Diffstat (limited to 'execute.c')
-rw-r--r--execute.c596
1 files changed, 293 insertions, 303 deletions
diff --git a/execute.c b/execute.c
index e3cd0b3..4d5d41b 100644
--- a/execute.c
+++ b/execute.c
@@ -85,7 +85,7 @@ conts:
85 for (t=h; *n; t++, n++) { 85 for (t=h; *n; t++, n++) {
86 if (toupper(*t) != toupper(*n)) goto conts; 86 if (toupper(*t) != toupper(*n)) goto conts;
87 } 87 }
88 return ((char*)h-1); 88 return ((char*)h-1);
89 } 89 }
90 } 90 }
91 91
@@ -126,7 +126,7 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC)
126 return SUHOSIN_CODE_TYPE_LONGNAME; 126 return SUHOSIN_CODE_TYPE_LONGNAME;
127 } 127 }
128 memcpy(fname, s, len); 128 memcpy(fname, s, len);
129 fname[len] = 0; 129 fname[len] = 0;
130 s = (char *)&fname; 130 s = (char *)&fname;
131 e = s + len; 131 e = s + len;
132 132
@@ -134,14 +134,14 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC)
134 if (len != strlen(s)) { 134 if (len != strlen(s)) {
135 return SUHOSIN_CODE_TYPE_0FILE; 135 return SUHOSIN_CODE_TYPE_0FILE;
136 } 136 }
137 137
138 /* disallow uploaded files */ 138 /* disallow uploaded files */
139 if (SG(rfc1867_uploaded_files)) { 139 if (SG(rfc1867_uploaded_files)) {
140 if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) s, e-s+1)) { 140 if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) s, e-s+1)) {
141 return SUHOSIN_CODE_TYPE_UPLOADED; 141 return SUHOSIN_CODE_TYPE_UPLOADED;
142 } 142 }
143 } 143 }
144 144
145 /* count number of directory traversals */ 145 /* count number of directory traversals */
146 for (i=0; i < len-3; i++) { 146 for (i=0; i < len-3; i++) {
147 if (s[i] == '.' && s[i+1] == '.' && (s[i+2] == '/' || s[i+2] == '\\')) { 147 if (s[i] == '.' && s[i+1] == '.' && (s[i+2] == '/' || s[i+2] == '\\')) {
@@ -152,7 +152,7 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC)
152 if (SUHOSIN_G(executor_include_max_traversal) && SUHOSIN_G(executor_include_max_traversal)<=count) { 152 if (SUHOSIN_G(executor_include_max_traversal) && SUHOSIN_G(executor_include_max_traversal)<=count) {
153 return SUHOSIN_CODE_TYPE_MANYDOTS; 153 return SUHOSIN_CODE_TYPE_MANYDOTS;
154 } 154 }
155 155
156SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist)); 156SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist));
157 /* no black or whitelist then disallow all */ 157 /* no black or whitelist then disallow all */
158 if (SUHOSIN_G(include_whitelist)==NULL && SUHOSIN_G(include_blacklist)==NULL) { 158 if (SUHOSIN_G(include_whitelist)==NULL && SUHOSIN_G(include_blacklist)==NULL) {
@@ -160,29 +160,29 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist));
160 if (strstr(s, "://") != NULL || suhosin_strcasestr(s, "data:") != NULL) { 160 if (strstr(s, "://") != NULL || suhosin_strcasestr(s, "data:") != NULL) {
161 return SUHOSIN_CODE_TYPE_BADURL; 161 return SUHOSIN_CODE_TYPE_BADURL;
162 } 162 }
163 } else 163 } else
164 /* whitelist is stronger than blacklist */ 164 /* whitelist is stronger than blacklist */
165 if (SUHOSIN_G(include_whitelist)) { 165 if (SUHOSIN_G(include_whitelist)) {
166 166
167 do { 167 do {
168 isOk = 0; 168 isOk = 0;
169 169
170 h = strstr(s, "://"); 170 h = strstr(s, "://");
171 h2 = suhosin_strcasestr(s, "data:"); 171 h2 = suhosin_strcasestr(s, "data:");
172 h2 = h2 == NULL ? NULL : h2 + 4; 172 h2 = h2 == NULL ? NULL : h2 + 4;
173 t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) ); 173 t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) );
174 if (h == NULL) break; 174 if (h == NULL) break;
175 175
176 while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) { 176 while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) {
177 t--; 177 t--;
178 } 178 }
179 179
180 tlen = e-t; 180 tlen = e-t;
181 181
182 zend_hash_internal_pointer_reset(SUHOSIN_G(include_whitelist)); 182 zend_hash_internal_pointer_reset(SUHOSIN_G(include_whitelist));
183 do { 183 do {
184 int r = zend_hash_get_current_key_ex(SUHOSIN_G(include_whitelist), &index, &indexlen, &numindex, 0, NULL); 184 int r = zend_hash_get_current_key_ex(SUHOSIN_G(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
185 185
186 if (r==HASH_KEY_NON_EXISTANT) { 186 if (r==HASH_KEY_NON_EXISTANT) {
187 break; 187 break;
188 } 188 }
@@ -194,28 +194,28 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist));
194 } 194 }
195 } 195 }
196 } 196 }
197 197
198 zend_hash_move_forward(SUHOSIN_G(include_whitelist)); 198 zend_hash_move_forward(SUHOSIN_G(include_whitelist));
199 } while (1); 199 } while (1);
200 200
201 /* not found in whitelist */ 201 /* not found in whitelist */
202 if (!isOk) { 202 if (!isOk) {
203 return SUHOSIN_CODE_TYPE_BADURL; 203 return SUHOSIN_CODE_TYPE_BADURL;
204 } 204 }
205 205
206 s = h + 1; 206 s = h + 1;
207 } while (1); 207 } while (1);
208 } else { 208 } else {
209 209
210 do { 210 do {
211 int tlen; 211 int tlen;
212 212
213 h = strstr(s, "://"); 213 h = strstr(s, "://");
214 h2 = suhosin_strcasestr(s, "data:"); 214 h2 = suhosin_strcasestr(s, "data:");
215 h2 = h2 == NULL ? NULL : h2 + 4; 215 h2 = h2 == NULL ? NULL : h2 + 4;
216 t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) ); 216 t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) );
217 if (h == NULL) break; 217 if (h == NULL) break;
218 218
219 while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) { 219 while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) {
220 t--; 220 t--;
221 } 221 }
@@ -236,21 +236,21 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist));
236 } 236 }
237 } 237 }
238 } 238 }
239 239
240 zend_hash_move_forward(SUHOSIN_G(include_blacklist)); 240 zend_hash_move_forward(SUHOSIN_G(include_blacklist));
241 } while (1); 241 } while (1);
242 242
243 s = h + 1; 243 s = h + 1;
244 } while (1); 244 } while (1);
245 } 245 }
246 246
247 /* disallow writable files */ 247 /* disallow writable files */
248 if (!SUHOSIN_G(executor_include_allow_writable_files)) { 248 if (!SUHOSIN_G(executor_include_allow_writable_files)) {
249 /* protection against *REMOTE* attacks, potential 249 /* protection against *REMOTE* attacks, potential
250 race condition of access() is irrelevant */ 250 race condition of access() is irrelevant */
251 if (access(s, W_OK) == 0) { 251 if (access(s, W_OK) == 0) {
252 return SUHOSIN_CODE_TYPE_WRITABLE; 252 return SUHOSIN_CODE_TYPE_WRITABLE;
253 } 253 }
254 } 254 }
255 255
256 return SUHOSIN_CODE_TYPE_GOODFILE; 256 return SUHOSIN_CODE_TYPE_GOODFILE;
@@ -265,39 +265,39 @@ static int suhosin_zend_stream_open(const char *filename, zend_file_handle *fh T
265 exd=EG(current_execute_data); 265 exd=EG(current_execute_data);
266 if (EG(in_execution) && (exd!=NULL) && (exd->opline != NULL) && (exd->opline->opcode == ZEND_INCLUDE_OR_EVAL)) { 266 if (EG(in_execution) && (exd!=NULL) && (exd->opline != NULL) && (exd->opline->opcode == ZEND_INCLUDE_OR_EVAL)) {
267 int filetype = suhosin_check_filename((char *)filename, strlen(filename) TSRMLS_CC); 267 int filetype = suhosin_check_filename((char *)filename, strlen(filename) TSRMLS_CC);
268 268
269 switch (filetype) { 269 switch (filetype) {
270 case SUHOSIN_CODE_TYPE_LONGNAME: 270 case SUHOSIN_CODE_TYPE_LONGNAME:
271 suhosin_log(S_INCLUDE, "Include filename ('%s') is too long", filename); 271 suhosin_log(S_INCLUDE, "Include filename ('%s') is too long", filename);
272 suhosin_bailout(TSRMLS_C); 272 suhosin_bailout(TSRMLS_C);
273 break; 273 break;
274 274
275 case SUHOSIN_CODE_TYPE_UPLOADED: 275 case SUHOSIN_CODE_TYPE_UPLOADED:
276 suhosin_log(S_INCLUDE, "Include filename is an uploaded file"); 276 suhosin_log(S_INCLUDE, "Include filename is an uploaded file");
277 suhosin_bailout(TSRMLS_C); 277 suhosin_bailout(TSRMLS_C);
278 break; 278 break;
279 279
280 case SUHOSIN_CODE_TYPE_0FILE: 280 case SUHOSIN_CODE_TYPE_0FILE:
281 suhosin_log(S_INCLUDE, "Include filename contains an ASCIIZ character"); 281 suhosin_log(S_INCLUDE, "Include filename contains an ASCIIZ character");
282 suhosin_bailout(TSRMLS_C); 282 suhosin_bailout(TSRMLS_C);
283 break; 283 break;
284 284
285 case SUHOSIN_CODE_TYPE_WRITABLE: 285 case SUHOSIN_CODE_TYPE_WRITABLE:
286 suhosin_log(S_INCLUDE, "Include filename ('%s') is writable by PHP process", filename); 286 suhosin_log(S_INCLUDE, "Include filename ('%s') is writable by PHP process", filename);
287 suhosin_bailout(TSRMLS_C); 287 suhosin_bailout(TSRMLS_C);
288 break; 288 break;
289 289
290 case SUHOSIN_CODE_TYPE_BLACKURL: 290 case SUHOSIN_CODE_TYPE_BLACKURL:
291 suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is forbidden by the blacklist", filename); 291 suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is forbidden by the blacklist", filename);
292 suhosin_bailout(TSRMLS_C); 292 suhosin_bailout(TSRMLS_C);
293 break; 293 break;
294 294
295 case SUHOSIN_CODE_TYPE_BADURL: 295 case SUHOSIN_CODE_TYPE_BADURL:
296 suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is not allowed", filename); 296 suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is not allowed", filename);
297 suhosin_bailout(TSRMLS_C); 297 suhosin_bailout(TSRMLS_C);
298 break; 298 break;
299 299
300 case SUHOSIN_CODE_TYPE_MANYDOTS: 300 case SUHOSIN_CODE_TYPE_MANYDOTS:
301 suhosin_log(S_INCLUDE, "Include filename ('%s') contains too many '../'", filename); 301 suhosin_log(S_INCLUDE, "Include filename ('%s') contains too many '../'", filename);
302 suhosin_bailout(TSRMLS_C); 302 suhosin_bailout(TSRMLS_C);
303 break; 303 break;
@@ -313,14 +313,13 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC)
313 int r; 313 int r;
314 314
315 s = (char *)op_array->filename; 315 s = (char *)op_array->filename;
316 316
317 /* eval, assert, create_function, preg_replace */ 317 /* eval, assert, create_function, preg_replace */
318 if (op_array->type == ZEND_EVAL_CODE) { 318 if (op_array->type == ZEND_EVAL_CODE) {
319
320 if (s == NULL) { 319 if (s == NULL) {
321 return SUHOSIN_CODE_TYPE_UNKNOWN; 320 return SUHOSIN_CODE_TYPE_UNKNOWN;
322 } 321 }
323 322
324 if (strstr(s, "eval()'d code") != NULL) { 323 if (strstr(s, "eval()'d code") != NULL) {
325 return SUHOSIN_CODE_TYPE_EVAL; 324 return SUHOSIN_CODE_TYPE_EVAL;
326 } 325 }
@@ -340,7 +339,7 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC)
340 if (strstr(s, "runtime-created function") != NULL) { 339 if (strstr(s, "runtime-created function") != NULL) {
341 return SUHOSIN_CODE_TYPE_CFUNC; 340 return SUHOSIN_CODE_TYPE_CFUNC;
342 } 341 }
343 342
344 if (strstr(s, "Command line code") != NULL) { 343 if (strstr(s, "Command line code") != NULL) {
345 return SUHOSIN_CODE_TYPE_COMMANDLINE; 344 return SUHOSIN_CODE_TYPE_COMMANDLINE;
346 } 345 }
@@ -356,22 +355,15 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC)
356 if (strstr(s, "Command line end code") != NULL) { 355 if (strstr(s, "Command line end code") != NULL) {
357 return SUHOSIN_CODE_TYPE_COMMANDLINE; 356 return SUHOSIN_CODE_TYPE_COMMANDLINE;
358 } 357 }
359 358
360 if (strstr(s, "suhosin internal code") != NULL) { 359 if (strstr(s, "suhosin internal code") != NULL) {
361 return SUHOSIN_CODE_TYPE_SUHOSIN; 360 return SUHOSIN_CODE_TYPE_SUHOSIN;
362 } 361 }
363
364 } else { 362 } else {
365
366 r = suhosin_check_filename(s, strlen(s) TSRMLS_CC); 363 r = suhosin_check_filename(s, strlen(s) TSRMLS_CC);
367/* switch (r) {
368 case SUHOSIN_CODE_TYPE_GOODFILE:
369 break;
370 } */
371 return r; 364 return r;
372
373 } 365 }
374 366
375 return SUHOSIN_CODE_TYPE_UNKNOWN; 367 return SUHOSIN_CODE_TYPE_UNKNOWN;
376} 368}
377 369
@@ -391,12 +383,12 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
391 zval cs; 383 zval cs;
392 zend_uint orig_code_type; 384 zend_uint orig_code_type;
393 unsigned long *suhosin_flags = NULL; 385 unsigned long *suhosin_flags = NULL;
394 386
395 /* log variable dropping statistics */ 387 /* log variable dropping statistics */
396 if (SUHOSIN_G(abort_request)) { 388 if (SUHOSIN_G(abort_request)) {
397 389
398 SUHOSIN_G(abort_request) = 0; /* we only want this to happen the first time */ 390 SUHOSIN_G(abort_request) = 0; /* we only want this to happen the first time */
399 391
400 if (SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables) > 0) { 392 if (SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables) > 0) {
401 suhosin_log(S_VARS, "dropped %u request variables - (%u in GET, %u in POST, %u in COOKIE)", 393 suhosin_log(S_VARS, "dropped %u request variables - (%u in GET, %u in POST, %u in COOKIE)",
402 SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables), 394 SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables),
@@ -404,33 +396,33 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
404 SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars), 396 SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars),
405 SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars)); 397 SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars));
406 } 398 }
407 399
408 if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) { 400 if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) {
409 401
410 char *action = SUHOSIN_G(filter_action); 402 char *action = SUHOSIN_G(filter_action);
411 long code = -1; 403 long code = -1;
412 404
413 while (*action == ' ' || *action == '\t') action++; 405 while (*action == ' ' || *action == '\t') action++;
414 406
415 if (*action >= '0' && *action <= '9') { 407 if (*action >= '0' && *action <= '9') {
416 char *end = action; 408 char *end = action;
417 while (*end && *end != ',' && *end != ';') end++; 409 while (*end && *end != ',' && *end != ';') end++;
418 code = zend_atoi(action, end-action); 410 code = zend_atoi(action, end-action);
419 action = end; 411 action = end;
420 } 412 }
421 413
422 while (*action == ' ' || *action == '\t' || *action == ',' || *action == ';') action++; 414 while (*action == ' ' || *action == '\t' || *action == ',' || *action == ';') action++;
423 415
424 if (*action) { 416 if (*action) {
425 417
426 if (strncasecmp("http://", action, sizeof("http://")-1)==0 418 if (strncasecmp("http://", action, sizeof("http://")-1)==0
427 || strncasecmp("https://", action, sizeof("https://")-1)==0) { 419 || strncasecmp("https://", action, sizeof("https://")-1)==0) {
428 sapi_header_line ctr = {0}; 420 sapi_header_line ctr = {0};
429 421
430 if (code == -1) { 422 if (code == -1) {
431 code = 302; 423 code = 302;
432 } 424 }
433 425
434 ctr.line_len = spprintf(&ctr.line, 0, "Location: %s", action); 426 ctr.line_len = spprintf(&ctr.line, 0, "Location: %s", action);
435 ctr.response_code = code; 427 ctr.response_code = code;
436 sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC); 428 sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC);
@@ -439,11 +431,11 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
439 zend_file_handle file_handle; 431 zend_file_handle file_handle;
440 zend_op_array *new_op_array; 432 zend_op_array *new_op_array;
441 zval *result = NULL; 433 zval *result = NULL;
442 434
443 if (code == -1) { 435 if (code == -1) {
444 code = 200; 436 code = 200;
445 } 437 }
446 438
447 if (zend_stream_open(action, &file_handle TSRMLS_CC) == SUCCESS) { 439 if (zend_stream_open(action, &file_handle TSRMLS_CC) == SUCCESS) {
448 if (!file_handle.opened_path) { 440 if (!file_handle.opened_path) {
449 file_handle.opened_path = estrndup(action, strlen(action)); 441 file_handle.opened_path = estrndup(action, strlen(action));
@@ -472,24 +464,24 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
472 } 464 }
473 } 465 }
474 } 466 }
475 467
476 sapi_header_op(SAPI_HEADER_SET_STATUS, (void *)code TSRMLS_CC); 468 sapi_header_op(SAPI_HEADER_SET_STATUS, (void *)code TSRMLS_CC);
477 zend_bailout(); 469 zend_bailout();
478 } 470 }
479 } 471 }
480 472
481 SDEBUG("%s %s", op_array->filename, op_array->function_name); 473 SDEBUG("%s %s", op_array->filename, op_array->function_name);
482 474
483 SUHOSIN_G(execution_depth)++; 475 SUHOSIN_G(execution_depth)++;
484 476
485 if (SUHOSIN_G(max_execution_depth) && SUHOSIN_G(execution_depth) > SUHOSIN_G(max_execution_depth)) { 477 if (SUHOSIN_G(max_execution_depth) && SUHOSIN_G(execution_depth) > SUHOSIN_G(max_execution_depth)) {
486 suhosin_log(S_EXECUTOR|S_GETCALLER, "maximum execution depth reached - script terminated"); 478 suhosin_log(S_EXECUTOR|S_GETCALLER, "maximum execution depth reached - script terminated");
487 suhosin_bailout(TSRMLS_C); 479 suhosin_bailout(TSRMLS_C);
488 } 480 }
489 481
490 fn = (char *)op_array->filename; 482 fn = (char *)op_array->filename;
491 len = strlen(fn); 483 len = strlen(fn);
492 484
493 orig_code_type = SUHOSIN_G(in_code_type); 485 orig_code_type = SUHOSIN_G(in_code_type);
494 if (op_array->type == ZEND_EVAL_CODE) { 486 if (op_array->type == ZEND_EVAL_CODE) {
495 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; 487 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL;
@@ -497,7 +489,7 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
497 if (suhosin_zend_extension_entry.resource_number != -1) { 489 if (suhosin_zend_extension_entry.resource_number != -1) {
498 suhosin_flags = (unsigned long *) &op_array->reserved[suhosin_zend_extension_entry.resource_number]; 490 suhosin_flags = (unsigned long *) &op_array->reserved[suhosin_zend_extension_entry.resource_number];
499 SDEBUG("suhosin flags: %08lx", *suhosin_flags); 491 SDEBUG("suhosin flags: %08lx", *suhosin_flags);
500 492
501 if (*suhosin_flags & SUHOSIN_FLAG_CREATED_BY_EVAL) { 493 if (*suhosin_flags & SUHOSIN_FLAG_CREATED_BY_EVAL) {
502 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; 494 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL;
503 } 495 }
@@ -505,7 +497,7 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML
505 goto not_evaled_code; 497 goto not_evaled_code;
506 } 498 }
507 } 499 }
508 500
509 if (strstr(op_array->filename, "eval()'d code")) { 501 if (strstr(op_array->filename, "eval()'d code")) {
510 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; 502 SUHOSIN_G(in_code_type) = SUHOSIN_EVAL;
511 } else { 503 } else {
@@ -523,39 +515,39 @@ not_evaled_code:
523/* if (SUHOSIN_G(deactivate)) { 515/* if (SUHOSIN_G(deactivate)) {
524 goto continue_execution; 516 goto continue_execution;
525 } 517 }
526*/ 518*/
527 519
528 op_array_type = suhosin_detect_codetype(op_array TSRMLS_CC); 520 op_array_type = suhosin_detect_codetype(op_array TSRMLS_CC);
529 521
530 switch (op_array_type) { 522 switch (op_array_type) {
531 case SUHOSIN_CODE_TYPE_EVAL: 523 case SUHOSIN_CODE_TYPE_EVAL:
532 if (SUHOSIN_G(executor_disable_eval)) { 524 if (SUHOSIN_G(executor_disable_eval)) {
533 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of eval is forbidden by configuration"); 525 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of eval is forbidden by configuration");
534 if (!SUHOSIN_G(simulation)) { 526 if (!SUHOSIN_G(simulation)) {
535 zend_error(E_ERROR, "SUHOSIN - Use of eval is forbidden by configuration"); 527 zend_error(E_ERROR, "SUHOSIN - Use of eval is forbidden by configuration");
536 } 528 }
537 } 529 }
538 break; 530 break;
539 531
540 case SUHOSIN_CODE_TYPE_REGEXP: 532 case SUHOSIN_CODE_TYPE_REGEXP:
541 if (SUHOSIN_G(executor_disable_emod)) { 533 if (SUHOSIN_G(executor_disable_emod)) {
542 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration"); 534 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration");
543 if (!SUHOSIN_G(simulation)) { 535 if (!SUHOSIN_G(simulation)) {
544 zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration"); 536 zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration");
545 } 537 }
546 } 538 }
547 break; 539 break;
548 540
549 case SUHOSIN_CODE_TYPE_MBREGEXP: 541 case SUHOSIN_CODE_TYPE_MBREGEXP:
550 /* XXX TODO: Do we want to disallow this, too? */ 542 /* XXX TODO: Do we want to disallow this, too? */
551 break; 543 break;
552 544
553 case SUHOSIN_CODE_TYPE_ASSERT: 545 case SUHOSIN_CODE_TYPE_ASSERT:
554 break; 546 break;
555 547
556 case SUHOSIN_CODE_TYPE_CFUNC: 548 case SUHOSIN_CODE_TYPE_CFUNC:
557 break; 549 break;
558 550
559 case SUHOSIN_CODE_TYPE_LONGNAME: 551 case SUHOSIN_CODE_TYPE_LONGNAME:
560 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is too long", op_array->filename); 552 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is too long", op_array->filename);
561 suhosin_bailout(TSRMLS_C); 553 suhosin_bailout(TSRMLS_C);
@@ -565,49 +557,49 @@ not_evaled_code:
565 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') contains too many '../'", op_array->filename); 557 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') contains too many '../'", op_array->filename);
566 suhosin_bailout(TSRMLS_C); 558 suhosin_bailout(TSRMLS_C);
567 break; 559 break;
568 560
569 case SUHOSIN_CODE_TYPE_UPLOADED: 561 case SUHOSIN_CODE_TYPE_UPLOADED:
570 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename is an uploaded file"); 562 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename is an uploaded file");
571 suhosin_bailout(TSRMLS_C); 563 suhosin_bailout(TSRMLS_C);
572 break; 564 break;
573 565
574 case SUHOSIN_CODE_TYPE_0FILE: 566 case SUHOSIN_CODE_TYPE_0FILE:
575 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename contains an ASCIIZ character"); 567 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename contains an ASCIIZ character");
576 suhosin_bailout(TSRMLS_C); 568 suhosin_bailout(TSRMLS_C);
577 break; 569 break;
578
579 case SUHOSIN_CODE_TYPE_WRITABLE:
580 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is writable by PHP process", op_array->filename);
581 suhosin_bailout(TSRMLS_C);
582 break;
583 570
584 case SUHOSIN_CODE_TYPE_BLACKURL: 571 case SUHOSIN_CODE_TYPE_WRITABLE:
572 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is writable by PHP process", op_array->filename);
573 suhosin_bailout(TSRMLS_C);
574 break;
575
576 case SUHOSIN_CODE_TYPE_BLACKURL:
585 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is forbidden by the blacklist", op_array->filename); 577 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is forbidden by the blacklist", op_array->filename);
586 suhosin_bailout(TSRMLS_C); 578 suhosin_bailout(TSRMLS_C);
587 break; 579 break;
588 580
589 case SUHOSIN_CODE_TYPE_BADURL: 581 case SUHOSIN_CODE_TYPE_BADURL:
590 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is not allowed", op_array->filename); 582 suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is not allowed", op_array->filename);
591 suhosin_bailout(TSRMLS_C); 583 suhosin_bailout(TSRMLS_C);
592 break; 584 break;
593 585
594 case SUHOSIN_CODE_TYPE_BADFILE: 586 case SUHOSIN_CODE_TYPE_BADFILE:
595 cs.type = IS_STRING; 587 cs.type = IS_STRING;
596#define DIE_WITH_MSG "die('disallowed_file'.chr(10).chr(10));" 588#define DIE_WITH_MSG "die('disallowed_file'.chr(10).chr(10));"
597 cs.value.str.val = estrndup(DIE_WITH_MSG, sizeof(DIE_WITH_MSG)-1); 589 cs.value.str.val = estrndup(DIE_WITH_MSG, sizeof(DIE_WITH_MSG)-1);
598 cs.value.str.len = sizeof(DIE_WITH_MSG)-1; 590 cs.value.str.len = sizeof(DIE_WITH_MSG)-1;
599 new_op_array = compile_string(&cs, "suhosin internal code" TSRMLS_CC); 591 new_op_array = compile_string(&cs, "suhosin internal code" TSRMLS_CC);
600 if (new_op_array) { 592 if (new_op_array) {
601 op_array = new_op_array; 593 op_array = new_op_array;
602 goto continue_execution; 594 goto continue_execution;
603 } 595 }
604 suhosin_bailout(TSRMLS_C); 596 suhosin_bailout(TSRMLS_C);
605 break; 597 break;
606 598
607 case SUHOSIN_CODE_TYPE_COMMANDLINE: 599 case SUHOSIN_CODE_TYPE_COMMANDLINE:
608 case SUHOSIN_CODE_TYPE_SUHOSIN: 600 case SUHOSIN_CODE_TYPE_SUHOSIN:
609 case SUHOSIN_CODE_TYPE_UNKNOWN: 601 case SUHOSIN_CODE_TYPE_UNKNOWN:
610 case SUHOSIN_CODE_TYPE_GOODFILE: 602 case SUHOSIN_CODE_TYPE_GOODFILE:
611 goto continue_execution; 603 goto continue_execution;
612 } 604 }
613 605
@@ -640,7 +632,7 @@ static void suhosin_execute(zend_op_array *op_array TSRMLS_DC)
640static void suhosin_execute_ZO(zend_op_array *op_array, long dummy TSRMLS_DC) 632static void suhosin_execute_ZO(zend_op_array *op_array, long dummy TSRMLS_DC)
641{ 633{
642 suhosin_execute_ex(op_array, 1, dummy TSRMLS_CC); 634 suhosin_execute_ex(op_array, 1, dummy TSRMLS_CC);
643} 635}
644/* }}} */ 636/* }}} */
645#endif 637#endif
646 638
@@ -676,28 +668,28 @@ int ih_preg_replace(IH_HANDLER_PARAMS)
676 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|ZZ", &regex, &replace, &subject, &limit, &zcount) == FAILURE) { 668 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|ZZ", &regex, &replace, &subject, &limit, &zcount) == FAILURE) {
677 return (1); 669 return (1);
678 } 670 }
679 671
680 if (Z_TYPE_PP(regex) == IS_ARRAY) { 672 if (Z_TYPE_PP(regex) == IS_ARRAY) {
681 zval **regex_entry; 673 zval **regex_entry;
682 674
683 zend_hash_internal_pointer_reset(Z_ARRVAL_PP(regex)); 675 zend_hash_internal_pointer_reset(Z_ARRVAL_PP(regex));
684 /* For each entry in the regex array, get the entry */ 676 /* For each entry in the regex array, get the entry */
685 while (zend_hash_get_current_data(Z_ARRVAL_PP(regex), (void **)&regex_entry) == SUCCESS) { 677 while (zend_hash_get_current_data(Z_ARRVAL_PP(regex), (void **)&regex_entry) == SUCCESS) {
686 678
687 if (Z_TYPE_PP(regex_entry) == IS_STRING) { 679 if (Z_TYPE_PP(regex_entry) == IS_STRING) {
688 if (strlen(Z_STRVAL_PP(regex_entry)) != Z_STRLEN_PP(regex_entry)) { 680 if (strlen(Z_STRVAL_PP(regex_entry)) != Z_STRLEN_PP(regex_entry)) {
689 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected"); 681 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
690 if (!SUHOSIN_G(simulation)) { 682 if (!SUHOSIN_G(simulation)) {
691 RETVAL_FALSE; 683 RETVAL_FALSE;
692 return (1); 684 return (1);
693 } 685 }
694 } 686 }
695 } 687 }
696 688
697 zend_hash_move_forward(Z_ARRVAL_PP(regex)); 689 zend_hash_move_forward(Z_ARRVAL_PP(regex));
698 690
699 } 691 }
700 692
701 } else if (Z_TYPE_PP(regex) == IS_STRING) { 693 } else if (Z_TYPE_PP(regex) == IS_STRING) {
702 if (strlen(Z_STRVAL_PP(regex)) != Z_STRLEN_PP(regex)) { 694 if (strlen(Z_STRVAL_PP(regex)) != Z_STRLEN_PP(regex)) {
703 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected"); 695 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
@@ -707,7 +699,7 @@ int ih_preg_replace(IH_HANDLER_PARAMS)
707 } 699 }
708 } 700 }
709 } 701 }
710 702
711 return (0); 703 return (0);
712} 704}
713 705
@@ -716,7 +708,7 @@ int ih_symlink(IH_HANDLER_PARAMS)
716 if (SUHOSIN_G(executor_allow_symlink)) { 708 if (SUHOSIN_G(executor_allow_symlink)) {
717 return (0); 709 return (0);
718 } 710 }
719 711
720 if (PG(open_basedir) && PG(open_basedir)[0]) { 712 if (PG(open_basedir) && PG(open_basedir)[0]) {
721 suhosin_log(S_EXECUTOR, "symlink called during open_basedir"); 713 suhosin_log(S_EXECUTOR, "symlink called during open_basedir");
722 if (!SUHOSIN_G(simulation)) { 714 if (!SUHOSIN_G(simulation)) {
@@ -724,7 +716,7 @@ int ih_symlink(IH_HANDLER_PARAMS)
724 return (1); 716 return (1);
725 } 717 }
726 } 718 }
727 719
728 return (0); 720 return (0);
729} 721}
730 722
@@ -796,7 +788,7 @@ int ih_mail(IH_HANDLER_PARAMS)
796 } 788 }
797 } 789 }
798 } 790 }
799 791
800 if (SUHOSIN_G(mailprotect) > 1) { 792 if (SUHOSIN_G(mailprotect) > 1) {
801 /* search for to, cc or bcc headers */ 793 /* search for to, cc or bcc headers */
802 if (headers_len > 0 && headers != NULL) { 794 if (headers_len > 0 && headers != NULL) {
@@ -807,7 +799,7 @@ int ih_mail(IH_HANDLER_PARAMS)
807 return (1); 799 return (1);
808 } 800 }
809 } 801 }
810 802
811 if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || suhosin_strcasestr(headers, "\ncc:")) { 803 if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || suhosin_strcasestr(headers, "\ncc:")) {
812 suhosin_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter."); 804 suhosin_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter.");
813 if (!SUHOSIN_G(simulation)) { 805 if (!SUHOSIN_G(simulation)) {
@@ -848,18 +840,18 @@ int ih_querycheck(IH_HANDLER_PARAMS)
848 int cnt_union = 0, cnt_select = 0, cnt_comment = 0, cnt_opencomment = 0; 840 int cnt_union = 0, cnt_select = 0, cnt_comment = 0, cnt_opencomment = 0;
849 int mysql_extension = 0; 841 int mysql_extension = 0;
850 842
851 843
852 SDEBUG("function: %s", ih->name); 844 SDEBUG("function: %s", ih->name);
853 arg_count = (unsigned long) *p; 845 arg_count = (unsigned long) *p;
854 846
855 if (ht < (long) ih->arg1) { 847 if (ht < (long) ih->arg1) {
856 return (0); 848 return (0);
857 } 849 }
858 850
859 if ((long) ih->arg2) { 851 if ((long) ih->arg2) {
860 mysql_extension = 1; 852 mysql_extension = 1;
861 } 853 }
862 854
863 arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */ 855 arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
864 856
865 backup = *arg; 857 backup = *arg;
@@ -869,125 +861,125 @@ int ih_querycheck(IH_HANDLER_PARAMS)
869 len = Z_STRLEN_P(backup); 861 len = Z_STRLEN_P(backup);
870 query = Z_STRVAL_P(backup); 862 query = Z_STRVAL_P(backup);
871 SDEBUG("SQL |%s|", query); 863 SDEBUG("SQL |%s|", query);
872 864
873 s = query; 865 s = query;
874 e = s+len; 866 e = s+len;
875 867
876 while (s < e) { 868 while (s < e) {
877 switch (state) 869 switch (state)
878 { 870 {
879 case SQLSTATE_SQL: 871 case SQLSTATE_SQL:
880 switch (s[0]) 872 switch (s[0])
881 { 873 {
882 case '`': 874 case '`':
883 state = SQLSTATE_IDENTIFIER; 875 state = SQLSTATE_IDENTIFIER;
884 quote = '`'; 876 quote = '`';
885 break; 877 break;
886 case '\'': 878 case '\'':
887 case '"': 879 case '"':
888 state = SQLSTATE_STRING; 880 state = SQLSTATE_STRING;
889 quote = *s; 881 quote = *s;
890 break; 882 break;
891 case '/': 883 case '/':
892 if (s[1]=='*') { 884 if (s[1]=='*') {
893 if (mysql_extension == 1 && s[2] == '!') { 885 if (mysql_extension == 1 && s[2] == '!') {
894 s += 2; 886 s += 2;
895 break; 887 break;
896 } 888 }
897 s++; 889 s++;
898 state = SQLSTATE_MLCOMMENT; 890 state = SQLSTATE_MLCOMMENT;
899 cnt_comment++; 891 cnt_comment++;
900 } 892 }
901 break; 893 break;
902 case '-': 894 case '-':
903 if (s[1]=='-') { 895 if (s[1]=='-') {
904 s++; 896 s++;
905 state = SQLSTATE_COMMENT; 897 state = SQLSTATE_COMMENT;
906 cnt_comment++; 898 cnt_comment++;
907 } 899 }
908 break; 900 break;
909 case '#': 901 case '#':
910 state = SQLSTATE_COMMENT; 902 state = SQLSTATE_COMMENT;
911 cnt_comment++; 903 cnt_comment++;
912 break; 904 break;
913 case 'u': 905 case 'u':
914 case 'U': 906 case 'U':
915 if (strncasecmp("union", s, 5)==0) { 907 if (strncasecmp("union", s, 5)==0) {
916 s += 4; 908 s += 4;
917 cnt_union++; 909 cnt_union++;
918 } 910 }
919 break; 911 break;
920 case 's': 912 case 's':
921 case 'S': 913 case 'S':
922 if (strncasecmp("select", s, 6)==0) { 914 if (strncasecmp("select", s, 6)==0) {
923 s += 5; 915 s += 5;
924 cnt_select++; 916 cnt_select++;
925 } 917 }
926 break; 918 break;
927 } 919 }
928 break; 920 break;
929 case SQLSTATE_STRING: 921 case SQLSTATE_STRING:
930 case SQLSTATE_IDENTIFIER: 922 case SQLSTATE_IDENTIFIER:
931 if (s[0] == quote) { 923 if (s[0] == quote) {
932 if (s[1] == quote) { 924 if (s[1] == quote) {
933 s++; 925 s++;
934 } else { 926 } else {
935 state = SQLSTATE_SQL; 927 state = SQLSTATE_SQL;
936 } 928 }
937 } 929 }
938 if (s[0] == '\\') { 930 if (s[0] == '\\') {
939 s++; 931 s++;
940 } 932 }
941 break; 933 break;
942 case SQLSTATE_COMMENT: 934 case SQLSTATE_COMMENT:
943 while (s[0] && s[0] != '\n') { 935 while (s[0] && s[0] != '\n') {
944 s++; 936 s++;
945 } 937 }
946 state = SQLSTATE_SQL; 938 state = SQLSTATE_SQL;
947 break; 939 break;
948 case SQLSTATE_MLCOMMENT: 940 case SQLSTATE_MLCOMMENT:
949 while (s[0] && (s[0] != '*' || s[1] != '/')) { 941 while (s[0] && (s[0] != '*' || s[1] != '/')) {
950 s++; 942 s++;
951 } 943 }
952 if (s[0]) { 944 if (s[0]) {
953 state = SQLSTATE_SQL; 945 state = SQLSTATE_SQL;
954 } 946 }
955 break; 947 break;
956 } 948 }
957 s++; 949 s++;
958 } 950 }
959 if (state == SQLSTATE_MLCOMMENT) { 951 if (state == SQLSTATE_MLCOMMENT) {
960 cnt_opencomment = 1; 952 cnt_opencomment = 1;
961 } 953 }
962 954
963 if (cnt_opencomment && SUHOSIN_G(sql_opencomment)>0) { 955 if (cnt_opencomment && SUHOSIN_G(sql_opencomment)>0) {
964 suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query); 956 suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query);
965 if (SUHOSIN_G(sql_opencomment)>1) { 957 if (SUHOSIN_G(sql_opencomment)>1) {
966 suhosin_bailout(TSRMLS_C); 958 suhosin_bailout(TSRMLS_C);
967 } 959 }
968 } 960 }
969 961
970 if (cnt_comment && SUHOSIN_G(sql_comment)>0) { 962 if (cnt_comment && SUHOSIN_G(sql_comment)>0) {
971 suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query); 963 suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query);
972 if (SUHOSIN_G(sql_comment)>1) { 964 if (SUHOSIN_G(sql_comment)>1) {
973 suhosin_bailout(TSRMLS_C); 965 suhosin_bailout(TSRMLS_C);
974 } 966 }
975 } 967 }
976 968
977 if (cnt_union && SUHOSIN_G(sql_union)>0) { 969 if (cnt_union && SUHOSIN_G(sql_union)>0) {
978 suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query); 970 suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query);
979 if (SUHOSIN_G(sql_union)>1) { 971 if (SUHOSIN_G(sql_union)>1) {
980 suhosin_bailout(TSRMLS_C); 972 suhosin_bailout(TSRMLS_C);
981 } 973 }
982 } 974 }
983 975
984 if (cnt_select>1 && SUHOSIN_G(sql_mselect)>0) { 976 if (cnt_select>1 && SUHOSIN_G(sql_mselect)>0) {
985 suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query); 977 suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query);
986 if (SUHOSIN_G(sql_mselect)>1) { 978 if (SUHOSIN_G(sql_mselect)>1) {
987 suhosin_bailout(TSRMLS_C); 979 suhosin_bailout(TSRMLS_C);
988 } 980 }
989 } 981 }
990 982
991 return (0); 983 return (0);
992} 984}
993 985
@@ -1000,19 +992,19 @@ int ih_fixusername(IH_HANDLER_PARAMS)
1000 char *prefix, *postfix, *user, *user_match, *cp; 992 char *prefix, *postfix, *user, *user_match, *cp;
1001 zval *backup, *my_user; 993 zval *backup, *my_user;
1002 int prefix_len, postfix_len, len; 994 int prefix_len, postfix_len, len;
1003 995
1004 SDEBUG("function (fixusername): %s", ih->name); 996 SDEBUG("function (fixusername): %s", ih->name);
1005 997
1006 prefix = SUHOSIN_G(sql_user_prefix); 998 prefix = SUHOSIN_G(sql_user_prefix);
1007 postfix = SUHOSIN_G(sql_user_postfix); 999 postfix = SUHOSIN_G(sql_user_postfix);
1008 user_match = SUHOSIN_G(sql_user_match); 1000 user_match = SUHOSIN_G(sql_user_match);
1009 1001
1010 arg_count = (unsigned long) *p; 1002 arg_count = (unsigned long) *p;
1011 1003
1012 if (ht < (long) ih->arg1) { 1004 if (ht < (long) ih->arg1) {
1013 return (0); 1005 return (0);
1014 } 1006 }
1015 1007
1016 arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */ 1008 arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
1017 1009
1018 backup = *arg; 1010 backup = *arg;
@@ -1046,18 +1038,18 @@ int ih_fixusername(IH_HANDLER_PARAMS)
1046 } 1038 }
1047 prefix_len = strlen(prefix); 1039 prefix_len = strlen(prefix);
1048 postfix_len = strlen(postfix); 1040 postfix_len = strlen(postfix);
1049 1041
1050 MAKE_STD_ZVAL(my_user); 1042 MAKE_STD_ZVAL(my_user);
1051 my_user->type = IS_STRING; 1043 my_user->type = IS_STRING;
1052 my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix); 1044 my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix);
1053 1045
1054 /* XXX: memory_leak? */ 1046 /* XXX: memory_leak? */
1055 *arg = my_user; 1047 *arg = my_user;
1056 1048
1057 len = Z_STRLEN_P(my_user); 1049 len = Z_STRLEN_P(my_user);
1058 user = Z_STRVAL_P(my_user); 1050 user = Z_STRVAL_P(my_user);
1059 } 1051 }
1060 1052
1061 if (user_match && user_match[0]) { 1053 if (user_match && user_match[0]) {
1062#ifdef HAVE_FNMATCH 1054#ifdef HAVE_FNMATCH
1063 if (fnmatch(user_match, user, 0) != 0) { 1055 if (fnmatch(user_match, user, 0) != 0) {
@@ -1076,7 +1068,7 @@ int ih_fixusername(IH_HANDLER_PARAMS)
1076 } 1068 }
1077#endif 1069#endif
1078 } 1070 }
1079 1071
1080 SDEBUG("function: %s - user: %s", ih->name, user); 1072 SDEBUG("function: %s - user: %s", ih->name, user);
1081 1073
1082 return (0); 1074 return (0);
@@ -1105,7 +1097,7 @@ static int ih_function_exists(IH_HANDLER_PARAMS)
1105 } 1097 }
1106 1098
1107 retval = (zend_hash_find(EG(function_table), name, name_len+1, (void **)&func) == SUCCESS); 1099 retval = (zend_hash_find(EG(function_table), name, name_len+1, (void **)&func) == SUCCESS);
1108 1100
1109 /* 1101 /*
1110 * A bit of a hack, but not a bad one: we see if the handler of the function 1102 * A bit of a hack, but not a bad one: we see if the handler of the function
1111 * is actually one that displays "function is disabled" message. 1103 * is actually one that displays "function is disabled" message.
@@ -1130,7 +1122,7 @@ static int ih_function_exists(IH_HANDLER_PARAMS)
1130 } 1122 }
1131 } 1123 }
1132 } 1124 }
1133 1125
1134 if (SUHOSIN_G(func_whitelist) != NULL) { 1126 if (SUHOSIN_G(func_whitelist) != NULL) {
1135 if (!zend_hash_exists(SUHOSIN_G(func_whitelist), name, name_len+1)) { 1127 if (!zend_hash_exists(SUHOSIN_G(func_whitelist), name, name_len+1)) {
1136 retval = 0; 1128 retval = 0;
@@ -1174,7 +1166,7 @@ ret:
1174 1166
1175 Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura, 1167 Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura,
1176 Copyright (C) 2000 - 2003, Richard J. Wagner 1168 Copyright (C) 2000 - 2003, Richard J. Wagner
1177 All rights reserved. 1169 All rights reserved.
1178 1170
1179 Redistribution and use in source and binary forms, with or without 1171 Redistribution and use in source and binary forms, with or without
1180 modification, are permitted provided that the following conditions 1172 modification, are permitted provided that the following conditions
@@ -1187,8 +1179,8 @@ ret:
1187 notice, this list of conditions and the following disclaimer in the 1179 notice, this list of conditions and the following disclaimer in the
1188 documentation and/or other materials provided with the distribution. 1180 documentation and/or other materials provided with the distribution.
1189 1181
1190 3. The names of its contributors may not be used to endorse or promote 1182 3. The names of its contributors may not be used to endorse or promote
1191 products derived from this software without specific prior written 1183 products derived from this software without specific prior written
1192 permission. 1184 permission.
1193 1185
1194 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 1186 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
@@ -1302,14 +1294,14 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
1302{ 1294{
1303 /* Pull a 32-bit integer from the generator state 1295 /* Pull a 32-bit integer from the generator state
1304 Every other access function simply transforms the numbers extracted here */ 1296 Every other access function simply transforms the numbers extracted here */
1305 1297
1306 register php_uint32 s1; 1298 register php_uint32 s1;
1307 1299
1308 if (SUHOSIN_G(mt_left) == 0) { 1300 if (SUHOSIN_G(mt_left) == 0) {
1309 suhosin_mt_reload(SUHOSIN_G(mt_state), &SUHOSIN_G(mt_next), &SUHOSIN_G(mt_left)); 1301 suhosin_mt_reload(SUHOSIN_G(mt_state), &SUHOSIN_G(mt_next), &SUHOSIN_G(mt_left));
1310 } 1302 }
1311 --SUHOSIN_G(mt_left); 1303 --SUHOSIN_G(mt_left);
1312 1304
1313 s1 = *SUHOSIN_G(mt_next)++; 1305 s1 = *SUHOSIN_G(mt_next)++;
1314 s1 ^= (s1 >> 11); 1306 s1 ^= (s1 >> 11);
1315 s1 ^= (s1 << 7) & 0x9d2c5680U; 1307 s1 ^= (s1 << 7) & 0x9d2c5680U;
@@ -1329,11 +1321,11 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
1329 unsigned long heap_value = (unsigned long)SUHOSIN_G(r_state); 1321 unsigned long heap_value = (unsigned long)SUHOSIN_G(r_state);
1330 suhosin_SHA256_CTX context; 1322 suhosin_SHA256_CTX context;
1331 int fd; 1323 int fd;
1332 1324
1333 code_value ^= code_value >> 32; 1325 code_value ^= code_value >> 32;
1334 stack_value ^= stack_value >> 32; 1326 stack_value ^= stack_value >> 32;
1335 heap_value ^= heap_value >> 32; 1327 heap_value ^= heap_value >> 32;
1336 1328
1337 seedbuf[0] = code_value; 1329 seedbuf[0] = code_value;
1338 seedbuf[1] = stack_value; 1330 seedbuf[1] = stack_value;
1339 seedbuf[2] = heap_value; 1331 seedbuf[2] = heap_value;
@@ -1372,7 +1364,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
1372 */ 1364 */
1373static void suhosin_srand_auto(TSRMLS_D) 1365static void suhosin_srand_auto(TSRMLS_D)
1374{ 1366{
1375 php_uint32 seed[8]; 1367 php_uint32 seed[8];
1376 suhosin_gen_entropy(&seed[0] TSRMLS_CC); 1368 suhosin_gen_entropy(&seed[0] TSRMLS_CC);
1377 1369
1378 suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(r_state)); 1370 suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(r_state));
@@ -1387,7 +1379,7 @@ static void suhosin_srand_auto(TSRMLS_D)
1387 */ 1379 */
1388static void suhosin_mt_srand_auto(TSRMLS_D) 1380static void suhosin_mt_srand_auto(TSRMLS_D)
1389{ 1381{
1390 php_uint32 seed[8]; 1382 php_uint32 seed[8];
1391 suhosin_gen_entropy(&seed[0] TSRMLS_CC); 1383 suhosin_gen_entropy(&seed[0] TSRMLS_CC);
1392 1384
1393 suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(mt_state)); 1385 suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(mt_state));
@@ -1418,14 +1410,14 @@ static php_uint32 suhosin_rand(TSRMLS_D)
1418{ 1410{
1419 /* Pull a 32-bit integer from the generator state 1411 /* Pull a 32-bit integer from the generator state
1420 Every other access function simply transforms the numbers extracted here */ 1412 Every other access function simply transforms the numbers extracted here */
1421 1413
1422 register php_uint32 s1; 1414 register php_uint32 s1;
1423 1415
1424 if (SUHOSIN_G(r_left) == 0) { 1416 if (SUHOSIN_G(r_left) == 0) {
1425 suhosin_mt_reload(SUHOSIN_G(r_state), &SUHOSIN_G(r_next), &SUHOSIN_G(r_left)); 1417 suhosin_mt_reload(SUHOSIN_G(r_state), &SUHOSIN_G(r_next), &SUHOSIN_G(r_left));
1426 } 1418 }
1427 --SUHOSIN_G(r_left); 1419 --SUHOSIN_G(r_left);
1428 1420
1429 s1 = *SUHOSIN_G(r_next)++; 1421 s1 = *SUHOSIN_G(r_next)++;
1430 s1 ^= (s1 >> 11); 1422 s1 ^= (s1 >> 11);
1431 s1 ^= (s1 << 7) & 0x9d2c5680U; 1423 s1 ^= (s1 << 7) & 0x9d2c5680U;
@@ -1443,7 +1435,7 @@ static int ih_srand(IH_HANDLER_PARAMS)
1443 SUHOSIN_G(r_is_seeded) = 0; 1435 SUHOSIN_G(r_is_seeded) = 0;
1444 return 1; 1436 return 1;
1445 } 1437 }
1446 1438
1447 if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) { 1439 if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) {
1448 return 1; 1440 return 1;
1449 } 1441 }
@@ -1465,7 +1457,7 @@ static int ih_mt_srand(IH_HANDLER_PARAMS)
1465 SUHOSIN_G(mt_is_seeded) = 0; 1457 SUHOSIN_G(mt_is_seeded) = 0;
1466 return 1; 1458 return 1;
1467 } 1459 }
1468 1460
1469 if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) { 1461 if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) {
1470 return 1; 1462 return 1;
1471 } 1463 }
@@ -1486,7 +1478,7 @@ static int ih_mt_rand(IH_HANDLER_PARAMS)
1486 long number; 1478 long number;
1487 1479
1488 if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) { 1480 if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) {
1489 return (1); 1481 return (1);
1490 } 1482 }
1491 1483
1492 if (!SUHOSIN_G(mt_is_seeded)) { 1484 if (!SUHOSIN_G(mt_is_seeded)) {
@@ -1510,7 +1502,7 @@ static int ih_rand(IH_HANDLER_PARAMS)
1510 long number; 1502 long number;
1511 1503
1512 if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) { 1504 if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) {
1513 return (1); 1505 return (1);
1514 } 1506 }
1515 1507
1516 if (!SUHOSIN_G(r_is_seeded)) { 1508 if (!SUHOSIN_G(r_is_seeded)) {
@@ -1540,16 +1532,16 @@ internal_function_handler ihandlers[] = {
1540 { "preg_replace", ih_preg_replace, NULL, NULL, NULL }, 1532 { "preg_replace", ih_preg_replace, NULL, NULL, NULL },
1541 { "mail", ih_mail, NULL, NULL, NULL }, 1533 { "mail", ih_mail, NULL, NULL, NULL },
1542 { "symlink", ih_symlink, NULL, NULL, NULL }, 1534 { "symlink", ih_symlink, NULL, NULL, NULL },
1543 1535
1544 { "srand", ih_srand, NULL, NULL, NULL }, 1536 { "srand", ih_srand, NULL, NULL, NULL },
1545 { "mt_srand", ih_mt_srand, NULL, NULL, NULL }, 1537 { "mt_srand", ih_mt_srand, NULL, NULL, NULL },
1546 { "rand", ih_rand, NULL, NULL, NULL }, 1538 { "rand", ih_rand, NULL, NULL, NULL },
1547 { "mt_rand", ih_mt_rand, NULL, NULL, NULL }, 1539 { "mt_rand", ih_mt_rand, NULL, NULL, NULL },
1548 { "getrandmax", ih_getrandmax, NULL, NULL, NULL }, 1540 { "getrandmax", ih_getrandmax, NULL, NULL, NULL },
1549 { "mt_getrandmax", ih_getrandmax, NULL, NULL, NULL }, 1541 { "mt_getrandmax", ih_getrandmax, NULL, NULL, NULL },
1550 1542
1551 { "function_exists", ih_function_exists, NULL, NULL, NULL }, 1543 { "function_exists", ih_function_exists, NULL, NULL, NULL },
1552 1544
1553 /* Mysqli */ 1545 /* Mysqli */
1554 { "mysqli::mysqli", ih_fixusername, (void *)2, NULL, NULL }, 1546 { "mysqli::mysqli", ih_fixusername, (void *)2, NULL, NULL },
1555 { "mysqli_connect", ih_fixusername, (void *)2, NULL, NULL }, 1547 { "mysqli_connect", ih_fixusername, (void *)2, NULL, NULL },
@@ -1557,7 +1549,7 @@ internal_function_handler ihandlers[] = {
1557 { "mysqli_real_connect", ih_fixusername, (void *)3, NULL, NULL }, 1549 { "mysqli_real_connect", ih_fixusername, (void *)3, NULL, NULL },
1558 { "mysqli_change_user", ih_fixusername, (void *)2, NULL, NULL }, 1550 { "mysqli_change_user", ih_fixusername, (void *)2, NULL, NULL },
1559 { "mysqli::change_user", ih_fixusername, (void *)1, NULL, NULL }, 1551 { "mysqli::change_user", ih_fixusername, (void *)1, NULL, NULL },
1560 1552
1561 { "mysqli::query", ih_querycheck, (void *)1, (void *)1, NULL }, 1553 { "mysqli::query", ih_querycheck, (void *)1, (void *)1, NULL },
1562 { "mysqli_query", ih_querycheck, (void *)2, (void *)1, NULL }, 1554 { "mysqli_query", ih_querycheck, (void *)2, (void *)1, NULL },
1563 { "mysqli::multi_query", ih_querycheck, (void *)1, (void *)1, NULL }, 1555 { "mysqli::multi_query", ih_querycheck, (void *)1, (void *)1, NULL },
@@ -1572,14 +1564,14 @@ internal_function_handler ihandlers[] = {
1572 { "mysqli_master_query", ih_querycheck, (void *)2, (void *)1, NULL }, 1564 { "mysqli_master_query", ih_querycheck, (void *)2, (void *)1, NULL },
1573 { "mysqli_slave_query", ih_querycheck, (void *)2, (void *)1, NULL }, 1565 { "mysqli_slave_query", ih_querycheck, (void *)2, (void *)1, NULL },
1574 // ---- 1566 // ----
1575 1567
1576 /* Mysql API - deprecated in PHP 5.5 */ 1568 /* Mysql API - deprecated in PHP 5.5 */
1577 { "mysql_connect", ih_fixusername, (void *)2, NULL, NULL }, 1569 { "mysql_connect", ih_fixusername, (void *)2, NULL, NULL },
1578 { "mysql_pconnect", ih_fixusername, (void *)2, NULL, NULL }, 1570 { "mysql_pconnect", ih_fixusername, (void *)2, NULL, NULL },
1579 { "mysql_query", ih_querycheck, (void *)1, (void *)1, NULL }, 1571 { "mysql_query", ih_querycheck, (void *)1, (void *)1, NULL },
1580 { "mysql_db_query", ih_querycheck, (void *)2, (void *)1, NULL }, 1572 { "mysql_db_query", ih_querycheck, (void *)2, (void *)1, NULL },
1581 { "mysql_unbuffered_query", ih_querycheck, (void *)1, (void *)1, NULL }, 1573 { "mysql_unbuffered_query", ih_querycheck, (void *)1, (void *)1, NULL },
1582 1574
1583#ifdef SUHOSIN_EXPERIMENTAL 1575#ifdef SUHOSIN_EXPERIMENTAL
1584 /* MaxDB */ 1576 /* MaxDB */
1585 { "maxdb::maxdb", ih_fixusername, (void *)2, NULL, NULL }, 1577 { "maxdb::maxdb", ih_fixusername, (void *)2, NULL, NULL },
@@ -1588,7 +1580,7 @@ internal_function_handler ihandlers[] = {
1588 { "maxdb_real_connect", ih_fixusername, (void *)3, NULL, NULL }, 1580 { "maxdb_real_connect", ih_fixusername, (void *)3, NULL, NULL },
1589 { "maxdb::change_user", ih_fixusername, (void *)1, NULL, NULL }, 1581 { "maxdb::change_user", ih_fixusername, (void *)1, NULL, NULL },
1590 { "maxdb_change_user", ih_fixusername, (void *)2, NULL, NULL }, 1582 { "maxdb_change_user", ih_fixusername, (void *)2, NULL, NULL },
1591 1583
1592 { "maxdb_master_query", ih_querycheck, (void *)2, NULL, NULL }, 1584 { "maxdb_master_query", ih_querycheck, (void *)2, NULL, NULL },
1593 { "maxdb::multi_query", ih_querycheck, (void *)1, NULL, NULL }, 1585 { "maxdb::multi_query", ih_querycheck, (void *)1, NULL, NULL },
1594 { "maxdb_multi_query", ih_querycheck, (void *)2, NULL, NULL }, 1586 { "maxdb_multi_query", ih_querycheck, (void *)2, NULL, NULL },
@@ -1607,7 +1599,7 @@ internal_function_handler ihandlers[] = {
1607 { "pdo::query", ih_querycheck, (void *)1, NULL, NULL }, 1599 { "pdo::query", ih_querycheck, (void *)1, NULL, NULL },
1608 { "pdo::prepare", ih_querycheck, (void *)1, NULL, NULL }, 1600 { "pdo::prepare", ih_querycheck, (void *)1, NULL, NULL },
1609 { "pdo::exec", ih_querycheck, (void *)1, NULL, NULL }, 1601 { "pdo::exec", ih_querycheck, (void *)1, NULL, NULL },
1610 1602
1611 /* Oracle OCI8 */ 1603 /* Oracle OCI8 */
1612 { "ocilogon", ih_fixusername, (void *)1, NULL, NULL }, 1604 { "ocilogon", ih_fixusername, (void *)1, NULL, NULL },
1613 { "ociplogon", ih_fixusername, (void *)1, NULL, NULL }, 1605 { "ociplogon", ih_fixusername, (void *)1, NULL, NULL },
@@ -1653,7 +1645,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, zend_f
1653 zval **return_value_ptr; 1645 zval **return_value_ptr;
1654 zval *this_ptr; 1646 zval *this_ptr;
1655 int ht; 1647 int ht;
1656 1648
1657 if (fci) { 1649 if (fci) {
1658 return_value = *fci->retval_ptr_ptr; 1650 return_value = *fci->retval_ptr_ptr;
1659 return_value_ptr = fci->retval_ptr_ptr; 1651 return_value_ptr = fci->retval_ptr_ptr;
@@ -1666,7 +1658,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, zend_f
1666 return_value_ptr = (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ? &ret->var.ptr : NULL; 1658 return_value_ptr = (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ? &ret->var.ptr : NULL;
1667 this_ptr = execute_data_ptr->object; 1659 this_ptr = execute_data_ptr->object;
1668 ht = execute_data_ptr->opline->extended_value; 1660 ht = execute_data_ptr->opline->extended_value;
1669 } 1661 }
1670#else 1662#else
1671static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC) 1663static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC)
1672{ 1664{
@@ -1681,7 +1673,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re
1681 ce = ((zend_internal_function *) execute_data_ptr->function_state.function)->scope; 1673 ce = ((zend_internal_function *) execute_data_ptr->function_state.function)->scope;
1682 lcname = (char *)((zend_internal_function *) execute_data_ptr->function_state.function)->function_name; 1674 lcname = (char *)((zend_internal_function *) execute_data_ptr->function_state.function)->function_name;
1683 function_name_strlen = strlen(lcname); 1675 function_name_strlen = strlen(lcname);
1684 1676
1685 /* handle methodcalls correctly */ 1677 /* handle methodcalls correctly */
1686 if (ce != NULL) { 1678 if (ce != NULL) {
1687 char *tmp = (char *) emalloc(function_name_strlen + 2 + ce->name_length + 1); 1679 char *tmp = (char *) emalloc(function_name_strlen + 2 + ce->name_length + 1);
@@ -1695,14 +1687,14 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re
1695 zend_str_tolower(lcname, function_name_strlen); 1687 zend_str_tolower(lcname, function_name_strlen);
1696 } 1688 }
1697 1689
1698#if PHP_VERSION_ID < 50500 1690#if PHP_VERSION_ID < 50500
1699 return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.var)).var.ptr; 1691 return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.var)).var.ptr;
1700#endif 1692#endif
1701 1693
1702 SDEBUG("function: %s", lcname); 1694 SDEBUG("function: %s", lcname);
1703 1695
1704 if (SUHOSIN_G(in_code_type) == SUHOSIN_EVAL) { 1696 if (SUHOSIN_G(in_code_type) == SUHOSIN_EVAL) {
1705 1697
1706 if (SUHOSIN_G(eval_whitelist) != NULL) { 1698 if (SUHOSIN_G(eval_whitelist) != NULL) {
1707 if (!zend_hash_exists(SUHOSIN_G(eval_whitelist), lcname, function_name_strlen+1)) { 1699 if (!zend_hash_exists(SUHOSIN_G(eval_whitelist), lcname, function_name_strlen+1)) {
1708 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of eval whitelist called: %s()", lcname); 1700 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of eval whitelist called: %s()", lcname);
@@ -1723,7 +1715,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re
1723 } 1715 }
1724 } 1716 }
1725 } 1717 }
1726 1718
1727 if (SUHOSIN_G(func_whitelist) != NULL) { 1719 if (SUHOSIN_G(func_whitelist) != NULL) {
1728 if (!zend_hash_exists(SUHOSIN_G(func_whitelist), lcname, function_name_strlen+1)) { 1720 if (!zend_hash_exists(SUHOSIN_G(func_whitelist), lcname, function_name_strlen+1)) {
1729 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of whitelist called: %s()", lcname); 1721 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of whitelist called: %s()", lcname);
@@ -1743,16 +1735,16 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re
1743 } 1735 }
1744 } 1736 }
1745 } 1737 }
1746 1738
1747 if (zend_hash_find(&ihandler_table, lcname, function_name_strlen+1, (void **)&ih) == SUCCESS) { 1739 if (zend_hash_find(&ihandler_table, lcname, function_name_strlen+1, (void **)&ih) == SUCCESS) {
1748 1740
1749 int retval = 0; 1741 int retval = 0;
1750 void *handler = ((zend_internal_function *) execute_data_ptr->function_state.function)->handler; 1742 void *handler = ((zend_internal_function *) execute_data_ptr->function_state.function)->handler;
1751 1743
1752 if (handler != ZEND_FN(display_disabled_function)) { 1744 if (handler != ZEND_FN(display_disabled_function)) {
1753 retval = ih->handler(IH_HANDLER_PARAM_PASSTHRU); 1745 retval = ih->handler(IH_HANDLER_PARAM_PASSTHRU);
1754 } 1746 }
1755 1747
1756 if (retval == 0) { 1748 if (retval == 0) {
1757#if PHP_VERSION_ID >= 50500 1749#if PHP_VERSION_ID >= 50500
1758 old_execute_internal(execute_data_ptr, fci, return_value_used TSRMLS_CC); 1750 old_execute_internal(execute_data_ptr, fci, return_value_used TSRMLS_CC);
@@ -1788,12 +1780,10 @@ static int function_lookup(zend_extension *extension)
1788 if (zo_set_oe_ex != NULL) { 1780 if (zo_set_oe_ex != NULL) {
1789 return ZEND_HASH_APPLY_STOP; 1781 return ZEND_HASH_APPLY_STOP;
1790 } 1782 }
1791
1792 if (extension->handle != NULL) {
1793 1783
1794 zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex"); 1784 if (extension->handle != NULL) {
1795 1785 zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex");
1796 } 1786 }
1797 1787
1798 return 0; 1788 return 0;
1799} 1789}
@@ -1809,19 +1799,19 @@ void suhosin_hook_execute(TSRMLS_D)
1809#if PHP_VERSION_ID >= 50500 1799#if PHP_VERSION_ID >= 50500
1810 old_execute_ex = zend_execute_ex; 1800 old_execute_ex = zend_execute_ex;
1811 zend_execute_ex = suhosin_execute_ex; 1801 zend_execute_ex = suhosin_execute_ex;
1812#else 1802#else
1813 old_execute = zend_execute; 1803 old_execute = zend_execute;
1814 zend_execute = suhosin_execute; 1804 zend_execute = suhosin_execute;
1815#endif 1805#endif
1816 1806
1817/* old_compile_file = zend_compile_file; 1807/* old_compile_file = zend_compile_file;
1818 zend_compile_file = suhosin_compile_file; */ 1808 zend_compile_file = suhosin_compile_file; */
1819 1809
1820#if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED 1810#if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED
1821 if (zo_set_oe_ex == NULL) { 1811 if (zo_set_oe_ex == NULL) {
1822 zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(NULL, "zend_optimizer_set_oe_ex"); 1812 zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(NULL, "zend_optimizer_set_oe_ex");
1823 } 1813 }
1824 if (zo_set_oe_ex == NULL) { 1814 if (zo_set_oe_ex == NULL) {
1825 zend_llist_apply(&zend_extensions, (llist_apply_func_t)function_lookup TSRMLS_CC); 1815 zend_llist_apply(&zend_extensions, (llist_apply_func_t)function_lookup TSRMLS_CC);
1826 } 1816 }
1827 1817
@@ -1829,7 +1819,7 @@ void suhosin_hook_execute(TSRMLS_D)
1829 old_execute_ZO = zo_set_oe_ex(suhosin_execute_ZO); 1819 old_execute_ZO = zo_set_oe_ex(suhosin_execute_ZO);
1830 } 1820 }
1831#endif 1821#endif
1832 1822
1833 old_execute_internal = zend_execute_internal; 1823 old_execute_internal = zend_execute_internal;
1834 if (old_execute_internal == NULL) { 1824 if (old_execute_internal == NULL) {
1835 old_execute_internal = execute_internal; 1825 old_execute_internal = execute_internal;
@@ -1842,14 +1832,14 @@ void suhosin_hook_execute(TSRMLS_D)
1842 zend_hash_add(&ihandler_table, ih->name, strlen(ih->name)+1, ih, sizeof(internal_function_handler), NULL); 1832 zend_hash_add(&ihandler_table, ih->name, strlen(ih->name)+1, ih, sizeof(internal_function_handler), NULL);
1843 ih++; 1833 ih++;
1844 } 1834 }
1845 1835
1846 1836
1847 /* Add additional protection layer, that SHOULD 1837 /* Add additional protection layer, that SHOULD
1848 catch ZEND_INCLUDE_OR_EVAL *before* the engine tries 1838 catch ZEND_INCLUDE_OR_EVAL *before* the engine tries
1849 to execute */ 1839 to execute */
1850 old_zend_stream_open = zend_stream_open_function; 1840 old_zend_stream_open = zend_stream_open_function;
1851 zend_stream_open_function = suhosin_zend_stream_open; 1841 zend_stream_open_function = suhosin_zend_stream_open;
1852 1842
1853} 1843}
1854/* }}} */ 1844/* }}} */
1855 1845
@@ -1864,12 +1854,12 @@ void suhosin_unhook_execute()
1864 } 1854 }
1865#endif 1855#endif
1866 1856
1867#if PHP_VERSION_ID >= 50500 1857#if PHP_VERSION_ID >= 50500
1868 zend_execute_ex = old_execute_ex; 1858 zend_execute_ex = old_execute_ex;
1869#else 1859#else
1870 zend_execute = old_execute; 1860 zend_execute = old_execute;
1871#endif 1861#endif
1872 1862
1873/* zend_compile_file = old_compile_file; */ 1863/* zend_compile_file = old_compile_file; */
1874 1864
1875 if (old_execute_internal == execute_internal) { 1865 if (old_execute_internal == execute_internal) {
@@ -1877,10 +1867,10 @@ void suhosin_unhook_execute()
1877 } 1867 }
1878 zend_execute_internal = old_execute_internal; 1868 zend_execute_internal = old_execute_internal;
1879 zend_hash_clean(&ihandler_table); 1869 zend_hash_clean(&ihandler_table);
1880 1870
1881 /* remove zend_open protection */ 1871 /* remove zend_open protection */
1882 zend_stream_open_function = old_zend_stream_open; 1872 zend_stream_open_function = old_zend_stream_open;
1883 1873
1884} 1874}
1885/* }}} */ 1875/* }}} */
1886 1876