authorStefan Esser2014-02-16 13:05:36 +0100
committerStefan Esser2014-02-16 13:05:36 +0100
commitd5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 (patch)
tree5ddafde4fd62a368330b2c2b05201043448d82e7 /ifilter.c
parentf7ef68966204b2ac1e45f1c7e8c72aae2becc382 (diff)
Refactor array index handling in input filter, to make it work in all cases.
Diffstat (limited to 'ifilter.c')
-rw-r--r--ifilter.c77
1 files changed, 42 insertions, 35 deletions
diff --git a/ifilter.c b/ifilter.c
index 42f5d9b..d73106b 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -502,49 +502,56 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
502 502
503 /* Find out array depth */ 503 /* Find out array depth */
504 while (index) { 504 while (index) {
505 char *index_end;
505 unsigned int index_length; 506 unsigned int index_length;
506 507
508 /* overjump '[' */
509 index++;
510
511 /* increase array depth */
507 depth++; 512 depth++;
508 index = strchr(index+1, '['); 513
514 index_end = strchr(index, ']');
515 if (index_end == NULL) {
516 index_end = index+strlen(index);
517 }
509 518
510 if (prev_index) { 519 index_length = index_end - index;
511 index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
512 520
513 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) { 521 if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
514 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var); 522 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
515 if (!SUHOSIN_G(simulation)) { 523 if (!SUHOSIN_G(simulation)) {
516 return 0; 524 return 0;
517 }
518 }
519 switch (arg) {
520 case PARSE_GET:
521 if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
522 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
523 if (!SUHOSIN_G(simulation)) {
524 return 0;
525 }
526 }
527 break;
528 case PARSE_COOKIE:
529 if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
530 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
531 if (!SUHOSIN_G(simulation)) {
532 return 0;
533 }
534 }
535 break;
536 case PARSE_POST:
537 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
538 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
539 if (!SUHOSIN_G(simulation)) {
540 return 0;
541 }
542 }
543 break;
544 } 525 }
545 prev_index = index; 526 }
527 switch (arg) {
528 case PARSE_GET:
529 if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
530 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
531 if (!SUHOSIN_G(simulation)) {
532 return 0;
533 }
534 }
535 break;
536 case PARSE_COOKIE:
537 if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
538 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
539 if (!SUHOSIN_G(simulation)) {
540 return 0;
541 }
542 }
543 break;
544 case PARSE_POST:
545 if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
546 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
547 if (!SUHOSIN_G(simulation)) {
548 return 0;
549 }
550 }
551 break;
546 } 552 }
547 553
554 index = strchr(index, '[');
548 } 555 }
549 556
550 /* Drop this variable if it exceeds the array depth limit */ 557 /* Drop this variable if it exceeds the array depth limit */
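Review bot: The search for the next level at the bottom of the loop, `index = strchr(index, '[');`, restarts from the beginning of the current index rather than from `index_end`, so a `[` that sits inside an index (before its `]`) is counted as a further depth level and length-checked a second time. That errs on the strict side, so it is not a way around the limits, but it can drop or log variables whose depth, as the names are presumably split later, is within the configured limit. If the intent is to mirror that splitting, `index = strchr(index_end, '[');` would do it, and it stays safe when no `]` was found because `index_end` then points at the string terminator. If the over-count is deliberate, a short comment above that line saying so would help. The body of suhosin_input_filter starts and ends outside this hunk, so how `index` is first set is not visible here.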