Diffstat (limited to 'ifilter.c')
-rw-r--r--ifilter.c116
1 files changed, 36 insertions, 80 deletions
diff --git a/ifilter.c b/ifilter.c
index 8b2e8a3..dfe7c6b 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -29,6 +29,7 @@
29#include "ext/standard/info.h" 29#include "ext/standard/info.h"
30#include "php_suhosin.h" 30#include "php_suhosin.h"
31#include "php_variables.h" 31#include "php_variables.h"
32#include "ext/standard/php_var.h"
32 33
33 34
34static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL; 35static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
@@ -150,7 +151,6 @@ static void suhosin_server_encode(HashTable *arr, char *key, int klen)
150 151
151 temp = (unsigned char *)Z_STRVAL_PP(tzval); 152 temp = (unsigned char *)Z_STRVAL_PP(tzval);
152 153
153 t = temp;
154 for (t = temp; *t; t++) { 154 for (t = temp; *t; t++) {
155 if (suhosin_is_dangerous_char[*t]) { 155 if (suhosin_is_dangerous_char[*t]) {
156 extra += 2; 156 extra += 2;
@@ -186,30 +186,29 @@ static void suhosin_server_encode(HashTable *arr, char *key, int klen)
186 */ 186 */
187void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC) 187void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC)
188{ 188{
189 HashTable *svars; 189 HashTable *svars;
190 int retval, failure=0; 190 int retval = 0, failure = 0;
191
192 orig_register_server_variables(track_vars_array TSRMLS_CC);
193 191
194 svars = Z_ARRVAL_P(track_vars_array); 192 orig_register_server_variables(track_vars_array TSRMLS_CC);
195 193
194 svars = Z_ARRVAL_P(track_vars_array);
196 if (!SUHOSIN_G(simulation)) { 195 if (!SUHOSIN_G(simulation)) {
197 retval = zend_hash_del(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")); 196 retval = zend_hash_del(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"));
198 if (retval == SUCCESS) failure = 1; 197 if (retval == SUCCESS) failure = 1;
199 retval = zend_hash_del(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")); 198 retval = zend_hash_del(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"));
200 if (retval == SUCCESS) failure = 1; 199 if (retval == SUCCESS) failure = 1;
201 retval = zend_hash_del(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS")); 200 retval = zend_hash_del(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"));
202 if (retval == SUCCESS) failure = 1; 201 if (retval == SUCCESS) failure = 1;
203 retval = zend_hash_del(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS")); 202 retval = zend_hash_del(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"));
204 if (retval == SUCCESS) failure = 1; 203 if (retval == SUCCESS) failure = 1;
205 retval = zend_hash_del(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS")); 204 retval = zend_hash_del(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"));
206 if (retval == SUCCESS) failure = 1; 205 if (retval == SUCCESS) failure = 1;
207 retval = zend_hash_del(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); 206 retval = zend_hash_del(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"));
208 if (retval == SUCCESS) failure = 1; 207 if (retval == SUCCESS) failure = 1;
209 retval = zend_hash_del(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")); 208 retval = zend_hash_del(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"));
210 if (retval == SUCCESS) failure = 1; 209 if (retval == SUCCESS) failure = 1;
211 retval = zend_hash_del(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")); 210 retval = zend_hash_del(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"));
212 if (retval == SUCCESS) failure = 1; 211 if (retval == SUCCESS) failure = 1;
213 } else { 212 } else {
214 retval = zend_hash_exists(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")); 213 retval = zend_hash_exists(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"));
215 retval+= zend_hash_exists(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")); 214 retval+= zend_hash_exists(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"));
@@ -221,19 +220,19 @@ void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC)
221 retval+= zend_hash_exists(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")); 220 retval+= zend_hash_exists(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"));
222 if (retval > 0) failure = 1; 221 if (retval > 0) failure = 1;
223 } 222 }
224 223
225 if (failure) { 224 if (failure) {
226 suhosin_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header"); 225 suhosin_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
227 } 226 }
228 227
229 if (SUHOSIN_G(raw_cookie)) { 228 if (SUHOSIN_G(raw_cookie)) {
230 zval *z; 229 zval *z;
231 MAKE_STD_ZVAL(z); 230 MAKE_STD_ZVAL(z);
232 ZVAL_STRING(z, SUHOSIN_G(raw_cookie), 1); 231 ZVAL_STRING(z, SUHOSIN_G(raw_cookie), 1);
233 zend_hash_add(svars, "RAW_HTTP_COOKIE", sizeof("RAW_HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL); 232 zend_hash_add(svars, "RAW_HTTP_COOKIE", sizeof("RAW_HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL);
234 } 233 }
235 if (SUHOSIN_G(decrypted_cookie)) { 234 if (SUHOSIN_G(decrypted_cookie)) {
236 zval *z; 235 zval *z;
237 MAKE_STD_ZVAL(z); 236 MAKE_STD_ZVAL(z);
238 ZVAL_STRING(z, SUHOSIN_G(decrypted_cookie), 0); 237 ZVAL_STRING(z, SUHOSIN_G(decrypted_cookie), 0);
239 zend_hash_update(svars, "HTTP_COOKIE", sizeof("HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL); 238 zend_hash_update(svars, "HTTP_COOKIE", sizeof("HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL);
@@ -629,47 +628,11 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
629 628
630 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */ 629 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
631 /* This is to protect several silly scripts that do globalizing themself */ 630 /* This is to protect several silly scripts that do globalizing themself */
632 631 if (suhosin_is_protected_varname(var, var_len)) {
633 switch (var_len) { 632 suhosin_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
634 case 18: 633 if (!SUHOSIN_G(simulation)) {
635 if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname; 634 return 0;
636 break; 635 }
637 case 17:
638 if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
639 break;
640 case 16:
641 if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
642 if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
643 break;
644 case 15:
645 if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
646 break;
647 case 14:
648 if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
649 break;
650 case 13:
651 if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
652 if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
653 break;
654 case 8:
655 if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
656 if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
657 break;
658 case 7:
659 if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
660 if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
661 if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
662 break;
663 case 6:
664 if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
665 break;
666 case 5:
667 if (memcmp(var, "_POST", 5)==0) goto protected_varname;
668 break;
669 case 4:
670 if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
671 if (memcmp(var, "_GET", 4)==0) goto protected_varname;
672 break;
673 } 636 }
674 637
675 /* Okay let PHP register this variable */ 638 /* Okay let PHP register this variable */
@@ -691,13 +654,6 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
691 } 654 }
692 655
693 return 1; 656 return 1;
694protected_varname:
695 suhosin_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
696 if (!SUHOSIN_G(simulation)) {
697 return 0;
698 } else {
699 return 1;
700 }
701} 657}
702/* }}} */ 658/* }}} */
703 659
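Review bot: In simulation mode a protected variable name no longer leaves suhosin_input_filter right after the log call. The removed `protected_varname:` label returned 1 immediately, whereas the new `if (suhosin_is_protected_varname(var, var_len))` block falls through into the code after `/* Okay let PHP register this variable */`. That code lies outside the visible hunks, so its effect on this path cannot be judged from here. If the old behaviour is intended, end the block with `return SUHOSIN_G(simulation) ? 1 : 0;`; otherwise state the intent with a comment such as `/* simulation: log only, then continue as for any other variable */`. The helper is not defined in this file section, so please confirm it keeps the exact-length, case-sensitive comparison of the removed switch for every name, because a looser match would change which request variables are dropped.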