Conditions | 21 |
Paths | 10 |
Total Lines | 96 |
Code Lines | 44 |
Lines | 0 |
Ratio | 0 % |
Changes | 0 |
Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.
For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.
Commonly applied refactorings include:
If many parameters/temporary variables are present:
1 | <?php |
||
202 | public static function isOpensslParseSafe() |
||
203 | { |
||
204 | if (null !== self::$useOpensslParse) { |
||
205 | return self::$useOpensslParse; |
||
206 | } |
||
207 | |||
208 | if (PHP_VERSION_ID >= 50600) { |
||
209 | return self::$useOpensslParse = true; |
||
210 | } |
||
211 | |||
212 | // Vulnerable: |
||
213 | // PHP 5.3.0 - PHP 5.3.27 |
||
214 | // PHP 5.4.0 - PHP 5.4.22 |
||
215 | // PHP 5.5.0 - PHP 5.5.6 |
||
216 | if ( |
||
217 | (PHP_VERSION_ID < 50400 && PHP_VERSION_ID >= 50328) |
||
218 | || (PHP_VERSION_ID < 50500 && PHP_VERSION_ID >= 50423) |
||
219 | || (PHP_VERSION_ID < 50600 && PHP_VERSION_ID >= 50507) |
||
220 | ) { |
||
221 | // This version of PHP has the fix for CVE-2013-6420 applied. |
||
222 | return self::$useOpensslParse = true; |
||
223 | } |
||
224 | |||
225 | if (defined('PHP_WINDOWS_VERSION_BUILD')) { |
||
226 | // Windows is probably insecure in this case. |
||
227 | return self::$useOpensslParse = false; |
||
228 | } |
||
229 | |||
230 | $compareDistroVersionPrefix = function ($prefix, $fixedVersion) { |
||
231 | $regex = '{^'.preg_quote($prefix).'([0-9]+)$}'; |
||
232 | |||
233 | if (preg_match($regex, PHP_VERSION, $m)) { |
||
234 | return ((int) $m[1]) >= $fixedVersion; |
||
235 | } |
||
236 | |||
237 | return false; |
||
238 | }; |
||
239 | |||
240 | // Hard coded list of PHP distributions with the fix backported. |
||
241 | if ( |
||
242 | $compareDistroVersionPrefix('5.3.3-7+squeeze', 18) // Debian 6 (Squeeze) |
||
243 | || $compareDistroVersionPrefix('5.4.4-14+deb7u', 7) // Debian 7 (Wheezy) |
||
244 | || $compareDistroVersionPrefix('5.3.10-1ubuntu3.', 9) // Ubuntu 12.04 (Precise) |
||
245 | ) { |
||
246 | return self::$useOpensslParse = true; |
||
247 | } |
||
248 | |||
249 | // Symfony Process component is missing so we assume it is unsafe at this point |
||
250 | if (!class_exists('Symfony\Component\Process\PhpProcess')) { |
||
251 | return self::$useOpensslParse = false; |
||
252 | } |
||
253 | |||
254 | // This is where things get crazy, because distros backport security |
||
255 | // fixes the chances are on NIX systems the fix has been applied but |
||
256 | // it's not possible to verify that from the PHP version. |
||
257 | // |
||
258 | // To verify exec a new PHP process and run the issue testcase with |
||
259 | // known safe input that replicates the bug. |
||
260 | |||
261 | // Based on testcase in https://github.com/php/php-src/commit/c1224573c773b6845e83505f717fbf820fc18415 |
||
262 | // changes in https://github.com/php/php-src/commit/76a7fd893b7d6101300cc656058704a73254d593 |
||
263 | $cert = 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVwRENDQTR5Z0F3SUJBZ0lKQUp6dThyNnU2ZUJjTUEwR0NTcUdTSWIzRFFFQkJRVUFNSUhETVFzd0NRWUQKVlFRR0V3SkVSVEVjTUJvR0ExVUVDQXdUVG05eVpISm9aV2x1TFZkbGMzUm1ZV3hsYmpFUU1BNEdBMVVFQnd3SApTOE9Ed3Jac2JqRVVNQklHQTFVRUNnd0xVMlZyZEdsdmJrVnBibk14SHpBZEJnTlZCQXNNRmsxaGJHbGphVzkxCmN5QkRaWEowSUZObFkzUnBiMjR4SVRBZkJnTlZCQU1NR0cxaGJHbGphVzkxY3k1elpXdDBhVzl1WldsdWN5NWsKWlRFcU1DZ0dDU3FHU0liM0RRRUpBUlliYzNSbFptRnVMbVZ6YzJWeVFITmxhM1JwYjI1bGFXNXpMbVJsTUhVWQpaREU1TnpBd01UQXhNREF3TURBd1dnQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBCkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUEKQUFBQUFBQVhEVEUwTVRFeU9ERXhNemt6TlZvd2djTXhDekFKQmdOVkJBWVRBa1JGTVJ3d0dnWURWUVFJREJOTwpiM0prY21obGFXNHRWMlZ6ZEdaaGJHVnVNUkF3RGdZRFZRUUhEQWRMdzRQQ3RteHVNUlF3RWdZRFZRUUtEQXRUClpXdDBhVzl1UldsdWN6RWZNQjBHQTFVRUN3d1dUV0ZzYVdOcGIzVnpJRU5sY25RZ1UyVmpkR2x2YmpFaE1COEcKQTFVRUF3d1liV0ZzYVdOcGIzVnpMbk5sYTNScGIyNWxhVzV6TG1SbE1Tb3dLQVlKS29aSWh2Y05BUWtCRmh0egpkR1ZtWVc0dVpYTnpaWEpBYzJWcmRHbHZibVZwYm5NdVpHVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRRERBZjNobDdKWTBYY0ZuaXlFSnBTU0RxbjBPcUJyNlFQNjV1c0pQUnQvOFBhRG9xQnUKd0VZVC9OYSs2ZnNnUGpDMHVLOURaZ1dnMnRIV1dvYW5TYmxBTW96NVBINlorUzRTSFJaN2UyZERJalBqZGhqaAowbUxnMlVNTzV5cDBWNzk3R2dzOWxOdDZKUmZIODFNTjJvYlhXczROdHp0TE11RDZlZ3FwcjhkRGJyMzRhT3M4CnBrZHVpNVVhd1Raa3N5NXBMUEhxNWNNaEZHbTA2djY1Q0xvMFYyUGQ5K0tBb2tQclBjTjVLTEtlYno3bUxwazYKU01lRVhPS1A0aWRFcXh5UTdPN2ZCdUhNZWRzUWh1K3ByWTNzaTNCVXlLZlF0UDVDWm5YMmJwMHdLSHhYMTJEWAoxbmZGSXQ5RGJHdkhUY3lPdU4rblpMUEJtM3ZXeG50eUlJdlZBZ01CQUFHalFqQkFNQWtHQTFVZEV3UUNNQUF3CkVRWUpZSVpJQVliNFFnRUJCQVFEQWdlQU1Bc0dBMVVkRHdRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFqQU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFHMGZaWVlDVGJkajFYWWMrMVNub2FQUit2SThDOENhRAo4KzBVWWhkbnlVNGdnYTBCQWNEclk5ZTk0ZUVBdTZacXljRjZGakxxWFhkQWJvcHBXb2NyNlQ2R0QxeDMzQ2tsClZBcnpHL0t4UW9oR0QySmVxa2hJTWxEb214SE83a2EzOStPYThpMnZXTFZ5alU4QVp2V01BcnVIYTRFRU55RzcKbFcyQWFnYUZLRkNyOVRuWFRmcmR4R1ZFYnY3S1ZRNmJkaGc1cDVTanBXSDErTXEwM3VSM1pYUEJZZHlWODMxOQpvMGxWajFLRkkyRENML2xpV2lzSlJvb2YrMWNSMzVDdGQwd1lCY3BCNlRac2xNY09QbDc2ZHdLd0pnZUpvMlFnClpzZm1jMnZDMS9xT2xOdU5xLzBUenprVkd2OEVUVDNDZ2FVK1VYZTRYT1Z2a2NjZWJKbjJkZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K'; |
||
264 | $script = <<<'EOT' |
||
265 | |||
266 | error_reporting(-1); |
||
267 | $info = openssl_x509_parse(base64_decode('%s')); |
||
268 | var_dump(PHP_VERSION, $info['issuer']['emailAddress'], $info['validFrom_time_t']); |
||
269 | |||
270 | EOT; |
||
271 | $script = '<'."?php\n".sprintf($script, $cert); |
||
272 | |||
273 | try { |
||
274 | $process = new PhpProcess($script); |
||
275 | $process->mustRun(); |
||
276 | } catch (\Exception $e) { |
||
277 | // In the case of any exceptions just accept it is not possible to |
||
278 | // determine the safety of openssl_x509_parse and bail out. |
||
279 | return self::$useOpensslParse = false; |
||
280 | } |
||
281 | |||
282 | $output = preg_split('{\r?\n}', trim($process->getOutput())); |
||
283 | $errorOutput = trim($process->getErrorOutput()); |
||
284 | |||
285 | if ( |
||
286 | count($output) === 3 |
||
287 | && $output[0] === sprintf('string(%d) "%s"', strlen(PHP_VERSION), PHP_VERSION) |
||
288 | && $output[1] === 'string(27) "[email protected]"' |
||
289 | && $output[2] === 'int(-1)' |
||
290 | && preg_match('{openssl_x509_parse\(\): illegal (?:ASN1 data type for|length in) timestamp in - on line \d+}', $errorOutput) |
||
291 | ) { |
||
292 | // This PHP has the fix backported probably by a distro security team. |
||
293 | return self::$useOpensslParse = true; |
||
294 | } |
||
295 | |||
296 | return self::$useOpensslParse = false; |
||
297 | } |
||
298 | |||
309 |
If you suppress an error, we recommend checking for the error condition explicitly: