array index whitelist/blacklist for multipart formdata

author: Ben Fuhrmannek 2014-09-25 18:07:55 +0200
committer: Ben Fuhrmannek 2014-09-25 18:07:55 +0200
commit: 49a4321cec080d61ff112aaf27f55257e62402f9 (patch)
tree: c3500f64ef6cc5d45d70296339827857de1bf889
parent: 594c8df58c6f7f9b9610c7f0fd11da08a532de98 (diff)
5 files changed, 106 insertions, 4 deletions
diff --git a/ifilter.c b/ifilter.c
index 4ea846f..47ab6f2 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -41,7 +41,7 @@ static size_t strnlen(const char *s, size_t maxlen) {
 }
 #endif
-static size_t strnspn(const char *input, size_t n, const char *accept)
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
 {
        size_t count = 0;
        for (; *input != '\0' && count < n; input++, count++) {
@@ -51,7 +51,7 @@ static size_t strnspn(const char *input, size_t n, const char *accept)
        return count;
 }
-static size_t strncspn(const char *input, size_t n, const char *reject)
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
 {
        size_t count = 0;
        for (; *input != '\0' && count < n; input++, count++) {
@@ -581,14 +581,14 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
                
                /* index whitelist/blacklist */
                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
-                        if (strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
                                if (!SUHOSIN_G(simulation)) {
                                        return 0;
                                }
                        }
                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
-                        if (strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
                                if (!SUHOSIN_G(simulation)) {
                                        return 0;
diff --git a/php_suhosin.h b/php_suhosin.h
index 8877e53..7be628a 100644
--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -446,6 +446,8 @@ extern unsigned int (*old_input_filter)(int arg, char *var, char **val, unsigned
 void normalize_varname(char *varname);
 int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TSRMLS_DC);
 void suhosin_bailout(TSRMLS_D);
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
 /* Add pseudo refcount macros for PHP version < 5.3 */
 #ifndef Z_REFCOUNT_PP
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..f0e003b
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..f2fe8c8
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/ufilter.c b/ufilter.c
index 1669e88..28b61e1 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -113,6 +113,24 @@ static int check_fileupload_varname(char *varname)
                        }
                } 
                
+                /* index whitelist/blacklist */
+                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                }
+                
+                
                index = strchr(index, '[');             
        }
author	Ben Fuhrmannek	2014-09-25 18:07:55 +0200
committer	Ben Fuhrmannek	2014-09-25 18:07:55 +0200
commit	49a4321cec080d61ff112aaf27f55257e62402f9 (patch)
tree	c3500f64ef6cc5d45d70296339827857de1bf889
parent	594c8df58c6f7f9b9610c7f0fd11da08a532de98 (diff)

diff --git a/ifilter.c b/ifilter.c index 4ea846f..47ab6f2 100644 --- a/ifilter.c +++ b/ifilter.c
@@ -41,7 +41,7 @@ static size_t strnlen(const char *s, size_t maxlen) {
41	}	41	}
42	#endif	42	#endif
43		43
44	static size_t strnspn(const char input, size_t n, const char accept)	44	size_t suhosin_strnspn(const char input, size_t n, const char accept)
45	{	45	{
46	size_t count = 0;	46	size_t count = 0;
47	for (; *input != '\0' && count < n; input++, count++) {	47	for (; *input != '\0' && count < n; input++, count++) {
@@ -51,7 +51,7 @@ static size_t strnspn(const char input, size_t n, const char accept)
51	return count;	51	return count;
52	}	52	}
53		53
54	static size_t strncspn(const char input, size_t n, const char reject)	54	size_t suhosin_strncspn(const char input, size_t n, const char reject)
55	{	55	{
56	size_t count = 0;	56	size_t count = 0;
57	for (; *input != '\0' && count < n; input++, count++) {	57	for (; *input != '\0' && count < n; input++, count++) {
@@ -581,14 +581,14 @@ unsigned int suhosin_input_filter(int arg, char var, char *val, unsigned int v
581		581
582	/* index whitelist/blacklist */	582	/* index whitelist/blacklist */
583	if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {	583	if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
584	if (strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {	584	if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
585	suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);	585	suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
586	if (!SUHOSIN_G(simulation)) {	586	if (!SUHOSIN_G(simulation)) {
587	return 0;	587	return 0;
588	}	588	}
589	}	589	}
590	} else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {	590	} else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
591	if (strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {	591	if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
592	suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);	592	suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
593	if (!SUHOSIN_G(simulation)) {	593	if (!SUHOSIN_G(simulation)) {
594	return 0;	594	return 0;


diff --git a/php_suhosin.h b/php_suhosin.h index 8877e53..7be628a 100644 --- a/php_suhosin.h +++ b/php_suhosin.h
@@ -446,6 +446,8 @@ extern unsigned int (old_input_filter)(int arg, char var, char **val, unsigned
446	void normalize_varname(char *varname);	446	void normalize_varname(char *varname);
447	int suhosin_rfc1867_filter(unsigned int event, void event_data, void *extra TSRMLS_DC);	447	int suhosin_rfc1867_filter(unsigned int event, void event_data, void *extra TSRMLS_DC);
448	void suhosin_bailout(TSRMLS_D);	448	void suhosin_bailout(TSRMLS_D);
		449	size_t suhosin_strnspn(const char input, size_t n, const char accept);
		450	size_t suhosin_strncspn(const char input, size_t n, const char reject);
449		451
450	/* Add pseudo refcount macros for PHP version < 5.3 */	452	/* Add pseudo refcount macros for PHP version < 5.3 */
451	#ifndef Z_REFCOUNT_PP	453	#ifndef Z_REFCOUNT_PP


diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt new file mode 100644 index 0000000..f0e003b --- /dev/null +++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
		1	--TEST--
		2	suhosin file upload filter (array index whitelist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=255
		7	suhosin.log.script=0
		8	file_uploads=1
		9	suhosin.request.array_index_blacklist=ABC
		10	--SKIPIF--
		11	<?php include('skipif.inc'); ?>
		12	--COOKIE--
		13	--GET--
		14	--POST_RAW--
		15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
		16	-----------------------------20896060251896012921717172737
		17	Content-Disposition: form-data; name="fn[foo][bar]"
		18
		19	ok
		20	-----------------------------20896060251896012921717172737
		21	Content-Disposition: form-data; name="fn[foo][BAR]"
		22
		23	bad
		24	-----------------------------20896060251896012921717172737--
		25	--FILE--
		26	<?php
		27	var_dump($_POST);
		28	?>
		29	--EXPECTF--
		30	array(1) {
		31	["fn"]=>
		32	array(1) {
		33	["foo"]=>
		34	array(1) {
		35	["bar"]=>
		36	string(2) "ok"
		37	}
		38	}
		39	}
		40	ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
		41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt new file mode 100644 index 0000000..f2fe8c8 --- /dev/null +++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
		1	--TEST--
		2	suhosin file upload filter (array index whitelist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=255
		7	suhosin.log.script=0
		8	file_uploads=1
		9	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
		10	--SKIPIF--
		11	<?php include('skipif.inc'); ?>
		12	--COOKIE--
		13	--GET--
		14	--POST_RAW--
		15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
		16	-----------------------------20896060251896012921717172737
		17	Content-Disposition: form-data; name="fn[foo][bar]"
		18
		19	ok
		20	-----------------------------20896060251896012921717172737
		21	Content-Disposition: form-data; name="fn[foo][BAR]"
		22
		23	bad
		24	-----------------------------20896060251896012921717172737--
		25	--FILE--
		26	<?php
		27	var_dump($_POST);
		28	?>
		29	--EXPECTF--
		30	array(1) {
		31	["fn"]=>
		32	array(1) {
		33	["foo"]=>
		34	array(1) {
		35	["bar"]=>
		36	string(2) "ok"
		37	}
		38	}
		39	}
		40	ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
		41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/ufilter.c b/ufilter.c index 1669e88..28b61e1 100644 --- a/ufilter.c +++ b/ufilter.c
@@ -113,6 +113,24 @@ static int check_fileupload_varname(char *varname)
113	}	113	}
114	}	114	}
115		115
		116	/* index whitelist/blacklist */
		117	if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
		118	if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
		119	suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
		120	if (!SUHOSIN_G(simulation)) {
		121	goto return_failure;
		122	}
		123	}
		124	} else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
		125	if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
		126	suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
		127	if (!SUHOSIN_G(simulation)) {
		128	goto return_failure;
		129	}
		130	}
		131	}
		132
		133
116	index = strchr(index, '[');	134	index = strchr(index, '[');
117	}	135	}
118		136