Phar archive from ./src...
adding ./src/bootstrap.php
adding ./src/vendor
PHP Fatal error: Call to undefined method SplFileInfo::isDot() in /usr/bin/phar-build on line 161
PHP Stack trace:
PHP 1. {main}() /usr/bin/phar-build:0
```
uname:
```text
obsidian@lithion-mint ~/code/crcverify $ uname -a
Linux lithion-mint 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux
```
PHP info:
```text
obsidian@lithion-mint ~/code/crcverify $ php -v
PHP 5.3.2-1ubuntu4.5 with Suhosin-Patch (cli) (built: Sep 17 2010 13:49:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Xdebug v2.0.5, Copyright (c) 2002-2008, by Derick Rethans
```
If you need additional info, just ask.
Hi!
I have a great need to create self-executable Phars...
I need the ability to add the following to the very top of the generated phars:
```text
#!/bin/env php
<?php
```
Can you please add this support via a command line argument to phar-util?
Thanks!
When trying to add the PEAR channel from pear.kotowicz.net, the domain doesn't exist anymore.
Hi:
I came across another issue using this tool, in the same block of code:
```php
// buildFromIterator unfortunately sucks and skips nested directories (?)
foreach ($iterator as $file) {
    echo "adding " . $file . PHP_EOL;
    if ($file->isFile()) {
        $phar->addFile($file, str_replace($options['src'], '', $file));
    }
    if ($file->isDir() && !$iterator->isDot()) {
        // this also doesn't work :(
        $phar->addEmptyDir(str_replace($options['src'], '', $file));
    }
}
```
The thing is that if you use this code against a directory structure like a/b/a/c.php, the str_replace will replace both "a"s, giving back something like /b//c.php, and the build will fail...
So my proposal is to use the ltrim function, which ensures the strip is done just at the beginning of the string.
Another suggestion about this piece of code is to make the !$iterator->isDot() check wrap the entire block, so we don't get "adding a/b/c/." and "adding a/b/c/.." and we skip the whole process for those entries.
So the proposed piece of code:
```php
foreach ($iterator as $file) {
    if (!$iterator->isDot()) {
        echo "adding " . $file . PHP_EOL;
        if ($file->isFile()) {
            //$phar->addFile($file, str_replace($options['src'], '', $file));
            $phar->addFile($file, ltrim($file, $options['src']));
        }
        if ($file->isDir()) {
            // this also doesn't work :(
            // $phar->addEmptyDir(str_replace($options['src'], '', $file));
            $phar->addEmptyDir(ltrim($file, $options['src']));
        }
    }
}
```
Again, thanks for this job :D
https://github.com/koto/phar-util/blob/master/PharUtil/RemotePharVerifier.php#L2
Missing a closing parenthesis )
Thank you !
http://github.com/koto/phar-util/blob/master/phar-build.php#L193
Is it possible to have an exit call placed here so that another script (such as a bash script) can determine whether the build failed? It would be extremely useful for automated build scripts.
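An added example, not phar-util's phar-build, that covers the three points raised in the build-related issues above: the shebang request, the directory iteration and prefix-stripping thread, and the request for a non-zero exit status. All paths (./src, ./dist.phar, ./cert/priv.pem) and the bootstrap.php entry point are hypothetical; phar.readonly=0 and ext/openssl are assumed.

```php
<?php
// Added example (not phar-util's code): minimal signed phar build.
// Run as: php -d phar.readonly=0 build.php

function buildPhar($srcDir, $outFile, $privKeyFile)
{
    $real = realpath($srcDir);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException("source directory not found: $srcDir");
    }
    // prefix to remove from every path; iterator paths are "$real/..."
    $prefix = rtrim($real, '/') . '/';

    $key = file_get_contents($privKeyFile);
    if ($key === false || openssl_pkey_get_private($key) === false) {
        throw new RuntimeException("could not load private key from $privKeyFile");
    }

    if (file_exists($outFile)) {
        unlink($outFile);
    }
    $phar = new Phar($outFile);
    $phar->startBuffering();

    // SKIP_DOTS removes the '.' and '..' entries up front, so no isDot()
    // call is needed (SplFileInfo has none; isDot() is a DirectoryIterator
    // method, which is the fatal error reported in this tracker).
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $file) {
        // Strip the prefix only at the start of the path: str_replace() also
        // hits a later component with the same name (a/b/a/c.php -> /b//c.php)
        // and ltrim() treats its second argument as a character mask, not a
        // prefix. Anything not under $prefix is refused rather than guessed.
        if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException("refusing path outside source dir: $path");
        }
        $local = substr($path, strlen($prefix));
        if ($file->isDir()) {
            $phar->addEmptyDir($local);
        } elseif ($file->isFile()) {
            echo "adding $local\n";
            $phar->addFile($path, $local);
        }
    }

    // A shebang line in front of the default stub makes the archive directly
    // executable (chmod +x dist.phar && ./dist.phar). bootstrap.php is the
    // assumed entry point inside the archive.
    $phar->setStub("#!/usr/bin/env php\n" . Phar::createDefaultStub('bootstrap.php'));
    $phar->setSignatureAlgorithm(Phar::OPENSSL, $key);
    $phar->stopBuffering();
}

try {
    buildPhar('./src', './dist.phar', './cert/priv.pem');
    echo "built ./dist.phar\n";
} catch (Exception $e) {
    // Non-zero exit status lets a wrapper script (make, bash) detect failure.
    fwrite(STDERR, 'Error: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Remember that an OpenSSL-signed archive only loads when the matching public key sits beside it as dist.phar.pubkey; the build script does not write that file, so the deployment step has to ship it from a trusted location rather than from the same download as the archive.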
In here, why don't we just verify the public key before trying to use it?
```php
// When public key is invalid, openssl throws a
// 'supplied key param cannot be coerced into a public key' warning
// and phar ignores sig verification.
// We need to protect from that by catching the warning
```
I think openssl_pkey_get_public($certificate) would do the job. So this is an input validation task, which should be in the setter and not in the processing code as some kind of workaround...
Btw, why don't you send an issue about this feature? Maybe the phar maintainers will add it to the next release. (It is weird to talk about libs which haven't had maintenance for such a long time.)
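An added example of the setter-side validation suggested above, written here as illustration and not taken from RemotePharVerifier: the key is rejected by openssl_pkey_get_public() before any archive is touched, and after loading, the archive's signature type is checked so that a phar carrying only a plain hash signature is not mistaken for a key-verified one. The class name, the .pubkey placement beside the archive and the file paths in the usage lines are assumptions.

```php
<?php
// Added example (not phar-util's code): validate the public key up front and
// confirm the loaded archive was actually verified with it.

class PubkeyVerifier
{
    private $pubkeyPem = null;

    /** Reject anything OpenSSL cannot parse as a public key. */
    public function setPublicKey($pem)
    {
        if (!is_string($pem) || openssl_pkey_get_public($pem) === false) {
            throw new InvalidArgumentException(
                'invalid public key: ' . openssl_error_string()
            );
        }
        $this->pubkeyPem = $pem;
    }

    /**
     * Load $pharFile against our key and return its hex signature.
     * The phar extension looks for <archive>.pubkey next to the archive;
     * we always overwrite that file with our own key so that a .pubkey
     * shipped alongside a downloaded archive is never the one trusted.
     */
    public function verify($pharFile)
    {
        if ($this->pubkeyPem === null) {
            throw new LogicException('no public key set');
        }
        if (file_put_contents($pharFile . '.pubkey', $this->pubkeyPem) === false) {
            throw new RuntimeException("cannot write {$pharFile}.pubkey");
        }

        try {
            $phar = new Phar($pharFile);
        } catch (UnexpectedValueException $e) {
            // thrown for a missing/unreadable pubkey or a signature mismatch
            throw new RuntimeException('phar rejected: ' . $e->getMessage());
        }

        // An archive signed only with MD5/SHA-1/SHA-256 loads without any key,
        // so the hash_type check is what ties the archive to our key.
        $sig = $phar->getSignature();
        if ($sig === false || $sig['hash_type'] !== 'OpenSSL') {
            throw new RuntimeException('phar is not OpenSSL-signed');
        }
        return $sig['hash'];
    }
}

// Usage with hypothetical paths.
$v = new PubkeyVerifier();
$v->setPublicKey(file_get_contents('./cert/pub.pem'));
echo 'verified, signature ' . $v->verify('./dist.phar') . "\n";
```

With the key validated in the setter, the warning mentioned in the comment can no longer occur in the processing path, so no error-handler workaround is needed there.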