Added opcache.restrict_api configuration directive that may limit usage of OPcahce API functions only to patricular script(s)

NEWS

@@ -11,6 +11,8 @@ PHP                                                                        NEWS
     limited case). (Arpad)
 
 - OPcahce:
+  . Added opcache.restrict_api configuration directive that may limit
+    usage of OPcahce API functions only to patricular script(s). (Dmitry)
   . Added support for glob symbols in blacklist entries (?, *, **).
     (Terry Elison, Dmitry)
   . Fixed bug #65338 (Enabling both php_opcache and php_wincache AVs on

ext/opcache/README

@@ -199,6 +199,10 @@ opcache.protect_memory (default "0")
 	Protect the shared memory from unexpected writing during script execution.
 	Useful for internal debugging only.
 
+opcache.restrict_api (default "")
+	Allows calling OPcache API functions only from PHP scripts which path is
+	started from specified string. The default "" means no restriction.
+
 opcache.mmap_base
 	Mapping base of shared memory segments (for Windows only). All the PHP
 	processes have to map shared memory into the same address space. This

ext/opcache/ZendAccelerator.h

@@ -232,6 +232,7 @@ typedef struct _zend_accel_directives {
 #if ZEND_EXTENSION_API_NO > PHP_5_3_X_API_NO
 	long           interned_strings_buffer;
 #endif
+	char          *restrict_api;
 } zend_accel_directives;
 
 typedef struct _zend_accel_globals {

ext/opcache/zend_accelerator_module.c

@@ -71,6 +71,21 @@ static zend_function_entry accel_functions[] = {
 	{ NULL, NULL, NULL, 0, 0 }
 };
 
+static int validate_api_restriction(TSRMLS_D)
+{
+	if (ZCG(accel_directives).restrict_api && *ZCG(accel_directives).restrict_api) {
+		int len = strlen(ZCG(accel_directives).restrict_api);
+
+		if (!SG(request_info).path_translated ||
+		    strlen(SG(request_info).path_translated) < len ||
+		    memcmp(SG(request_info).path_translated, ZCG(accel_directives).restrict_api, len) != 0) {
+			zend_error(E_WARNING, ACCELERATOR_PRODUCT_NAME " API is restricted by \"restrict_api\" configuration directive");
+			return 0;
+		}
+	}       
+	return 1;
+}
+
 static ZEND_INI_MH(OnUpdateMemoryConsumption)
 {
 	long *p;
@@ -251,6 +266,7 @@ ZEND_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("opcache.enable_file_override"	, "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.file_override_enabled,     zend_accel_globals, accel_globals)
 	STD_PHP_INI_BOOLEAN("opcache.enable_cli"             , "0"   , PHP_INI_SYSTEM, OnUpdateBool,              accel_directives.enable_cli,                zend_accel_globals, accel_globals)
 	STD_PHP_INI_ENTRY("opcache.error_log"                , ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.error_log,                 zend_accel_globals, accel_globals)
+	STD_PHP_INI_ENTRY("opcache.restrict_api"             , ""    , PHP_INI_SYSTEM, OnUpdateString,	         accel_directives.restrict_api,              zend_accel_globals, accel_globals)
 
 #ifdef ZEND_WIN32
 	STD_PHP_INI_ENTRY("opcache.mmap_base", NULL, PHP_INI_SYSTEM,	OnUpdateString,	                             accel_directives.mmap_base,                 zend_accel_globals, accel_globals)
@@ -517,6 +533,10 @@ static ZEND_FUNCTION(opcache_get_status)
 		return;
 	}
 	
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (!accel_startup_ok) {
 		RETURN_FALSE;
 	}
@@ -587,6 +607,10 @@ static ZEND_FUNCTION(opcache_get_configuration)
 	}
 #endif
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	array_init(return_value);
 
 	/* directives */
@@ -651,6 +675,10 @@ static ZEND_FUNCTION(opcache_reset)
 	}
 #endif
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (!ZCG(enabled) || !accel_startup_ok || !ZCSG(accelerator_enabled)) {
 		RETURN_FALSE;
 	}
@@ -671,6 +699,10 @@ static ZEND_FUNCTION(opcache_invalidate)
 		return;
 	}
 
+	if (!validate_api_restriction(TSRMLS_C)) {
+		RETURN_FALSE;
+	}
+
 	if (zend_accel_invalidate(script_name, script_name_len, force TSRMLS_CC) == SUCCESS) {
 		RETURN_TRUE;
 	} else {