From 0fa87e1ab1697cb3b39e3a5663f97dc15cf8d98f Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Mon, 24 Nov 2014 15:26:50 +0100 Subject: extra null check for old startup handler. (#70) --- suhosin.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/suhosin.c b/suhosin.c index b186fbb..8ce279d 100644 --- a/suhosin.c +++ b/suhosin.c @@ -211,7 +211,7 @@ static void suhosin_shutdown(zend_extension *extension) static int suhosin_startup_wrapper(zend_extension *ext) { - int res; + int res = SUCCESS; zend_extension *ex = &suhosin_zend_extension_entry; char *new_info; int new_info_length; @@ -244,7 +244,9 @@ static int suhosin_startup_wrapper(zend_extension *ext) ze->op_array_dtor = stealth_op_array_dtor; /*}*/ - res = old_startup(ext); + if (old_startup != NULL) { + res = old_startup(ext); + } /* ex->name = NULL; ex->author = NULL; -- cgit v1.3 From 720190413f66caa347cc7f386ca7abd43273e4ca Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Tue, 25 Nov 2014 15:21:33 +0100 Subject: corrected ugly grammar mistake "an URL" -> "a URL" --- execute.c | 8 ++++---- tests/include/include_constant.phpt | 2 +- tests/include/include_once_constant.phpt | 2 +- tests/include/include_once_tmpvar.phpt | 2 +- tests/include/include_once_var.phpt | 2 +- tests/include/include_tmpvar.phpt | 2 +- tests/include/include_var.phpt | 2 +- tests/include/require_constant.phpt | 2 +- tests/include/require_once_constant.phpt | 2 +- tests/include/require_once_tmpvar.phpt | 2 +- tests/include/require_once_var.phpt | 2 +- tests/include/require_tmpvar.phpt | 2 +- tests/include/require_var.phpt | 2 +- 13 files changed, 16 insertions(+), 16 deletions(-) diff --git a/execute.c b/execute.c index fb91284..aa37fb9 100644 --- a/execute.c +++ b/execute.c 
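Review bot: The new `if (old_startup != NULL)` guard carries no comment saying when the chained startup handler can legitimately be absent, so a reader cannot tell whether a NULL here is an expected configuration or a broken hook that should be reported; add `/* no previous startup handler to chain to: keep the SUCCESS default */` above it. The `int res = SUCCESS;` initializer in the first hunk exists only to serve this branch, so the comment should tie the two together. The rest of suhosin_startup_wrapper, including where `res` is returned, lies outside the hunk, so whether the default actually reaches the caller cannot be confirmed from here.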
@@ -299,12 +299,12 @@ static zend_bool suhosin_zend_open(const char *filename, zend_file_handle *fh) break; case SUHOSIN_CODE_TYPE_BLACKURL: - suhosin_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", filename); + suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is forbidden by the blacklist", filename); suhosin_bailout(TSRMLS_C); break; case SUHOSIN_CODE_TYPE_BADURL: - suhosin_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed", filename); + suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is not allowed", filename); suhosin_bailout(TSRMLS_C); break; @@ -607,12 +607,12 @@ not_evaled_code: break; case SUHOSIN_CODE_TYPE_BLACKURL: - suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is an URL that is forbidden by the blacklist", op_array->filename); + suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is forbidden by the blacklist", op_array->filename); suhosin_bailout(TSRMLS_C); break; case SUHOSIN_CODE_TYPE_BADURL: - suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is an URL that is not allowed", op_array->filename); + suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is not allowed", op_array->filename); suhosin_bailout(TSRMLS_C); break; diff --git a/tests/include/include_constant.phpt b/tests/include/include_constant.phpt index 180aa69..9fdb5ac 100644 --- a/tests/include/include_constant.phpt +++ b/tests/include/include_constant.phpt @@ -14,4 +14,4 @@ suhosin.executor.include.blacklist= include "http://127.0.0.1/"; ?> --EXPECTF-- -ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2) +ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2) diff --git a/tests/include/include_once_constant.phpt b/tests/include/include_once_constant.phpt index 3faac33..66823cd 100644 
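Review bot: The reworded strings in both hunks change the literal text of an ALERT line that log monitoring may key on, and nothing in the commit records the old spelling; a rule matching `is an URL that is not allowed` or `is an URL that is forbidden by the blacklist` silently stops firing once this lands. A changelog or release-note entry naming both the old and the new strings would cover that, and the updated .phpt expectations in this commit show the exact text is part of the observable contract. The same message pair is duplicated between the hunk at line 299 and the one at line 607; hoisting each into a single `static const char` array would keep the two call sites from drifting apart again. The enclosing functions begin before and continue past both hunks.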
--- a/tests/include/include_once_constant.phpt
+++ b/tests/include/include_once_constant.phpt
@@ -14,4 +14,4 @@ suhosin.executor.include.blacklist=
 include_once "http://127.0.0.1/";
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/include_once_tmpvar.phpt b/tests/include/include_once_tmpvar.phpt
index 1f94c5a..4206893 100644
--- a/tests/include/include_once_tmpvar.phpt
+++ b/tests/include/include_once_tmpvar.phpt
@@ -16,4 +16,4 @@ suhosin.executor.include.blacklist=
 include_once $var.$app;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+ALERT - Include filename ('http://127.0.0.1/?') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_once_var.phpt b/tests/include/include_once_var.phpt
index bf38377..3ba3ff7 100644
--- a/tests/include/include_once_var.phpt
+++ b/tests/include/include_once_var.phpt
@@ -15,4 +15,4 @@ suhosin.executor.include.blacklist=
 include_once $var;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/include_tmpvar.phpt b/tests/include/include_tmpvar.phpt
index 8ad26d7..31d2f0f 100644
--- a/tests/include/include_tmpvar.phpt
+++ b/tests/include/include_tmpvar.phpt
@@ -16,4 +16,4 @@ suhosin.executor.include.blacklist=
 include $var.$app;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+ALERT - Include filename ('http://127.0.0.1/?') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/include_var.phpt b/tests/include/include_var.phpt
index 7431240..598c093 100644
--- a/tests/include/include_var.phpt
+++ b/tests/include/include_var.phpt
@@ -15,4 +15,4 @@ suhosin.executor.include.blacklist=
 include $var;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_constant.phpt b/tests/include/require_constant.phpt
index 6ee79fb..358d69d 100644
--- a/tests/include/require_constant.phpt
+++ b/tests/include/require_constant.phpt
@@ -14,4 +14,4 @@ suhosin.executor.include.blacklist=
 require "http://127.0.0.1/";
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_constant.phpt b/tests/include/require_once_constant.phpt
index 43c69c8..699720a 100644
--- a/tests/include/require_once_constant.phpt
+++ b/tests/include/require_once_constant.phpt
@@ -14,4 +14,4 @@ suhosin.executor.include.blacklist=
 require_once "http://127.0.0.1/";
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 2)
diff --git a/tests/include/require_once_tmpvar.phpt b/tests/include/require_once_tmpvar.phpt
index 2be24b2..956b563 100644
--- a/tests/include/require_once_tmpvar.phpt
+++ b/tests/include/require_once_tmpvar.phpt
@@ -16,4 +16,4 @@ suhosin.executor.include.blacklist=
 require_once $var.$app;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+ALERT - Include filename ('http://127.0.0.1/?') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_once_var.phpt b/tests/include/require_once_var.phpt
index b3857f5..7a2e813 100644
--- a/tests/include/require_once_var.phpt
+++ b/tests/include/require_once_var.phpt
@@ -15,4 +15,4 @@ suhosin.executor.include.blacklist=
 require_once $var;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
diff --git a/tests/include/require_tmpvar.phpt b/tests/include/require_tmpvar.phpt
index d411067..e0b504f 100644
--- a/tests/include/require_tmpvar.phpt
+++ b/tests/include/require_tmpvar.phpt
@@ -16,4 +16,4 @@ suhosin.executor.include.blacklist=
 require $var.$app;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/?') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
+ALERT - Include filename ('http://127.0.0.1/?') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 4)
diff --git a/tests/include/require_var.phpt b/tests/include/require_var.phpt
index 20468d4..3ff9745 100644
--- a/tests/include/require_var.phpt
+++ b/tests/include/require_var.phpt
@@ -15,4 +15,4 @@ suhosin.executor.include.blacklist=
 require $var;
 ?>
 --EXPECTF--
-ALERT - Include filename ('http://127.0.0.1/') is an URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
+ALERT - Include filename ('http://127.0.0.1/') is a URL that is not allowed (attacker 'REMOTE_ADDR not set', file '%s', line 3)
-- 
cgit v1.3
From 72572c6633843074c5ac355410cd622be775afd9 Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek Date: Tue, 25 Nov 2014 15:24:31 +0100 Subject: typo in filename --- tests/executor/function_whilelist.phpt | 17 ----------------- tests/executor/function_whilelist_absmax.phpt | 15 --------------- tests/executor/function_whilelist_call_user_func.phpt | 15 --------------- tests/executor/function_whilelist_maxabs.phpt | 15 --------------- tests/executor/function_whiletist_absmax.phpt | 15 +++++++++++++++ tests/executor/function_whitelist.phpt | 17 +++++++++++++++++ tests/executor/function_whitelist_call_user_func.phpt | 15 +++++++++++++++ tests/executor/function_whitelist_maxabs.phpt | 15 +++++++++++++++ 8 files changed, 62 insertions(+), 62 deletions(-) delete mode 100644 tests/executor/function_whilelist.phpt delete mode 100644 tests/executor/function_whilelist_absmax.phpt delete mode 100644 tests/executor/function_whilelist_call_user_func.phpt delete mode 100644 tests/executor/function_whilelist_maxabs.phpt create mode 100644 tests/executor/function_whiletist_absmax.phpt create mode 100644 tests/executor/function_whitelist.phpt create mode 100644 tests/executor/function_whitelist_call_user_func.phpt create mode 100644 tests/executor/function_whitelist_maxabs.phpt diff --git a/tests/executor/function_whilelist.phpt b/tests/executor/function_whilelist.phpt deleted file mode 100644 index 9017ab4..0000000 --- a/tests/executor/function_whilelist.phpt +++ /dev/null @@ -1,17 +0,0 @@ ---TEST-- -Testing: suhosin.executor.func.whitelist=abs ---SKIPIF-- - ---INI-- -suhosin.log.sapi=64 -suhosin.executor.func.whitelist=abs ---FILE-- - ---EXPECTF-- -ALERT - function outside of whitelist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 3) - -Warning: max() has been disabled for security reasons in %s on line 3 diff --git a/tests/executor/function_whilelist_absmax.phpt b/tests/executor/function_whilelist_absmax.phpt deleted file mode 100644 index f240e69..0000000 --- a/tests/executor/function_whilelist_absmax.phpt +++ /dev/null 
@@ -1,15 +0,0 @@ ---TEST-- -Testing: suhosin.executor.func.whitelist=abs,max ---SKIPIF-- - ---INI-- -suhosin.log.sapi=64 -suhosin.executor.func.whitelist=abs,max ---FILE-- - ---EXPECTF-- - diff --git a/tests/executor/function_whilelist_call_user_func.phpt b/tests/executor/function_whilelist_call_user_func.phpt deleted file mode 100644 index a54010f..0000000 --- a/tests/executor/function_whilelist_call_user_func.phpt +++ /dev/null @@ -1,15 +0,0 @@ ---TEST-- -Testing: suhosin.executor.func.whitelist=call_user_func ---SKIPIF-- - ---INI-- -suhosin.log.sapi=64 -suhosin.executor.func.whitelist=call_user_func ---FILE-- - ---EXPECTF-- -ALERT - function outside of whitelist called: printf() (attacker 'REMOTE_ADDR not set', file '%s', line 2) - -Warning: printf() has been disabled for security reasons in %s on line 2 diff --git a/tests/executor/function_whilelist_maxabs.phpt b/tests/executor/function_whilelist_maxabs.phpt deleted file mode 100644 index 88a356e..0000000 --- a/tests/executor/function_whilelist_maxabs.phpt +++ /dev/null @@ -1,15 +0,0 @@ ---TEST-- -Testing: suhosin.executor.func.whitelist=max,abs ---SKIPIF-- - ---INI-- -suhosin.log.sapi=64 -suhosin.executor.func.whitelist=max,abs ---FILE-- - ---EXPECTF-- - diff --git a/tests/executor/function_whiletist_absmax.phpt b/tests/executor/function_whiletist_absmax.phpt new file mode 100644 index 0000000..f240e69 --- /dev/null +++ b/tests/executor/function_whiletist_absmax.phpt @@ -0,0 +1,15 @@ +--TEST-- +Testing: suhosin.executor.func.whitelist=abs,max +--SKIPIF-- + +--INI-- +suhosin.log.sapi=64 +suhosin.executor.func.whitelist=abs,max +--FILE-- + +--EXPECTF-- + diff --git a/tests/executor/function_whitelist.phpt b/tests/executor/function_whitelist.phpt new file mode 100644 index 0000000..9017ab4 --- /dev/null +++ b/tests/executor/function_whitelist.phpt 
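Review bot: The renamed file `tests/executor/function_whiletist_absmax.phpt` still misspells the word this commit sets out to fix; its three siblings in the same commit are `function_whitelist*.phpt`, so this one should be `tests/executor/function_whitelist_absmax.phpt`. The content is byte-identical to the deleted `function_whilelist_absmax.phpt` (both sides carry blob f240e69), so only the path needs to change.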
@@ -0,0 +1,17 @@ +--TEST-- +Testing: suhosin.executor.func.whitelist=abs +--SKIPIF-- + +--INI-- +suhosin.log.sapi=64 +suhosin.executor.func.whitelist=abs +--FILE-- + +--EXPECTF-- +ALERT - function outside of whitelist called: max() (attacker 'REMOTE_ADDR not set', file '%s', line 3) + +Warning: max() has been disabled for security reasons in %s on line 3 diff --git a/tests/executor/function_whitelist_call_user_func.phpt b/tests/executor/function_whitelist_call_user_func.phpt new file mode 100644 index 0000000..a54010f --- /dev/null +++ b/tests/executor/function_whitelist_call_user_func.phpt @@ -0,0 +1,15 @@ +--TEST-- +Testing: suhosin.executor.func.whitelist=call_user_func +--SKIPIF-- + +--INI-- +suhosin.log.sapi=64 +suhosin.executor.func.whitelist=call_user_func +--FILE-- + +--EXPECTF-- +ALERT - function outside of whitelist called: printf() (attacker 'REMOTE_ADDR not set', file '%s', line 2) + +Warning: printf() has been disabled for security reasons in %s on line 2 diff --git a/tests/executor/function_whitelist_maxabs.phpt b/tests/executor/function_whitelist_maxabs.phpt new file mode 100644 index 0000000..88a356e --- /dev/null +++ b/tests/executor/function_whitelist_maxabs.phpt @@ -0,0 +1,15 @@ +--TEST-- +Testing: suhosin.executor.func.whitelist=max,abs +--SKIPIF-- + +--INI-- +suhosin.log.sapi=64 +suhosin.executor.func.whitelist=max,abs +--FILE-- + +--EXPECTF-- + -- cgit v1.3 From 7ea20b91eaa4d977991ef81bf1000758c9d3b6c6 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Tue, 25 Nov 2014 16:11:40 +0100 Subject: clarification how include black-/whitelists work --- suhosin.ini | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/suhosin.ini b/suhosin.ini index f844b9e..e739dff 100644 --- a/suhosin.ini +++ b/suhosin.ini 
@@ -338,7 +338,12 @@
 ; specify the beginning of allowed URLs. (f.e.: php://stdin) If no whitelist is
 ; specified, then the blacklist is evaluated.
 ;
-; Note: This setting deactivates suhosin.executor.include.blacklist.
+; Notes:
+;
+; * This setting deactivates suhosin.executor.include.blacklist.
+; * If both suhosin.executor.include.whitelist and
+; suhosin.executor.include.blacklist are unset or empty, all URLs will be
+; blocked. This is the default.
 ;
 ;suhosin.executor.include.whitelist =
 ;
-- 
cgit v1.3