Refactor array index handling in input filter, to make it work in all cases.

author: Stefan Esser 2014-02-16 13:05:36 +0100
committer: Stefan Esser 2014-02-16 13:05:36 +0100
commit: d5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 (patch)
tree: 5ddafde4fd62a368330b2c2b05201043448d82e7 /ufilter.c
parent: f7ef68966204b2ac1e45f1c7e8c72aae2becc382 (diff)
1 files changed, 24 insertions, 17 deletions
diff --git a/ufilter.c b/ufilter.c
index efab2ce..67bb114 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -131,29 +131,36 @@ static int check_fileupload_varname(char *varname)
        
        /* Find out array depth */
        while (index) {
+                char *index_end;
                unsigned int index_length;
                
+                /* overjump '[' */
+                index++;
+                
+                /* increase array depth */
                depth++;
-                index = strchr(index+1, '[');
+                                
+                index_end = strchr(index, ']');
+                if (index_end == NULL) {
+                        index_end = index+strlen(index);
+                }
                
-                if (prev_index) {
+                index_length = index_end - index;
-                        index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
                        
-                        if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
+                if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
-                                suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
+                        suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
-                                if (!SUHOSIN_G(simulation)) {
+                        if (!SUHOSIN_G(simulation)) {
-                                        goto return_failure;
+                                goto return_failure;
-                                }
+                        }
-                        } 
+                } 
-                        if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
+                if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
-                                suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
+                        suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
-                                if (!SUHOSIN_G(simulation)) {
+                        if (!SUHOSIN_G(simulation)) {
-                                        goto return_failure;
+                                goto return_failure;
-                                }
+                        }
-                        } 
+                } 
-                        prev_index = index;
-                }
                
+                index = strchr(index, '[');             
        }
        
        /* Drop this variable if it exceeds the array depth limit */
author	Stefan Esser	2014-02-16 13:05:36 +0100
committer	Stefan Esser	2014-02-16 13:05:36 +0100
commit	d5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 (patch)
tree	5ddafde4fd62a368330b2c2b05201043448d82e7 /ufilter.c
parent	f7ef68966204b2ac1e45f1c7e8c72aae2becc382 (diff)

diff --git a/ufilter.c b/ufilter.c index efab2ce..67bb114 100644 --- a/ufilter.c +++ b/ufilter.c
@@ -131,29 +131,36 @@ static int check_fileupload_varname(char *varname)
131		131
132	/* Find out array depth */	132	/* Find out array depth */
133	while (index) {	133	while (index) {
		134	char *index_end;
134	unsigned int index_length;	135	unsigned int index_length;
135		136
		137	/* overjump '[' */
		138	index++;
		139
		140	/* increase array depth */
136	depth++;	141	depth++;
137	index = strchr(index+1, '[');	142
		143	index_end = strchr(index, ']');
		144	if (index_end == NULL) {
		145	index_end = index+strlen(index);
		146	}
138		147
139	if (prev_index) {	148	index_length = index_end - index;
140	index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
141		149
142	if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {	150	if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
143	suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);	151	suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
144	if (!SUHOSIN_G(simulation)) {	152	if (!SUHOSIN_G(simulation)) {
145	goto return_failure;	153	goto return_failure;
146	}	154	}
147	}	155	}
148	if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {	156	if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
149	suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);	157	suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
150	if (!SUHOSIN_G(simulation)) {	158	if (!SUHOSIN_G(simulation)) {
151	goto return_failure;	159	goto return_failure;
152	}	160	}
153	}	161	}
154	prev_index = index;
155	}
156		162
		163	index = strchr(index, '[');
157	}	164	}
158		165
159	/* Drop this variable if it exceeds the array depth limit */	166	/* Drop this variable if it exceeds the array depth limit */