diff --git a/configure.ac b/configure.ac index 07e64e74887c3..cea4508842aad 100644 --- a/configure.ac +++ b/configure.ac @@ -1182,6 +1182,38 @@ AS_VAR_IF([PHP_PEAR], [no],, [ [pear]) ]) +dnl PIE +dnl ---------------------------------------------------------------------------- + +PHP_HELP_SEPARATOR([PIE:]) +PHP_CONFIGURE_PART([Configuring PIE]) + +dnl If CLI is disabled disable PIE. +AS_VAR_IF([PHP_CLI], [no], [with_pie=no]) + +PHP_ARG_WITH([pie], + [whether to install PIE], + [AS_HELP_STRING([[--with-pie[=DIR]]], + [Install PIE in DIR [PREFIX/bin]])], + [no], + [yes]) + +AS_VAR_IF([PHP_PIE], [no],, [ + install_pie=install-pie + + AS_VAR_IF([PHP_PIE], [yes], + [AS_CASE([$PHP_LAYOUT], + [GNU], [PIE_INSTALLDIR=$bindir], + [PIE_INSTALLDIR=$bindir])], + [PIE_INSTALLDIR=$PHP_PIE]) + + PHP_SUBST([PIE_INSTALLDIR]) + PHP_ADD_BUILD_DIR([pie]) + PHP_ADD_MAKEFILE_FRAGMENT([$abs_srcdir/pie/Makefile.frag], + [$abs_srcdir/pie], + [pie]) +]) + dnl Configuring Zend and TSRM. dnl ---------------------------------------------------------------------------- @@ -1622,7 +1654,7 @@ else fi; all_targets="\$(OVERALL_TARGET) \$(PHP_MODULES) \$(PHP_ZEND_EX) \$(PHP_BINARIES) $pharcmd" -install_targets="$install_sapi $install_modules $install_binaries install-build install-headers install-programs $install_pear $pharcmd_install" +install_targets="$install_sapi $install_modules $install_binaries install-build install-headers install-programs $install_pear $install_pie $pharcmd_install" PHP_SUBST([all_targets]) PHP_SUBST([install_targets]) diff --git a/pie/Makefile.frag b/pie/Makefile.frag new file mode 100644 index 0000000000000..3c4a1739b3fb9 --- /dev/null +++ b/pie/Makefile.frag 
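Review bot: The AS_CASE on $PHP_LAYOUT inside the new PHP_PIE block assigns `PIE_INSTALLDIR=$bindir` in both arms, so the layout dispatch is dead code and reads as though a different non-GNU path was intended; either collapse it to the single assignment `PIE_INSTALLDIR=$bindir` or fill in the arm that was meant to differ. The help string also hides the operational cost of the option: enabling it makes `make install` fetch pie.phar from GitHub over the network, which a packager building offline or in a sandbox wants to know before passing the flag, e.g. `[Install PIE in DIR [PREFIX/bin]; downloads pie.phar from GitHub at install time]`. Both points concern the --with-pie block added in the first hunk; the second hunk only appends $install_pie to install_targets.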
@@ -0,0 +1,39 @@
+piedir=$(PIE_INSTALLDIR)
+
+PIE_PHP_FLAGS = -dmemory_limit=-1
+
+CURL = `which curl 2>/dev/null`
+WGET = `which wget 2>/dev/null`
+FETCH = `which fetch 2>/dev/null`
+FETCH_PHP = $(top_srcdir)/pear/fetch.php
+GH = `which gh 2>/dev/null`
+PIE_PHAR_URL = https://github.com/php/pie/releases/latest/download/pie.phar
+PIE_PHAR_TEMP_DL_LOCATION = $(top_srcdir)/pie/pie_temp.phar
+PIE_PHAR_DESTINATION = $(INSTALL_ROOT)$(piedir)/pie
+
+$(PIE_PHAR_DESTINATION):
+ @echo "Installing PIE: $(PIE_PHAR_DESTINATION)"
+# First, figure out a way to download the phar, with curl, wget, fetch, or a backup PHP script...
+ @if test ! -z "$(CURL)" && test -x "$(CURL)"; then \
+ "$(CURL)" --no-progress-meter --silent --location "${PIE_PHAR_URL}" --output $(PIE_PHAR_TEMP_DL_LOCATION); \
+ elif test ! -z "$(WGET)" && test -x "$(WGET)"; then \
+ "$(WGET)" "${PIE_PHAR_URL}" --quiet --no-directories --output-document=$(PIE_PHAR_TEMP_DL_LOCATION); \
+ elif test ! -z "$(FETCH)" && test -x "$(FETCH)"; then \
+ "$(FETCH)" -o $(PIE_PHAR_TEMP_DL_LOCATION) "${PIE_PHAR_URL}"; \
+ else \
+ $(top_builddir)/sapi/cli/php -n "${FETCH_PHP}" "${PIE_PHAR_URL}" $(PIE_PHAR_TEMP_DL_LOCATION) ; \
+ fi
+# Try to verify using `gh` CLI, or if not use `self-verify` (which isn't the best, since it could already have been tampered)
+ @if test ! -z "$(GH)" && test -x "$(GH)"; then \
+ "$(GH)" attestation verify --owner=php $(PIE_PHAR_TEMP_DL_LOCATION); \
+ else \
+ $(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_TEMP_DL_LOCATION) self-verify; \
+ fi
+# Once verified, move it to the real location
+ @mv $(PIE_PHAR_TEMP_DL_LOCATION) $(PIE_PHAR_DESTINATION)
+ @chmod +x $(PIE_PHAR_DESTINATION)
+
+.PHONY: install-pie
+install-pie: $(PIE_PHAR_DESTINATION)
+ @$(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_DESTINATION) self-update > /dev/null 2>&1
+ @$(top_builddir)/sapi/cli/php $(PIE_PHP_FLAGS) $(PIE_PHAR_DESTINATION) --version
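Review bot: The verification gate in the $(PIE_PHAR_DESTINATION) recipe is undone by the install-pie target directly below it: once `gh attestation verify` has accepted the downloaded phar, install-pie runs `pie self-update`, which, if it does what its name suggests, replaces the just-verified file with a fresh download that never passes through the `gh` check, and with `> /dev/null 2>&1` a failure there aborts `make install` with nothing but make's exit status to explain why. Dropping the self-update line is the simplest fix, since the target already fetches the latest release. The fallback branch is weaker still: `self-verify` executes the unverified phar itself (as the comment concedes), so on a host without `gh` the recipe runs untrusted code at install time; a practitioner would rather have the recipe fail with a clear message when `gh` is absent, or at minimum check a published checksum before executing anything. Two smaller hardening points: `--owner=php` accepts an attestation from any workflow under the php organisation, whereas `--repo=php/pie` pins it to the expected repository; and the curl branch lacks `--fail`, so an HTTP error page is written to pie_temp.phar with exit status 0 and is only caught, if at all, by the verify step.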
diff --git a/pie/README.md b/pie/README.md
new file mode 100644
index 0000000000000..0b273cda9d295
--- /dev/null
+++ b/pie/README.md
@@ -0,0 +1,12 @@
+# PIE downloader
+
+When building PHP, supply the `--with-pie` flag. This will attempt to download
+the latest stable version of PIE, using `curl`, `wget`, `fetch`, or a PHP script.
+
+By default it will download PIE to `$prefix/bin/pie`. You can change
+the target path, e.g. `--with-pie=/usr/local/bin`, which will cause PIE to be
+downloaded to `/usr/local/bin/pie`.
+
+If the `gh` CLI tool exists on the system, it will be used to verify that the
+PIE that is downloaded was built within PHP's CI system. If not, the
+`pie self-verify` command is used, but this has limited benefit.