Signature validation fails due to JIT stack limit

[yunosh]

As a follow-up to issue #147 I found out why the validation of signatures failed in our use case. I tracked it down with real-world data to a masked error from preg_match(). If the signature is a very large base64 string (like 12k large), preg_match() passes back an empty match by reference. If you call preg_last_error_msg() though, you get a "JIT stack limit exhausted" error message. This could be fixed by using a non-capturing regular expression for matching the base64 data.

Unfortunately the regular expression is defined in the FHIR XML schema, e.g. (\s*([0-9a-zA-Z\+/=]){4}\s*)+ in fhir-base.xsd. Changing it to (?:\s*(?:[0-9a-zA-Z\+/=]){4}\s*)+ would fix the error, but this is obviously not possible, if you don't want to rewrite the regular expression during code generation.

Another option would be to disable PCRE's JIT-Compiler completely: ini_set('pcre.jit', 0);. This also fixes the error. Actually, now that I write this, that would be a viable work-around for the time being. But eventually this should be fixed in the library.

[dcarbone]

Ah, that is good to know! Thank you for root-causing this! Will most definitely be helpful to others, as well!

I think adding a config entry to allow the user to explicitly toggle this value would be a good idea.

[dcarbone]

I also think making sure a more useful error is returned from regex validators would be good.

[dcarbone]

@yunosh I have released v4.0.0-rc1, with one of the core features being an improved validation system. One of its core features is the ability to define you own rules, including overwriting default ones.

It is still a bit of a work in progress, but I have created a unit test for exactly this issue to ensure you receive an error going forward.

I do not think I will have this library ever set php ini settings, but I will add a section to the wiki with the suggested setting.