Merge branch 'PHP-8.4'

* PHP-8.4:
  NEWS
  NEWS
  Fix GH-18529: ldap no longer respects TLS_CACERT from ldaprc in ldap_start_tls() Regression introduced in fix for GH-17776
This commit is contained in:
Remi Collet 2025-05-15 09:22:52 +02:00
commit 2e70a8945a
No known key found for this signature in database
GPG key ID: DC9FF8D3EE5AF27F
3 changed files with 49 additions and 6 deletions


@ -3708,15 +3708,56 @@ PHP_FUNCTION(ldap_rename_ext)
/* }}} */ /* }}} */
#ifdef HAVE_LDAP_START_TLS_S #ifdef HAVE_LDAP_START_TLS_S
/*
Force new tls context creation with string options inherited from global
Workaround to https://bugs.openldap.org/show_bug.cgi?id=10337
*/
static int _php_ldap_tls_newctx(LDAP *ld)
{
int val = 0, i, opts[] = {
#if (LDAP_API_VERSION > 2000)
LDAP_OPT_X_TLS_CACERTDIR,
LDAP_OPT_X_TLS_CACERTFILE,
LDAP_OPT_X_TLS_CERTFILE,
LDAP_OPT_X_TLS_CIPHER_SUITE,
LDAP_OPT_X_TLS_KEYFILE,
LDAP_OPT_X_TLS_RANDOM_FILE,
#endif
#ifdef LDAP_OPT_X_TLS_CRLFILE
LDAP_OPT_X_TLS_CRLFILE,
#endif
#ifdef LDAP_OPT_X_TLS_DHFILE
LDAP_OPT_X_TLS_DHFILE,
#endif
#ifdef LDAP_OPT_X_TLS_ECNAME
LDAP_OPT_X_TLS_ECNAME,
#endif
0};
for (i=0 ; opts[i] ; i++) {
char *path = NULL;
ldap_get_option(ld, opts[i], &path);
if (path) { /* already set locally */
ldap_memfree(path);
} else {
ldap_get_option(NULL, opts[i], &path);
if (path) { /* set globally, inherit */
ldap_set_option(ld, opts[i], path);
ldap_memfree(path);
}
}
}
return ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
}
/* {{{ Start TLS */ /* {{{ Start TLS */
PHP_FUNCTION(ldap_start_tls) PHP_FUNCTION(ldap_start_tls)
{ {
zval *link; zval *link;
ldap_linkdata *ld; ldap_linkdata *ld;
int rc, protocol = LDAP_VERSION3; int rc, protocol = LDAP_VERSION3;
#ifdef LDAP_OPT_X_TLS_NEWCTX
int val = 0;
#endif
if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &link, ldap_link_ce) != SUCCESS) { if (zend_parse_parameters(ZEND_NUM_ARGS(), "O", &link, ldap_link_ce) != SUCCESS) {
RETURN_THROWS(); RETURN_THROWS();
@ -3727,7 +3768,7 @@ PHP_FUNCTION(ldap_start_tls)
if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) || if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
#ifdef LDAP_OPT_X_TLS_NEWCTX #ifdef LDAP_OPT_X_TLS_NEWCTX
(LDAPG(tls_newctx) && (rc = ldap_set_option(ld->link, LDAP_OPT_X_TLS_NEWCTX, &val)) != LDAP_OPT_SUCCESS) || (LDAPG(tls_newctx) && (rc = _php_ldap_tls_newctx(ld->link)) != LDAP_OPT_SUCCESS) ||
#endif #endif
((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS) ((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
) { ) {
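Review bot: In `_php_ldap_tls_newctx` the return value of `ldap_set_option(ld, opts[i], path)` is discarded, so if copying an inherited path (for example the CA certificate file) into the connection fails, the new TLS context is created without that setting while the function still reports whatever the final LDAP_OPT_X_TLS_NEWCTX call returns. Capturing the status — `int rc = ldap_set_option(ld, opts[i], path); ldap_memfree(path); if (rc != LDAP_OPT_SUCCESS) return rc;` — lets ldap_start_tls() report the failure through the `rc` it already checks against LDAP_OPT_SUCCESS. The two `ldap_get_option` calls are also unchecked; because `path` starts as NULL a lookup failure is silently treated as "not set", which is probably acceptable but deserves a one-line comment such as `/* lookup failure is treated as "option not set" */`. The body of `ldap_start_tls` in the second hunk continues outside the hunk.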


@ -5,6 +5,8 @@ Patrick Allaert <patrickallaert@php.net>
# Belgian PHP Testfest 2009 # Belgian PHP Testfest 2009
--EXTENSIONS-- --EXTENSIONS--
ldap ldap
--ENV--
LDAPNOINIT=1
--SKIPIF-- --SKIPIF--
<?php require_once __DIR__ .'/skipifbindfailure.inc'; ?> <?php require_once __DIR__ .'/skipifbindfailure.inc'; ?>
--FILE-- --FILE--


@ -2,8 +2,8 @@
ldap_connect() - Basic ldaps test ldap_connect() - Basic ldaps test
--EXTENSIONS-- --EXTENSIONS--
ldap ldap
--XFAIL-- --ENV--
Passes locally but fails on CI - need investigation (configuration ?) LDAPNOINIT=1
--SKIPIF-- --SKIPIF--
<?php require_once __DIR__ .'/skipifbindfailure.inc'; ?> <?php require_once __DIR__ .'/skipifbindfailure.inc'; ?>
--FILE-- --FILE--