Merge branch 'ifilter'

author: Ben Fuhrmannek 2014-10-16 15:08:59 +0200
committer: Ben Fuhrmannek 2014-10-16 15:08:59 +0200
commit: c4467269c3d5bf4cba72dadf846e229e4bc5c0c7 (patch)
tree: d3696caedda0ffef0143a80cf3e70c459147b255
parent: 82e8d0eb03fb3bd88062e99065f990b26fb9fc8b (diff)
parent: 49a4321cec080d61ff112aaf27f55257e62402f9 (diff)
9 files changed, 249 insertions, 2 deletions
diff --git a/execute.c b/execute.c
index 560d8f5..a27d82f 100644
--- a/execute.c
+++ b/execute.c
@@ -415,7 +415,6 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
                        SUHOSIN_G(att_get_vars)-SUHOSIN_G(cur_get_vars),
                        SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars),
                        SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars));
-                
                }
        
                if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) {
diff --git a/ifilter.c b/ifilter.c
index 48b62c7..47ab6f2 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -41,6 +41,26 @@ static size_t strnlen(const char *s, size_t maxlen) {
 }
 #endif
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
+{
+        size_t count = 0;
+        for (; *input != '\0' && count < n; input++, count++) {
+                if (strchr(accept, *input) == NULL)
+                        break;
+        }
+        return count;
+}
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
+{
+        size_t count = 0;
+        for (; *input != '\0' && count < n; input++, count++) {
+                if (strchr(reject, *input) != NULL)
+                        break;
+        }
+        return count;
+}
 /* {{{ normalize_varname
 */
@@ -524,7 +544,8 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
                }
                
                index_length = index_end - index;
-                        
+                
+                /* max. array index length */
                if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
                        suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
                        if (!SUHOSIN_G(simulation)) {
@@ -558,6 +579,23 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
                                break;
                }
                
+                /* index whitelist/blacklist */
+                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        return 0;
+                                }
+                        }
+                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        return 0;
+                                }
+                        }
+                }
+                
                index = strchr(index, '[');
        }
        
diff --git a/php_suhosin.h b/php_suhosin.h
index b81043a..28a88eb 100644
--- a/php_suhosin.h
+++ b/php_suhosin.h
@@ -208,6 +208,8 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
        long  max_value_length;
        long  max_array_depth;
        long  max_array_index_length;
+        char* array_index_whitelist;
+        char* array_index_blacklist;
        zend_bool  disallow_nul;
        zend_bool  disallow_ws;
 /*      cookie variables */
@@ -447,6 +449,8 @@ extern unsigned int (*old_input_filter)(int arg, char *var, char **val, unsigned
 void normalize_varname(char *varname);
 int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra TSRMLS_DC);
 void suhosin_bailout(TSRMLS_D);
+size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
+size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
 /* Add pseudo refcount macros for PHP version < 5.3 */
 #ifndef Z_REFCOUNT_PP
diff --git a/suhosin.c b/suhosin.c
index 78dd865..81711b1 100644
--- a/suhosin.c
+++ b/suhosin.c
@@ -791,6 +791,8 @@ PHP_INI_BEGIN()
        STD_PHP_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth, zend_suhosin_globals, suhosin_globals)
        STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)
        STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)
+                STD_PHP_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_whitelist, zend_suhosin_globals, suhosin_globals)
+                STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
        STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)
        STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)
    
diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt
new file mode 100644
index 0000000..01d551f
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_blacklist.phpt
@@ -0,0 +1,53 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_blacklist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=511
+suhosin.log.script=0
+suhosin.request.array_index_blacklist="=ABC%{}\\$;"
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump(ini_get("suhosin.request.array_index_blacklist"));
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+string(10) "=ABC%{}\$;"
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt
new file mode 100644
index 0000000..8e63a36
--- /dev/null
+++ b/tests/filter/input_filter_request_array_index_whitelist.phpt
@@ -0,0 +1,51 @@
+--TEST--
+suhosin input filter (suhosin.request.array_index_whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
+--GET--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--POST--
+var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
+--FILE--
+<?php
+var_dump($_GET);
+var_dump($_POST);
+var_dump($_COOKIE);
+?>
+--EXPECTF--
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+array(1) {
+  ["var1"]=>
+  array(1) {
+    ["aaa"]=>
+    string(1) "1"
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt
new file mode 100644
index 0000000..f0e003b
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_blacklist=ABC
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt
new file mode 100644
index 0000000..f2fe8c8
--- /dev/null
+++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
+--TEST--
+suhosin file upload filter (array index whitelist)
+--INI--
+suhosin.log.syslog=0
+suhosin.log.sapi=0
+suhosin.log.stdout=255
+suhosin.log.script=0
+file_uploads=1
+suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--COOKIE--
+--GET--
+--POST_RAW--
+Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][bar]"
+ok
+-----------------------------20896060251896012921717172737
+Content-Disposition: form-data; name="fn[foo][BAR]"
+bad
+-----------------------------20896060251896012921717172737--
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECTF--
+array(1) {
+  ["fn"]=>
+  array(1) {
+    ["foo"]=>
+    array(1) {
+      ["bar"]=>
+      string(2) "ok"
+    }
+  }
+}
+ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
+ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')
diff --git a/ufilter.c b/ufilter.c
index f3c3054..b6c5986 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -113,6 +113,24 @@ static int check_fileupload_varname(char *varname)
                        }
                } 
                
+                /* index whitelist/blacklist */
+                if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
+                        if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                } else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
+                        if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
+                                suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
+                                if (!SUHOSIN_G(simulation)) {
+                                        goto return_failure;
+                                }
+                        }
+                }
+                
+                
                index = strchr(index, '[');             
        }
author	Ben Fuhrmannek	2014-10-16 15:08:59 +0200
committer	Ben Fuhrmannek	2014-10-16 15:08:59 +0200
commit	c4467269c3d5bf4cba72dadf846e229e4bc5c0c7 (patch)
tree	d3696caedda0ffef0143a80cf3e70c459147b255
parent	82e8d0eb03fb3bd88062e99065f990b26fb9fc8b (diff)
parent	49a4321cec080d61ff112aaf27f55257e62402f9 (diff)

diff --git a/execute.c b/execute.c index 560d8f5..a27d82f 100644 --- a/execute.c +++ b/execute.c
@@ -415,7 +415,6 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
415	SUHOSIN_G(att_get_vars)-SUHOSIN_G(cur_get_vars),	415	SUHOSIN_G(att_get_vars)-SUHOSIN_G(cur_get_vars),
416	SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars),	416	SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars),
417	SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars));	417	SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars));
418
419	}	418	}
420		419
421	if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) {	420	if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) {


diff --git a/ifilter.c b/ifilter.c index 48b62c7..47ab6f2 100644 --- a/ifilter.c +++ b/ifilter.c
@@ -41,6 +41,26 @@ static size_t strnlen(const char *s, size_t maxlen) {
41	}	41	}
42	#endif	42	#endif
43		43
		44	size_t suhosin_strnspn(const char input, size_t n, const char accept)
		45	{
		46	size_t count = 0;
		47	for (; *input != '\0' && count < n; input++, count++) {
		48	if (strchr(accept, *input) == NULL)
		49	break;
		50	}
		51	return count;
		52	}
		53
		54	size_t suhosin_strncspn(const char input, size_t n, const char reject)
		55	{
		56	size_t count = 0;
		57	for (; *input != '\0' && count < n; input++, count++) {
		58	if (strchr(reject, *input) != NULL)
		59	break;
		60	}
		61	return count;
		62	}
		63
44		64
45	/* {{{ normalize_varname	65	/* {{{ normalize_varname
46	*/	66	*/
@@ -524,7 +544,8 @@ unsigned int suhosin_input_filter(int arg, char var, char *val, unsigned int v
524	}	544	}
525		545
526	index_length = index_end - index;	546	index_length = index_end - index;
527		547
		548	/* max. array index length */
528	if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {	549	if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
529	suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);	550	suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
530	if (!SUHOSIN_G(simulation)) {	551	if (!SUHOSIN_G(simulation)) {
@@ -558,6 +579,23 @@ unsigned int suhosin_input_filter(int arg, char var, char *val, unsigned int v
558	break;	579	break;
559	}	580	}
560		581
		582	/* index whitelist/blacklist */
		583	if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
		584	if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
		585	suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
		586	if (!SUHOSIN_G(simulation)) {
		587	return 0;
		588	}
		589	}
		590	} else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
		591	if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
		592	suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
		593	if (!SUHOSIN_G(simulation)) {
		594	return 0;
		595	}
		596	}
		597	}
		598
561	index = strchr(index, '[');	599	index = strchr(index, '[');
562	}	600	}
563		601


diff --git a/php_suhosin.h b/php_suhosin.h index b81043a..28a88eb 100644 --- a/php_suhosin.h +++ b/php_suhosin.h
@@ -208,6 +208,8 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin)
208	long max_value_length;	208	long max_value_length;
209	long max_array_depth;	209	long max_array_depth;
210	long max_array_index_length;	210	long max_array_index_length;
		211	char* array_index_whitelist;
		212	char* array_index_blacklist;
211	zend_bool disallow_nul;	213	zend_bool disallow_nul;
212	zend_bool disallow_ws;	214	zend_bool disallow_ws;
213	/* cookie variables */	215	/* cookie variables */
@@ -447,6 +449,8 @@ extern unsigned int (old_input_filter)(int arg, char var, char **val, unsigned
447	void normalize_varname(char *varname);	449	void normalize_varname(char *varname);
448	int suhosin_rfc1867_filter(unsigned int event, void event_data, void *extra TSRMLS_DC);	450	int suhosin_rfc1867_filter(unsigned int event, void event_data, void *extra TSRMLS_DC);
449	void suhosin_bailout(TSRMLS_D);	451	void suhosin_bailout(TSRMLS_D);
		452	size_t suhosin_strnspn(const char input, size_t n, const char accept);
		453	size_t suhosin_strncspn(const char input, size_t n, const char reject);
450		454
451	/* Add pseudo refcount macros for PHP version < 5.3 */	455	/* Add pseudo refcount macros for PHP version < 5.3 */
452	#ifndef Z_REFCOUNT_PP	456	#ifndef Z_REFCOUNT_PP


diff --git a/suhosin.c b/suhosin.c index 78dd865..81711b1 100644 --- a/suhosin.c +++ b/suhosin.c
@@ -791,6 +791,8 @@ PHP_INI_BEGIN()
791	STD_PHP_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth, zend_suhosin_globals, suhosin_globals)	791	STD_PHP_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth, zend_suhosin_globals, suhosin_globals)
792	STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)	792	STD_PHP_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length, zend_suhosin_globals, suhosin_globals)
793	STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)	793	STD_PHP_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length, zend_suhosin_globals, suhosin_globals)
		794	STD_PHP_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateString, array_index_whitelist, zend_suhosin_globals, suhosin_globals)
		795	STD_PHP_INI_ENTRY("suhosin.request.array_index_blacklist", "", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateString, array_index_blacklist, zend_suhosin_globals, suhosin_globals)
794	STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)	796	STD_PHP_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul, zend_suhosin_globals, suhosin_globals)
795	STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)	797	STD_PHP_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM\|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws, zend_suhosin_globals, suhosin_globals)
796		798


diff --git a/tests/filter/input_filter_request_array_index_blacklist.phpt b/tests/filter/input_filter_request_array_index_blacklist.phpt new file mode 100644 index 0000000..01d551f --- /dev/null +++ b/tests/filter/input_filter_request_array_index_blacklist.phpt
@@ -0,0 +1,53 @@
		1	--TEST--
		2	suhosin input filter (suhosin.request.array_index_blacklist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=511
		7	suhosin.log.script=0
		8	suhosin.request.array_index_blacklist="=ABC%{}\\$;"
		9	--SKIPIF--
		10	<?php include('skipif.inc'); ?>
		11	--COOKIE--
		12	var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
		13	--GET--
		14	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
		15	--POST--
		16	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
		17	--FILE--
		18	<?php
		19	var_dump(ini_get("suhosin.request.array_index_blacklist"));
		20	var_dump($_GET);
		21	var_dump($_POST);
		22	var_dump($_COOKIE);
		23	?>
		24	--EXPECTF--
		25	string(10) "=ABC%{}\$;"
		26	array(1) {
		27	["var1"]=>
		28	array(1) {
		29	["aaa"]=>
		30	string(1) "1"
		31	}
		32	}
		33	array(1) {
		34	["var1"]=>
		35	array(1) {
		36	["aaa"]=>
		37	string(1) "1"
		38	}
		39	}
		40	array(1) {
		41	["var1"]=>
		42	array(1) {
		43	["aaa"]=>
		44	string(1) "1"
		45	}
		46	}
		47	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		48	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		49	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		50	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		51	ALERT - array index contains blacklisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		52	ALERT - array index contains blacklisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		53	ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/input_filter_request_array_index_whitelist.phpt b/tests/filter/input_filter_request_array_index_whitelist.phpt new file mode 100644 index 0000000..8e63a36 --- /dev/null +++ b/tests/filter/input_filter_request_array_index_whitelist.phpt
@@ -0,0 +1,51 @@
		1	--TEST--
		2	suhosin input filter (suhosin.request.array_index_whitelist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=255
		7	suhosin.log.script=0
		8	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
		9	--SKIPIF--
		10	<?php include('skipif.inc'); ?>
		11	--COOKIE--
		12	var1[aaa]=1;var2[bbB]=1;var3[ccc][ccC]=1
		13	--GET--
		14	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
		15	--POST--
		16	var1[aaa]=1&var2[bbB]=1&var3[ccc][ccC]=1
		17	--FILE--
		18	<?php
		19	var_dump($_GET);
		20	var_dump($_POST);
		21	var_dump($_COOKIE);
		22	?>
		23	--EXPECTF--
		24	array(1) {
		25	["var1"]=>
		26	array(1) {
		27	["aaa"]=>
		28	string(1) "1"
		29	}
		30	}
		31	array(1) {
		32	["var1"]=>
		33	array(1) {
		34	["aaa"]=>
		35	string(1) "1"
		36	}
		37	}
		38	array(1) {
		39	["var1"]=>
		40	array(1) {
		41	["aaa"]=>
		42	string(1) "1"
		43	}
		44	}
		45	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		46	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		47	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		48	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		49	ALERT - array index contains not whitelisted characters - dropped variable 'var2[bbB]' (attacker 'REMOTE_ADDR not set', file '%s')
		50	ALERT - array index contains not whitelisted characters - dropped variable 'var3[ccc][ccC]' (attacker 'REMOTE_ADDR not set', file '%s')
		51	ALERT - dropped 6 request variables - (2 in GET, 2 in POST, 2 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_blacklist.phpt b/tests/filter/post_fileupload_array_index_blacklist.phpt new file mode 100644 index 0000000..f0e003b --- /dev/null +++ b/tests/filter/post_fileupload_array_index_blacklist.phpt
@@ -0,0 +1,41 @@
		1	--TEST--
		2	suhosin file upload filter (array index whitelist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=255
		7	suhosin.log.script=0
		8	file_uploads=1
		9	suhosin.request.array_index_blacklist=ABC
		10	--SKIPIF--
		11	<?php include('skipif.inc'); ?>
		12	--COOKIE--
		13	--GET--
		14	--POST_RAW--
		15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
		16	-----------------------------20896060251896012921717172737
		17	Content-Disposition: form-data; name="fn[foo][bar]"
		18
		19	ok
		20	-----------------------------20896060251896012921717172737
		21	Content-Disposition: form-data; name="fn[foo][BAR]"
		22
		23	bad
		24	-----------------------------20896060251896012921717172737--
		25	--FILE--
		26	<?php
		27	var_dump($_POST);
		28	?>
		29	--EXPECTF--
		30	array(1) {
		31	["fn"]=>
		32	array(1) {
		33	["foo"]=>
		34	array(1) {
		35	["bar"]=>
		36	string(2) "ok"
		37	}
		38	}
		39	}
		40	ALERT - array index contains blacklisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
		41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/tests/filter/post_fileupload_array_index_whitelist.phpt b/tests/filter/post_fileupload_array_index_whitelist.phpt new file mode 100644 index 0000000..f2fe8c8 --- /dev/null +++ b/tests/filter/post_fileupload_array_index_whitelist.phpt
@@ -0,0 +1,41 @@
		1	--TEST--
		2	suhosin file upload filter (array index whitelist)
		3	--INI--
		4	suhosin.log.syslog=0
		5	suhosin.log.sapi=0
		6	suhosin.log.stdout=255
		7	suhosin.log.script=0
		8	file_uploads=1
		9	suhosin.request.array_index_whitelist=abcdefghijklmnopqrstuvwxyz
		10	--SKIPIF--
		11	<?php include('skipif.inc'); ?>
		12	--COOKIE--
		13	--GET--
		14	--POST_RAW--
		15	Content-Type: multipart/form-data; boundary=---------------------------20896060251896012921717172737
		16	-----------------------------20896060251896012921717172737
		17	Content-Disposition: form-data; name="fn[foo][bar]"
		18
		19	ok
		20	-----------------------------20896060251896012921717172737
		21	Content-Disposition: form-data; name="fn[foo][BAR]"
		22
		23	bad
		24	-----------------------------20896060251896012921717172737--
		25	--FILE--
		26	<?php
		27	var_dump($_POST);
		28	?>
		29	--EXPECTF--
		30	array(1) {
		31	["fn"]=>
		32	array(1) {
		33	["foo"]=>
		34	array(1) {
		35	["bar"]=>
		36	string(2) "ok"
		37	}
		38	}
		39	}
		40	ALERT - array index contains not whitelisted characters - dropped variable 'fn[foo][BAR]' (attacker 'REMOTE_ADDR not set', file '%s')
		41	ALERT - dropped 1 request variables - (0 in GET, 1 in POST, 0 in COOKIE) (attacker 'REMOTE_ADDR not set', file '%s')


diff --git a/ufilter.c b/ufilter.c index f3c3054..b6c5986 100644 --- a/ufilter.c +++ b/ufilter.c
@@ -113,6 +113,24 @@ static int check_fileupload_varname(char *varname)
113	}	113	}
114	}	114	}
115		115
		116	/* index whitelist/blacklist */
		117	if (SUHOSIN_G(array_index_whitelist) && *(SUHOSIN_G(array_index_whitelist))) {
		118	if (suhosin_strnspn(index, index_length, SUHOSIN_G(array_index_whitelist)) != index_length) {
		119	suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
		120	if (!SUHOSIN_G(simulation)) {
		121	goto return_failure;
		122	}
		123	}
		124	} else if (SUHOSIN_G(array_index_blacklist) && *(SUHOSIN_G(array_index_blacklist))) {
		125	if (suhosin_strncspn(index, index_length, SUHOSIN_G(array_index_blacklist)) != index_length) {
		126	suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
		127	if (!SUHOSIN_G(simulation)) {
		128	goto return_failure;
		129	}
		130	}
		131	}
		132
		133
116	index = strchr(index, '[');	134	index = strchr(index, '[');
117	}	135	}
118		136