yohgaki

From 5bf51e7bdcfaf2d6e8af5132bb7884bc307f440b Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 22 May 2018 17:03:48 +0900
Subject: [PATCH] Rework scram_channel_binding to protect from downgrade
 attacks

When a client attempts to connect to a PostgreSQL cluster, it may be
possible that it requested channel binding with SCRAM authentication,
but that the server tricks the clister and forcibly downgrades the
authentication request.  For example, a v10 cluster supports SCRAM but

yohgaki

FROM alpine 
MAINTAINER Yasuo Ohgaki version: 0.1

RUN \
 apk update; \
 apk add gcc g++ make curl openssh-client rsync perl-net-dns

RUN \
 mkdir /package; \
 cd /package/; \

yohgaki

Index: en/reference/hash/functions/hash-hkdf.xml
===================================================================
--- en/reference/hash/functions/hash-hkdf.xml	(リビジョン 342317)
+++ en/reference/hash/functions/hash-hkdf.xml	(作業コピー)
@@ -3,7 +3,7 @@
 <refentry xml:id="function.hash-hkdf" xmlns="http://docbook.org/ns/docbook"  xmlns:xlink="http://www.w3.org/1999/xlink">
  <refnamediv>
   <refname>hash_hkdf</refname>
-  <refpurpose>Generate a HKDF key derivation of a supplied key input</refpurpose>
+  <refpurpose>Derive secure new key from existing key by using HKDF</refpurpose>

yohgaki

<?php
// This code is to explain why current API is not good for user defined serializer.
// https://wiki.php.net/rfc/user_defined_session_serializer
ob_start();

ini_set('session.serialize_handler', 'php_serialize');
ini_set('session.save_handler', 'files');
ini_set('session.save_path', '/tmp');
ini_set('session.use_strict_mode', 0);

yohgaki

diff --git a/ext/session/session.c b/ext/session/session.c
index b2d0236..4b30b96 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -890,19 +890,31 @@ PS_SERIALIZER_ENCODE_FUNC(php_binary) /* {{{ */
 	smart_str buf = {0};
 	php_serialize_data_t var_hash;
 	PS_ENCODE_VARS;
+	HashTable *_ht;
+	int key_type;

yohgaki

diff --git a/ext/standard/head.c b/ext/standard/head.c
index eac9159..4842cb7d 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -181,6 +181,74 @@ PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires,
 	return result;
 }
 
+enum cookie_set_opts {
+	COOKIE_SET_EXPIRES = 0,

yohgaki

<?php
ob_start();

ini_set('session.use_cookies', 1);
ini_set('session.save_handler', 'files');

session_name('BUG');

session_start();

yohgaki

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index d6d7cfc..b35a409 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3856,24 +3856,112 @@ PHP_FUNCTION(mb_convert_kana)
 }
 /* }}} */
 
-#define PHP_MBSTR_STACK_BLOCK_SIZE 32
+

yohgaki

diff --git a/ext/standard/uniqid.c b/ext/standard/uniqid.c
index f429e6d..975e65b 100644
--- a/ext/standard/uniqid.c
+++ b/ext/standard/uniqid.c
@@ -36,8 +36,11 @@
 #endif
 
 #include "php_lcg.h"
+#include "php_random.h"
 #include "uniqid.h"

yohgaki

diff --git a/UPGRADING b/UPGRADING
index 5400a2e..56221f4 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -71,6 +71,25 @@ PHP 7.1 UPGRADE NOTES
 - OpenSSL:
   . Dropped sslv2 stream.
 
+- Session:
+  . Session ID is generated from CSPNG directly. As a result, Session ID length