zend_accelerator_module.c

Dmitry Stogov Wed, 31 Jul 2013 03:26:47 -0700

Commit:    d69b3d8f5955a51ec688a52ceb925705d393821d
Author:    Dmitry Stogov <dmi...@zend.com>         Wed, 31 Jul 2013 14:20:56 
+0400
Parents:   d9e2dc80844e0f371a3a7f5b40933a5938a240f4
Branches:  PHP-5.5 master


Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=d69b3d8f5955a51ec688a52ceb925705d393821d

Log:
Added opcache.restrict_api configuration directive that may limit usage of 
OPcahce API functions only to patricular script(s)

Changed paths:
  M  NEWS
  M  ext/opcache/README
  M  ext/opcache/ZendAccelerator.h
  M  ext/opcache/zend_accelerator_module.c


Diff:
diff --git a/NEWS b/NEWS
index 60b2760..19e33d8 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                           
             NEWS
     limited case). (Arpad)
 
 - OPcahce:
+  . Added opcache.restrict_api configuration directive that may limit
+    usage of OPcahce API functions only to patricular script(s). (Dmitry)
   . Added support for glob symbols in blacklist entries (?, *, **).
     (Terry Elison, Dmitry)
   . Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on
diff --git a/ext/opcache/README b/ext/opcache/README
index 3110012..6c3cc74 100644
--- a/ext/opcache/README
+++ b/ext/opcache/README
@@ -199,6 +199,10 @@ opcache.protect_memory (default "0")
        Protect the shared memory from unexpected writing during script 
execution.
        Useful for internal debugging only.
 
+opcache.restrict_api (default "")
+       Allows calling OPcache API functions only from PHP scripts which path is
+       started from specified string. The default "" means no restriction.
+
 opcache.mmap_base
        Mapping base of shared memory segments (for Windows only). All the PHP
        processes have to map shared memory into the same address space. This
diff --git a/ext/opcache/ZendAccelerator.h b/ext/opcache/ZendAccelerator.h
index 57e2e7a..361b60b 100644
--- a/ext/opcache/ZendAccelerator.h
+++ b/ext/opcache/ZendAccelerator.h
@@ -232,6 +232,7 @@ typedef struct _zend_accel_directives {
 #if ZEND_EXTENSION_API_NO > PHP_5_3_X_API_NO
        long           interned_strings_buffer;
 #endif
+       char          *restrict_api;
 } zend_accel_directives;
 
 typedef struct _zend_accel_globals {
diff --git a/ext/opcache/zend_accelerator_module.c 
b/ext/opcache/zend_accelerator_module.c
index 2287d13..f9ddaa9 100644
--- a/ext/opcache/zend_accelerator_module.c
+++ b/ext/opcache/zend_accelerator_module.c
@@ -71,6 +71,21 @@ static zend_function_entry accel_functions[] = {
        { NULL, NULL, NULL, 0, 0 }
 };
 
+static int validate_api_restriction(TSRMLS_D)
+{
+       if (ZCG(accel_directives).restrict_api && 
*ZCG(accel_directives).restrict_api) {
+               int len = strlen(ZCG(accel_directives).restrict_api);
+
+               if (!SG(request_info).path_translated ||
+                   strlen(SG(request_info).path_translated) < len ||
+                   memcmp(SG(request_info).path_translated, 
ZCG(accel_directives).restrict_api, len) != 0) {
+                       zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is 
restricted by \"restrict_api\" configuration directive");
+                       return 0;
+               }
+       }       
+       return 1;
+}
+
 static ZEND_INI_MH(OnUpdateMemoryConsumption)
 {
        long *p;
@@ -251,6 +266,7 @@ ZEND_INI_BEGIN()
        STD_PHP_INI_BOOLEAN("opcache.enable_file_override"      , "0"   , 
PHP_INI_SYSTEM, OnUpdateBool,              
accel_directives.file_override_enabled,     zend_accel_globals, accel_globals)
        STD_PHP_INI_BOOLEAN("opcache.enable_cli"             , "0"   , 
PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.enable_cli,         
       zend_accel_globals, accel_globals)
        STD_PHP_INI_ENTRY("opcache.error_log"                , ""    , 
PHP_INI_SYSTEM, OnUpdateString,           accel_directives.error_log,           
      zend_accel_globals, accel_globals)
+       STD_PHP_INI_ENTRY("opcache.restrict_api"             , ""    , 
PHP_INI_SYSTEM, OnUpdateString,           accel_directives.restrict_api,        
      zend_accel_globals, accel_globals)
 
 #ifdef ZEND_WIN32
        STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM,    
OnUpdateString,                              accel_directives.mmap_base,        
         zend_accel_globals, accel_globals)
@@ -517,6 +533,10 @@ static ZEND_FUNCTION(opcache_get_status)
                return;
        }
        
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (!accel_startup_ok) {
                RETURN_FALSE;
        }
@@ -587,6 +607,10 @@ static ZEND_FUNCTION(opcache_get_configuration)
        }
 #endif
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        array_init(return_value);
 
        /* directives */
@@ -651,6 +675,10 @@ static ZEND_FUNCTION(opcache_reset)
        }
 #endif
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
                RETURN_FALSE;
        }
@@ -671,6 +699,10 @@ static ZEND_FUNCTION(opcache_invalidate)
                return;
        }
 
+       if (!validate_api_restriction(TSRMLS_C)) {
+               RETURN_FALSE;
+       }
+
        if (zend_accel_invalidate(script_name, script_name_len, force 
TSRMLS_CC) == SUCCESS) {
                RETURN_TRUE;
        } else {


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] com php-src: Added opcache.restrict_api configuration directive that may limit usage of OPcahce API functions only to patricular script(s): NEWS ext/opcache/README ext/opcache/ZendAccelerator.h ext/opcache/zend_accelerator_module.c

Reply via email to