Add protection against injection attacks (like XSS/SQL/other) through HTTP User-Agent String

author: Stefan Esser 2014-06-09 09:03:03 +0200
committer: Stefan Esser 2014-06-09 09:03:03 +0200
commit: 134a88c1da096f787a560c43534f07b74867b9cb (patch)
tree: ab925ecba15c137a3b916ac65964d9b1c32f513a
parent: cd70620d20aef7fa5b89065c39708186f0b590c4 (diff)
4 files changed, 56 insertions, 0 deletions
diff --git a/Changelog b/Changelog
index 69101e8..77235e5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,7 @@
 2014-05-xx - 0.9.36-dev
    - Added better handling of non existing/non executable shell scripts
+    - Added protection against XSS/SQL/Other Injections through User-Agent HTTP header
    - Added LICENSE file to make distributions happy
 2014-02-24 - 0.9.35
diff --git a/ifilter.c b/ifilter.c
index d73106b..cd02869 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -249,6 +249,7 @@ void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC)
                suhosin_server_strip(svars, "PHP_SELF", sizeof("PHP_SELF"));
                suhosin_server_strip(svars, "PATH_INFO", sizeof("PATH_INFO"));
                suhosin_server_strip(svars, "PATH_TRANSLATED", sizeof("PATH_TRANSLATED"));
+                suhosin_server_strip(svars, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"));
        }
 }
 /* }}} */
diff --git a/tests/filter/server_user_agent_strip_off.phpt b/tests/filter/server_user_agent_strip_off.phpt
new file mode 100644
index 0000000..36c6580
--- /dev/null
+++ b/tests/filter/server_user_agent_strip_off.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Testing: suhosin.server.strip=On
+--DESCRIPTION--
+This test is not exactly what we want, but good enough due to limitations of the test framework.
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.server.strip=Off
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
+END;
+--COOKIE--
+--GET--
+A=B
+--POST--
+--FILE--
+<?php
+var_dump($_SERVER['HTTP_USER_AGENT']);
+?>
+--EXPECTF--
+string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0"
diff --git a/tests/filter/server_user_agent_strip_on.phpt b/tests/filter/server_user_agent_strip_on.phpt
new file mode 100644
index 0000000..73d577c
--- /dev/null
+++ b/tests/filter/server_user_agent_strip_on.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Testing: suhosin.server.strip=On
+--DESCRIPTION--
+This test is not exactly what we want, but good enough due to limitations of the test framework.
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.server.strip=On
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
+END;
+--COOKIE--
+--GET--
+A=B
+--POST--
+--FILE--
+<?php
+var_dump($_SERVER['HTTP_USER_AGENT']);
+?>
+--EXPECTF--
+string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) ?script?alert(?123?);?/script?Gecko/20100101 Firefox/29.0"
author	Stefan Esser	2014-06-09 09:03:03 +0200
committer	Stefan Esser	2014-06-09 09:03:03 +0200
commit	134a88c1da096f787a560c43534f07b74867b9cb (patch)
tree	ab925ecba15c137a3b916ac65964d9b1c32f513a
parent	cd70620d20aef7fa5b89065c39708186f0b590c4 (diff)

diff --git a/Changelog b/Changelog index 69101e8..77235e5 100644 --- a/Changelog +++ b/Changelog
@@ -1,6 +1,7 @@
1	2014-05-xx - 0.9.36-dev	1	2014-05-xx - 0.9.36-dev
2		2
3	- Added better handling of non existing/non executable shell scripts	3	- Added better handling of non existing/non executable shell scripts
		4	- Added protection against XSS/SQL/Other Injections through User-Agent HTTP header
4	- Added LICENSE file to make distributions happy	5	- Added LICENSE file to make distributions happy
5		6
6	2014-02-24 - 0.9.35	7	2014-02-24 - 0.9.35


diff --git a/ifilter.c b/ifilter.c index d73106b..cd02869 100644 --- a/ifilter.c +++ b/ifilter.c
@@ -249,6 +249,7 @@ void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC)
249	suhosin_server_strip(svars, "PHP_SELF", sizeof("PHP_SELF"));	249	suhosin_server_strip(svars, "PHP_SELF", sizeof("PHP_SELF"));
250	suhosin_server_strip(svars, "PATH_INFO", sizeof("PATH_INFO"));	250	suhosin_server_strip(svars, "PATH_INFO", sizeof("PATH_INFO"));
251	suhosin_server_strip(svars, "PATH_TRANSLATED", sizeof("PATH_TRANSLATED"));	251	suhosin_server_strip(svars, "PATH_TRANSLATED", sizeof("PATH_TRANSLATED"));
		252	suhosin_server_strip(svars, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"));
252	}	253	}
253	}	254	}
254	/* }}} */	255	/* }}} */


diff --git a/tests/filter/server_user_agent_strip_off.phpt b/tests/filter/server_user_agent_strip_off.phpt new file mode 100644 index 0000000..36c6580 --- /dev/null +++ b/tests/filter/server_user_agent_strip_off.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	Testing: suhosin.server.strip=On
		3	--DESCRIPTION--
		4	This test is not exactly what we want, but good enough due to limitations of the test framework.
		5	--INI--
		6	suhosin.log.syslog=0
		7	suhosin.log.sapi=0
		8	suhosin.log.stdout=255
		9	suhosin.log.script=0
		10	suhosin.server.strip=Off
		11	--SKIPIF--
		12	<?php include('skipif.inc'); ?>
		13	--ENV--
		14	return <<<END
		15	HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
		16	END;
		17	--COOKIE--
		18	--GET--
		19	A=B
		20	--POST--
		21	--FILE--
		22	<?php
		23	var_dump($_SERVER['HTTP_USER_AGENT']);
		24	?>
		25	--EXPECTF--
		26	string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0"
		27


diff --git a/tests/filter/server_user_agent_strip_on.phpt b/tests/filter/server_user_agent_strip_on.phpt new file mode 100644 index 0000000..73d577c --- /dev/null +++ b/tests/filter/server_user_agent_strip_on.phpt
@@ -0,0 +1,27 @@
		1	--TEST--
		2	Testing: suhosin.server.strip=On
		3	--DESCRIPTION--
		4	This test is not exactly what we want, but good enough due to limitations of the test framework.
		5	--INI--
		6	suhosin.log.syslog=0
		7	suhosin.log.sapi=0
		8	suhosin.log.stdout=255
		9	suhosin.log.script=0
		10	suhosin.server.strip=On
		11	--SKIPIF--
		12	<?php include('skipif.inc'); ?>
		13	--ENV--
		14	return <<<END
		15	HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.0; rv:29.0) <script>alert('123');</script>Gecko/20100101 Firefox/29.0
		16	END;
		17	--COOKIE--
		18	--GET--
		19	A=B
		20	--POST--
		21	--FILE--
		22	<?php
		23	var_dump($_SERVER['HTTP_USER_AGENT']);
		24	?>
		25	--EXPECTF--
		26	string(95) "Mozilla/5.0 (Windows NT 6.0; rv:29.0) ?script?alert(?123?);?/script?Gecko/20100101 Firefox/29.0"
		27