-rw-r--r--Changelog1
-rw-r--r--ex_imp.c3
-rw-r--r--execute.c49
-rw-r--r--log.c6
-rw-r--r--rfc1867.c8
-rw-r--r--session.c93
-rw-r--r--sha256.c4
-rw-r--r--suhosin.c12
-rw-r--r--tests/executor/negative_memory_limit.phpt2
9 files changed, 127 insertions, 51 deletions
diff --git a/Changelog b/Changelog
index 248a523..7793afb 100644
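--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,6 @@
 2012-02-12 - 0.9.34
 
+ - Added initial support for PHP 5.4.0
  - Fix read after efree() that lets function_exists() malfunction
  - Fix build with clang compiler
  - Added a request variable drop statistic log message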
diff --git a/ex_imp.c b/ex_imp.c
index fe08fe5..412b5b3 100644
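--- a/ex_imp.c
+++ b/ex_imp.c
@@ -727,14 +727,13 @@ ZEND_END_ARG_INFO()
 
 /* {{{ suhosin_ex_imp_functions[]
  */
-function_entry suhosin_ex_imp_functions[] = {
+zend_function_entry suhosin_ex_imp_functions[] = {
  PHP_NAMED_FE(extract, PHP_FN(suhosin_extract), suhosin_arginfo_extract)
  PHP_NAMED_FE(import_request_variables, PHP_FN(suhosin_import_request_variables), suhosin_arginfo_import_request_variables)
  {NULL, NULL, NULL}
 };
 /* }}} */
 
-
 void suhosin_hook_ex_imp()
 {
  TSRMLS_FETCH();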
diff --git a/execute.c b/execute.c
index 40a7cca..8f736b9 100644
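--- a/execute.c
+++ b/execute.c
@@ -1031,50 +1031,6 @@ int ih_fixusername(IH_HANDLER_PARAMS)
  return (0);
 }
 
-static int suhosin_php_body_write(const char *str, uint str_length TSRMLS_DC)
-{
-#define P_META_ROBOTS "<meta name=\"ROBOTS\" content=\"NOINDEX,NOFOLLOW,NOARCHIVE\" />"
-#define S_META_ROBOTS "<meta name=\"ROBOTS\" content=\"NOINDEX,FOLLOW,NOARCHIVE\" />"
-
- SDEBUG("bw: %s", str);
-
- if ((str_length == sizeof("</head>\n")-1) && (strcmp(str, "</head>\n")==0)) {
- SUHOSIN_G(old_php_body_write)(S_META_ROBOTS, sizeof(S_META_ROBOTS)-1 TSRMLS_CC);
- OG(php_body_write) = SUHOSIN_G(old_php_body_write);
- return SUHOSIN_G(old_php_body_write)(str, str_length TSRMLS_CC);
- } else if ((str_length == sizeof(P_META_ROBOTS)-1) && (strcmp(str, P_META_ROBOTS)==0)) {
- return str_length;
- }
- return SUHOSIN_G(old_php_body_write)(str, str_length TSRMLS_CC);
-}
-
-static int ih_phpinfo(IH_HANDLER_PARAMS)
-{
- int argc = ZEND_NUM_ARGS();
- long flag;
-
- if (zend_parse_parameters(argc TSRMLS_CC, "|l", &flag) == FAILURE) {
- RETVAL_FALSE;
- return (1);
- }
-
- if(!argc) {
- flag = PHP_INFO_ALL;
- }
-
- /* Andale! Andale! Yee-Hah! */
- php_start_ob_buffer(NULL, 4096, 0 TSRMLS_CC);
- if (!sapi_module.phpinfo_as_text) {
- SUHOSIN_G(old_php_body_write) = OG(php_body_write);
- OG(php_body_write) = suhosin_php_body_write;
- }
- php_print_info(flag TSRMLS_CC);
- php_end_ob_buffer(1, 0 TSRMLS_CC);
-
- RETVAL_TRUE;
- return (1);
-}
-
 
 static int ih_function_exists(IH_HANDLER_PARAMS)
 {
@@ -1527,7 +1483,6 @@ internal_function_handler ihandlers[] = {
  { "preg_replace", ih_preg_replace, NULL, NULL, NULL },
  { "mail", ih_mail, NULL, NULL, NULL },
  { "symlink", ih_symlink, NULL, NULL, NULL },
- { "phpinfo", ih_phpinfo, NULL, NULL, NULL },
 
  { "srand", ih_srand, NULL, NULL, NULL },
  { "mt_srand", ih_mt_srand, NULL, NULL, NULL },
@@ -1615,7 +1570,11 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re
  }
 
 #ifdef ZEND_ENGINE_2
+# if PHP_VERSION_ID < 50400
  return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.u.var)).var.ptr;
+# else
+ return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.var)).var.ptr;
+# endif
 #else
  return_value = execute_data_ptr->Ts[execute_data_ptr->opline->result.u.var].var.ptr;
 #endif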
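Review bot: Dropping `suhosin_php_body_write`, `ih_phpinfo` and the `"phpinfo"` entry in `ihandlers[]` is not version-guarded, so builds against PHP older than 5.4 also stop rewriting the ROBOTS meta tag in `phpinfo()` output. Presumably the hook is removed because it depends on `OG(php_body_write)`, which would only be a 5.4 incompatibility; if so, keeping the three pieces under `#if PHP_VERSION_ID < 50400` preserves the behaviour for existing installs. If the removal is meant for every version, it deserves its own Changelog line next to "Added initial support for PHP 5.4.0", since operators relying on the NOINDEX handling get no notice otherwise.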
diff --git a/log.c b/log.c
index 2e3d7a1..7268864 100644
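--- a/log.c
+++ b/log.c
@@ -317,7 +317,9 @@ log_phpscript:
  zval *result = NULL;
 
  long orig_execution_depth = SUHOSIN_G(execution_depth);
+#if PHP_VERSION_ID < 50400
  zend_bool orig_safe_mode = PG(safe_mode);
+#endif
  char *orig_basedir = PG(open_basedir);
 
  char *phpscript = SUHOSIN_G(log_phpscriptname);
@@ -354,14 +356,18 @@ SDEBUG("scriptname %s", SUHOSIN_G(log_phpscriptname));
 
  SUHOSIN_G(execution_depth) = 0;
  if (SUHOSIN_G(log_phpscript_is_safe)) {
+#if PHP_VERSION_ID < 50400
  PG(safe_mode) = 0;
+#endif
  PG(open_basedir) = NULL;
  }
 
  zend_execute(new_op_array TSRMLS_CC);
 
  SUHOSIN_G(execution_depth) = orig_execution_depth;
+#if PHP_VERSION_ID < 50400
  PG(safe_mode) = orig_safe_mode;
+#endif
  PG(open_basedir) = orig_basedir;
 
 #ifdef ZEND_ENGINE_2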
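Review bot: The restore of `PG(open_basedir)` at new line 371 (and of `execution_depth` at 367) only runs if `zend_execute()` at new line 365 returns normally. If the log script ends in a bailout, for instance on a fatal error, those lines are skipped and `open_basedir` stays NULL for whatever still runs in the request, unless a `zend_try` outside this hunk already covers the call, which is not visible here. Wrapping the call as `zend_try { zend_execute(new_op_array TSRMLS_CC); } zend_end_try();` would make the restore unconditional; re-raise afterwards if the bailout should still end the request. The pattern predates this commit, but the hunk touches all three save/clear/restore sites; the enclosing block starts and ends outside the hunk.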
diff --git a/rfc1867.c b/rfc1867.c
index 8285329..b07ed68 100644
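--- a/rfc1867.c
+++ b/rfc1867.c
@@ -244,21 +244,29 @@ static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars
 
 static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
 {
+#if PHP_VERSION_ID < 50400
  int register_globals = PG(register_globals);
 
  PG(register_globals) = 0;
+#endif
  safe_php_register_variable(strvar, val, http_post_files, override_protection TSRMLS_CC);
+#if PHP_VERSION_ID < 50400
  PG(register_globals) = register_globals;
+#endif
 }
 
 
 static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection TSRMLS_DC)
 {
+#if PHP_VERSION_ID < 50400
  int register_globals = PG(register_globals);
 
  PG(register_globals) = 0;
+#endif
  safe_php_register_variable_ex(var, val, http_post_files, override_protection TSRMLS_CC);
+#if PHP_VERSION_ID < 50400
  PG(register_globals) = register_globals;
+#endif
 }
 
 /*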
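Review bot: Nothing in `register_http_post_files_variable` says why the 5.4 build may skip the save/clear/restore of `PG(register_globals)`, so the bare call left at new line 252 reads like a dropped protection. A comment on the first guard, `/* register_globals was removed in PHP 5.4, so there is nothing to mask */`, would document that this is intentional. The same comment applies to `register_http_post_files_variable_ex` at new line 261.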
diff --git a/session.c b/session.c
index f045a36..1045a93 100644
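--- a/session.c
+++ b/session.c
@@ -233,9 +233,94 @@ typedef struct _php_ps_globals_53 {
  zend_bool invalid_session_id; /* allows the driver to report about an invalid session id and request id regeneration */
 } php_ps_globals_53;
 
+#if PHP_VERSION_ID >= 50400
+typedef struct _php_session_rfc1867_progress_54 {
+
+ size_t sname_len;
+ zval sid;
+ smart_str key;
+
+ long update_step;
+ long next_update;
+ double next_update_time;
+ zend_bool cancel_upload;
+ zend_bool apply_trans_sid;
+ size_t content_length;
+
+ zval *data; /* the array exported to session data */
+ zval *post_bytes_processed; /* data["bytes_processed"] */
+ zval *files; /* data["files"] array */
+ zval *current_file; /* array of currently uploading file */
+ zval *current_file_bytes_processed;
+} php_session_rfc1867_progress_54;
+
+typedef struct _php_ps_globals_54 {
+ char *save_path;
+ char *session_name;
+ char *id;
+ char *extern_referer_chk;
+ char *entropy_file;
+ char *cache_limiter;
+ long entropy_length;
+ long cookie_lifetime;
+ char *cookie_path;
+ char *cookie_domain;
+ zend_bool cookie_secure;
+ zend_bool cookie_httponly;
+ ps_module *mod;
+ ps_module *default_mod;
+ void *mod_data;
+ php_session_status session_status;
+ long gc_probability;
+ long gc_divisor;
+ long gc_maxlifetime;
+ int module_number;
+ long cache_expire;
+ union {
+ zval *names[6];
+ struct {
+ zval *ps_open;
+ zval *ps_close;
+ zval *ps_read;
+ zval *ps_write;
+ zval *ps_destroy;
+ zval *ps_gc;
+ } name;
+ } mod_user_names;
+ int mod_user_implemented;
+ int mod_user_is_open;
+ const struct ps_serializer_struct *serializer;
+ zval *http_session_vars;
+ zend_bool auto_start;
+ zend_bool use_cookies;
+ zend_bool use_only_cookies;
+ zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
+ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
+
+ long hash_func;
+#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+ php_hash_ops *hash_ops;
+#endif
+ long hash_bits_per_character;
+ int send_cookie;
+ int define_sid;
+ zend_bool invalid_session_id; /* allows the driver to report about an invalid session id and request id regeneration */
+
+ php_session_rfc1867_progress_54 *rfc1867_progress;
+ zend_bool rfc1867_enabled; /* session.upload_progress.enabled */
+ zend_bool rfc1867_cleanup; /* session.upload_progress.cleanup */
+ smart_str rfc1867_prefix; /* session.upload_progress.prefix */
+ smart_str rfc1867_name; /* session.upload_progress.name */
+ long rfc1867_freq; /* session.upload_progress.freq */
+ double rfc1867_min_freq; /* session.upload_progress.min_freq */
+} php_ps_globals_54;
+#endif
+
 #ifdef ZTS
 static ts_rsrc_id session_globals_id = 0;
-# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
+# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 4)
+# define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_54 *, v)
+# elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
 # define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_53 *, v)
 # elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
 # define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_52 *, v)
@@ -247,7 +332,9 @@ static ts_rsrc_id session_globals_id = 0;
  UNSUPPORTED PHP VERSION
 # endif
 #else
-# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
+# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 4)
+static php_ps_globals_54 *session_globals = NULL;
+# elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
 static php_ps_globals_53 *session_globals = NULL;
 # elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
 static php_ps_globals_52 *session_globals = NULL;
@@ -294,6 +381,7 @@ static int suhosin_get_session_var(char *name, size_t namelen, zval ***state_var
  if (SESSION_G(http_session_vars) && SESSION_G(http_session_vars)->type == IS_ARRAY) {
  ret = zend_hash_find(Z_ARRVAL_P(SESSION_G(http_session_vars)), name, namelen + 1, (void **) state_var);
 
+#if PHP_VERSION_ID < 50400
  /* If register_globals is enabled, and
  * if there is an entry for the slot in $_SESSION, and
  * if that entry is still set to NULL, and
@@ -307,6 +395,7 @@ static int suhosin_get_session_var(char *name, size_t namelen, zval ***state_var
  *state_var = tmp;
  }
  }
+#endif
  }
  return ret;
 }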
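Review bot: `php_ps_globals_54` is a hand-written mirror of PHP's own session globals, so every `SESSION_G()` access is only correct if its layout matches the struct the loaded session extension was built with, field for field. Two things in this section can break that silently. The `HAVE_HASH_EXT`/`COMPILE_DL_HASH` guard around `hash_ops` is evaluated with this extension's build flags, so a differing configuration shifts every member after `hash_func`. The selector `PHP_MINOR_VERSION >= 4` also picks this layout for any later 5.x release, whose struct may differ. I would add `/* must stay identical to php_ps_globals in PHP 5.4 ext/session/php_session.h */` above the typedef and put an upper bound ahead of both chains, `#if PHP_VERSION_ID >= 50500` followed by `# error`, so an unknown version fails the build instead of reading the wrong offsets.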
diff --git a/sha256.c b/sha256.c
index e8df13d..61c5a6a 100644
--- a/sha256.c
+++ b/sha256.c
@@ -86,9 +86,11 @@ static PHP_FUNCTION(suhosin_sha256_file)
86 return; 86 return;
87 } 87 }
88 88
89#if PHP_VERSION_ID < 50400
89 if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { 90 if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
90 RETURN_FALSE; 91 RETURN_FALSE;
91 } 92 }
93#endif
92 94
93 if (php_check_open_basedir(arg TSRMLS_CC)) { 95 if (php_check_open_basedir(arg TSRMLS_CC)) {
94 RETURN_FALSE; 96 RETURN_FALSE;
@@ -392,7 +394,7 @@ unsigned int len;
392 394
393/* {{{ suhosin_sha256_functions[] 395/* {{{ suhosin_sha256_functions[]
394 */ 396 */
395static function_entry suhosin_sha256_functions[] = { 397static zend_function_entry suhosin_sha256_functions[] = {
396 PHP_NAMED_FE(sha256, PHP_FN(suhosin_sha256), NULL) 398 PHP_NAMED_FE(sha256, PHP_FN(suhosin_sha256), NULL)
397 PHP_NAMED_FE(sha256_file, PHP_FN(suhosin_sha256_file), NULL) 399 PHP_NAMED_FE(sha256_file, PHP_FN(suhosin_sha256_file), NULL)
398 {NULL, NULL, NULL} 400 {NULL, NULL, NULL}
diff --git a/suhosin.c b/suhosin.c
index 8570081..c04655b 100644
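--- a/suhosin.c
+++ b/suhosin.c
@@ -649,12 +649,16 @@ static void suhosin_register_cookie_variable(char *var, zval *val, zval *track_v
  array_init(gpc_element);
  zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
  } else {
+#if PHP_VERSION_ID < 50400
  if (PG(magic_quotes_gpc) && (index != var)) {
  /* no need to addslashes() the index if it's the main variable name */
  escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
  } else {
+#endif
  escaped_index = index;
+#if PHP_VERSION_ID < 50400
  }
+#endif
  if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
  || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
  MAKE_STD_ZVAL(gpc_element);
@@ -686,11 +690,15 @@ plain_var:
  if (!index) {
  zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
  } else {
+#if PHP_VERSION_ID < 50400
  if (PG(magic_quotes_gpc)) {
  escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
  } else {
+#endif
  escaped_index = index;
+#if PHP_VERSION_ID < 50400
  }
+#endif
  /*
  * According to rfc2965, more specific paths are listed above the less specific ones.
  * If we encounter a duplicate cookie name, we should skip it, since it is not possible
@@ -717,11 +725,15 @@ static void suhosin_register_cookie_variable_safe(char *var, char *strval, int s
 
  /* Prepare value */
  Z_STRLEN(new_entry) = str_len;
+#if PHP_VERSION_ID < 50400
  if (PG(magic_quotes_gpc)) {
  Z_STRVAL(new_entry) = php_addslashes(strval, Z_STRLEN(new_entry), &Z_STRLEN(new_entry), 0 TSRMLS_CC);
  } else {
+#endif
  Z_STRVAL(new_entry) = estrndup(strval, Z_STRLEN(new_entry));
+#if PHP_VERSION_ID < 50400
  }
+#endif
  Z_TYPE(new_entry) = IS_STRING;
 
  suhosin_register_cookie_variable(var, &new_entry, track_vars_array TSRMLS_CC);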
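Review bot: The guards at new lines 652–661 cut the `if (PG(magic_quotes_gpc) …) { … } else { … }` statement in half, so the braces only balance after preprocessing and a later edit to either branch can easily break one of the two builds; the same pattern is repeated in the hunks at new lines 693–701 and 728–736. A single file-local macro that expands to `PG(magic_quotes_gpc)` below 5.4 and to `0` from 5.4 on would leave the three statements intact and let the compiler drop the dead branch. This assumes `php_addslashes()` is still declared with the same signature in 5.4, which the page does not show, and the macro name below is only a suggestion. All three enclosing functions start and end outside their hunks.

```c
#if PHP_VERSION_ID < 50400
# define SUHOSIN_MAGIC_QUOTES_GPC PG(magic_quotes_gpc)
#else
# define SUHOSIN_MAGIC_QUOTES_GPC 0 /* magic_quotes_gpc was removed in PHP 5.4 */
#endif

/* … unchanged: array-index branch up to the else … */
			if (SUHOSIN_MAGIC_QUOTES_GPC && (index != var)) {
/* … unchanged: php_addslashes() call, else branch, and the two other sites changed the same way … */
```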
diff --git a/tests/executor/negative_memory_limit.phpt b/tests/executor/negative_memory_limit.phpt
index 8582cc9..7fad546 100644
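--- a/tests/executor/negative_memory_limit.phpt
+++ b/tests/executor/negative_memory_limit.phpt
@@ -13,6 +13,6 @@ suhosin.log.sapi=2
  ini_set("memory_limit", "-200000"); echo ini_get("memory_limit"), "\n";
 ?>
 --EXPECTF--
-ALERT - script tried to increase memory_limit to %d bytes which is above the allowed value (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+ALERT - script tried to disable memory_limit by setting it to a negative value -%d bytes which is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
 16M
 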