authorStefan Esser2014-02-16 13:05:36 +0100
committerStefan Esser2014-02-16 13:05:36 +0100
commitd5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 (patch)
tree5ddafde4fd62a368330b2c2b05201043448d82e7
parentf7ef68966204b2ac1e45f1c7e8c72aae2becc382 (diff)
Refactor array index handling in input filter, to make it work in all cases.
-rw-r--r--Changelog1
-rw-r--r--ifilter.c77
-rw-r--r--ufilter.c41
3 files changed, 67 insertions, 52 deletions
diff --git a/Changelog b/Changelog
index 9bc62e9..1129c99 100644
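--- a/Changelog
+++ b/Changelog
@@ -11,6 +11,7 @@
 - Added suhosin.log.stdout to log to stdout (for debugging purposes only)
 - Add ini_set() fail mode to suhosin.disable.display_errors
 - Fix suhosin.get/post/cookie.max_totalname_length filter
+- Refactor array index handling in filter to make it work always
 - TODO: WARN THAT FUNCTION WHITELISTS/BLACKLISTS NEVER WORKED CORRECTLY WITH PHP < 5.5
 
 2012-02-12 - 0.9.34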
diff --git a/ifilter.c b/ifilter.c
index 42f5d9b..d73106b 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -502,49 +502,56 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
502 502
503 /* Find out array depth */ 503 /* Find out array depth */
504 while (index) { 504 while (index) {
505 char *index_end;
505 unsigned int index_length; 506 unsigned int index_length;
506 507
508 /* overjump '[' */
509 index++;
510
511 /* increase array depth */
507 depth++; 512 depth++;
508 index = strchr(index+1, '['); 513
514 index_end = strchr(index, ']');
515 if (index_end == NULL) {
516 index_end = index+strlen(index);
517 }
509 518
510 if (prev_index) { 519 index_length = index_end - index;
511 index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
512 520
513 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) { 521 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
514 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var); 522 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
515 if (!SUHOSIN_G(simulation)) { 523 if (!SUHOSIN_G(simulation)) {
516 return 0; 524 return 0;
517 }
518 }
519 switch (arg) {
520 case PARSE_GET:
521 if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
522 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
523 if (!SUHOSIN_G(simulation)) {
524 return 0;
525 }
526 }
527 break;
528 case PARSE_COOKIE:
529 if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
530 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
531 if (!SUHOSIN_G(simulation)) {
532 return 0;
533 }
534 }
535 break;
536 case PARSE_POST:
537 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
538 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
539 if (!SUHOSIN_G(simulation)) {
540 return 0;
541 }
542 }
543 break;
544 } 525 }
545 prev_index = index; 526 }
527 switch (arg) {
528 case PARSE_GET:
529 if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
530 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
531 if (!SUHOSIN_G(simulation)) {
532 return 0;
533 }
534 }
535 break;
536 case PARSE_COOKIE:
537 if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
538 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
539 if (!SUHOSIN_G(simulation)) {
540 return 0;
541 }
542 }
543 break;
544 case PARSE_POST:
545 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
546 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
547 if (!SUHOSIN_G(simulation)) {
548 return 0;
549 }
550 }
551 break;
546 } 552 }
547 553
554 index = strchr(index, '[');
548 } 555 }
549 556
550 /* Drop this variable if it exceeds the array depth limit */ 557 /* Drop this variable if it exceeds the array depth limit */
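Review bot: The loop measures each index up to the first `]` (`index_end`) but then resumes with `index = strchr(index, '[');`, so a `[` inside the index just measured opens another level and its tail is measured a second time; an unterminated `[` is likewise measured to the end of the name. That errs on the strict side for a filter, but nothing in the hunk says whether it is intended rather than an oversight. I would document it above the final `strchr`, e.g. `/* resume from index, not index_end: a '[' inside this index deliberately counts as a further level */`. The same loop is added to check_fileupload_varname() in ufilter.c, and suhosin_input_filter()'s body starts and ends outside this hunk.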
diff --git a/ufilter.c b/ufilter.c
index efab2ce..67bb114 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -131,29 +131,36 @@ static int check_fileupload_varname(char *varname)
131 131
132 /* Find out array depth */ 132 /* Find out array depth */
133 while (index) { 133 while (index) {
134 char *index_end;
134 unsigned int index_length; 135 unsigned int index_length;
135 136
137 /* overjump '[' */
138 index++;
139
140 /* increase array depth */
136 depth++; 141 depth++;
137 index = strchr(index+1, '['); 142
143 index_end = strchr(index, ']');
144 if (index_end == NULL) {
145 index_end = index+strlen(index);
146 }
138 147
139 if (prev_index) { 148 index_length = index_end - index;
140 index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
141 149
142 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) { 150 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
143 suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var); 151 suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
144 if (!SUHOSIN_G(simulation)) { 152 if (!SUHOSIN_G(simulation)) {
145 goto return_failure; 153 goto return_failure;
146 } 154 }
147 } 155 }
148 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) { 156 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
149 suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var); 157 suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
150 if (!SUHOSIN_G(simulation)) { 158 if (!SUHOSIN_G(simulation)) {
151 goto return_failure; 159 goto return_failure;
152 } 160 }
153 } 161 }
154 prev_index = index;
155 }
156 162
163 index = strchr(index, '[');
157 } 164 }
158 165
159 /* Drop this variable if it exceeds the array depth limit */ 166 /* Drop this variable if it exceeds the array depth limit */
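Review bot: In simulation mode nothing leaves the loop after `suhosin_log()`, so one upload variable name is reported once per bracket level and per limit (the request-wide and the POST check can both fire on the same index), each line repeating the whole name. The name presumably comes from the request, so log volume then scales with the number of brackets in it. Reporting each limit at most once per variable would bound that, e.g. by guarding the call with a local flag: `if (!logged_index_length) { suhosin_log(...); logged_index_length = 1; }`. The ifilter.c loop in this commit behaves the same way. check_fileupload_varname()'s body starts and ends outside this hunk, so the declarations of `index` and `var` are not visible here.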