Skip to content

Include password in persistent hash key #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Mar 10, 2022
Merged

Include password in persistent hash key #19

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
5a49472
Include password in persistent hash key
NattyNarwhal Dec 6, 2021
ae5d274
explain the magic number for the hash key
NattyNarwhal Dec 6, 2021
085a66c
Use murmur for hashing
NattyNarwhal Dec 7, 2021
2c73ec2
correct comment mistake
NattyNarwhal Dec 7, 2021
563cb03
Use sizeof string constant for constant parts
NattyNarwhal Dec 7, 2021
4ba5961
Add test case for improper persistent PW handling
NattyNarwhal Jan 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions ibm_db2.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,8 +351,21 @@ static void _php_db2_set_symbol(char * varname, zval *var)
}
/* }}} */

/* {{{ Murmur hash implementation (for persistent key hash)
*/

static unsigned int _php_db2_MurmurOAAT32 (const char * key)
{
unsigned int h = 3323198485;
for (;*key;++key) {
h ^= *key;
h *= 0x5bd1e995;
h ^= h >> 15;
}
return h;
}

/* }}} */

#ifdef PASE /* IBM i meta change ""->NULL */
static void _php_db2_meta_helper(SQLCHAR **qualifier, size_t *qualifier_len,
Expand Down Expand Up @@ -2313,6 +2326,7 @@ static int _php_db2_connect_helper( INTERNAL_FUNCTION_PARAMETERS, conn_handle **
int reused = 0;
int hKeyLen = 0;
char *hKey = NULL;
unsigned int password_hashed;
char server[2048];
int attr = SQL_TRUE;
size_t database_len;
Expand Down Expand Up @@ -2354,10 +2368,13 @@ static int _php_db2_connect_helper( INTERNAL_FUNCTION_PARAMETERS, conn_handle **
/* Check if we already have a connection for this userID & database combination */
if (isPersistent) {
zend_resource *entry;
hKeyLen = strlen(database) + strlen(uid) + 8;
hKeyLen = strlen(database) + strlen(uid) +
sizeof("__db2_..FFFFFFFF"); /* constant part; includes null */
hKey = (char *) ecalloc(1, hKeyLen);

sprintf(hKey, "__db2_%s.%s", uid, database);
/* XXX: How do we include the options (array) in here too? */
password_hashed = _php_db2_MurmurOAAT32(password);
snprintf(hKey, hKeyLen, "__db2_%s.%s.%08x", uid, database, password_hashed);
temp = zend_hash_str_find_ptr(&EG(persistent_list), hKey, hKeyLen );
if ( temp && temp->type == le_pconn_struct) {
conn_res = *pconn_res = (conn_handle *)temp->ptr;
Expand Down
31 changes: 31 additions & 0 deletions tests/test_222_PersistentConnReuseWithBadPassword.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
--TEST--
IBM-DB2: db2_pconnect() - test persistent connection won't be reused with bad password
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php

require_once('connection.inc');

/*
* Use blatantly incorrect password, to make sure password is part of the
* internal persistent connection hash.
*/
$conn1 = db2_pconnect($database, $user, $password);
if ($conn1) {
$conn2 = db2_pconnect($database, $user, "wrongbad");
if ($conn2) {
echo "A bad password was accepted.\n";
db2_close($conn2);
} else {
echo "OK\n";
}
db2_close($conn1);
}
else {
echo "Connection failed.\n";
}

?>
--EXPECT--
OK