From 200e697807b4de3af042edb3dea4d3db8fba9f03 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Fri, 23 Sep 2016 17:35:03 +0200 Subject: whitespace / code indentation --- execute.c | 598 ++++++++++++++++++++++++++++++-------------------------------- 1 file changed, 294 insertions(+), 304 deletions(-) (limited to 'execute.c') diff --git a/execute.c b/execute.c index e3cd0b3..4d5d41b 100644 --- a/execute.c +++ b/execute.c @@ -85,7 +85,7 @@ conts: for (t=h; *n; t++, n++) { if (toupper(*t) != toupper(*n)) goto conts; } - return ((char*)h-1); + return ((char*)h-1); } } @@ -126,7 +126,7 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC) return SUHOSIN_CODE_TYPE_LONGNAME; } memcpy(fname, s, len); - fname[len] = 0; + fname[len] = 0; s = (char *)&fname; e = s + len; @@ -134,14 +134,14 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC) if (len != strlen(s)) { return SUHOSIN_CODE_TYPE_0FILE; } - + /* disallow uploaded files */ if (SG(rfc1867_uploaded_files)) { if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) s, e-s+1)) { return SUHOSIN_CODE_TYPE_UPLOADED; } } - + /* count number of directory traversals */ for (i=0; i < len-3; i++) { if (s[i] == '.' && s[i+1] == '.' && (s[i+2] == '/' || s[i+2] == '\\')) { @@ -152,7 +152,7 @@ static int suhosin_check_filename(char *s, int len TSRMLS_DC) if (SUHOSIN_G(executor_include_max_traversal) && SUHOSIN_G(executor_include_max_traversal)<=count) { return SUHOSIN_CODE_TYPE_MANYDOTS; } - + SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist)); /* no black or whitelist then disallow all */ if (SUHOSIN_G(include_whitelist)==NULL && SUHOSIN_G(include_blacklist)==NULL) { @@ -160,29 +160,29 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist)); if (strstr(s, "://") != NULL || suhosin_strcasestr(s, "data:") != NULL) { return SUHOSIN_CODE_TYPE_BADURL; } - } else + } else /* whitelist is stronger than blacklist */ if (SUHOSIN_G(include_whitelist)) { - + do { isOk = 0; - + h = strstr(s, "://"); h2 = suhosin_strcasestr(s, "data:"); h2 = h2 == NULL ? NULL : h2 + 4; t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) ); if (h == NULL) break; - + while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) { t--; } - + tlen = e-t; - + zend_hash_internal_pointer_reset(SUHOSIN_G(include_whitelist)); do { int r = zend_hash_get_current_key_ex(SUHOSIN_G(include_whitelist), &index, &indexlen, &numindex, 0, NULL); - + if (r==HASH_KEY_NON_EXISTANT) { break; } @@ -194,28 +194,28 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist)); } } } - + zend_hash_move_forward(SUHOSIN_G(include_whitelist)); } while (1); - + /* not found in whitelist */ if (!isOk) { return SUHOSIN_CODE_TYPE_BADURL; } - + s = h + 1; } while (1); } else { - + do { int tlen; - + h = strstr(s, "://"); h2 = suhosin_strcasestr(s, "data:"); h2 = h2 == NULL ? NULL : h2 + 4; t = h = (h == NULL) ? h2 : ( (h2 == NULL) ? h : ( (h < h2) ? h : h2 ) ); if (h == NULL) break; - + while (t > s && (isalnum(t[-1]) || t[-1]=='_' || t[-1]=='.')) { t--; } @@ -236,21 +236,21 @@ SDEBUG("xxx %p %p",SUHOSIN_G(include_whitelist),SUHOSIN_G(include_blacklist)); } } } - + zend_hash_move_forward(SUHOSIN_G(include_blacklist)); } while (1); - + s = h + 1; } while (1); } /* disallow writable files */ if (!SUHOSIN_G(executor_include_allow_writable_files)) { - /* protection against *REMOTE* attacks, potential - race condition of access() is irrelevant */ - if (access(s, W_OK) == 0) { - return SUHOSIN_CODE_TYPE_WRITABLE; - } + /* protection against *REMOTE* attacks, potential + race condition of access() is irrelevant */ + if (access(s, W_OK) == 0) { + return SUHOSIN_CODE_TYPE_WRITABLE; + } } return SUHOSIN_CODE_TYPE_GOODFILE; @@ -265,39 +265,39 @@ static int suhosin_zend_stream_open(const char *filename, zend_file_handle *fh T exd=EG(current_execute_data); if (EG(in_execution) && (exd!=NULL) && (exd->opline != NULL) && (exd->opline->opcode == ZEND_INCLUDE_OR_EVAL)) { int filetype = suhosin_check_filename((char *)filename, strlen(filename) TSRMLS_CC); - + switch (filetype) { - case SUHOSIN_CODE_TYPE_LONGNAME: + case SUHOSIN_CODE_TYPE_LONGNAME: suhosin_log(S_INCLUDE, "Include filename ('%s') is too long", filename); suhosin_bailout(TSRMLS_C); break; - case SUHOSIN_CODE_TYPE_UPLOADED: + case SUHOSIN_CODE_TYPE_UPLOADED: suhosin_log(S_INCLUDE, "Include filename is an uploaded file"); suhosin_bailout(TSRMLS_C); break; - - case SUHOSIN_CODE_TYPE_0FILE: + + case SUHOSIN_CODE_TYPE_0FILE: suhosin_log(S_INCLUDE, "Include filename contains an ASCIIZ character"); suhosin_bailout(TSRMLS_C); break; - - case SUHOSIN_CODE_TYPE_WRITABLE: + + case SUHOSIN_CODE_TYPE_WRITABLE: suhosin_log(S_INCLUDE, "Include filename ('%s') is writable by PHP process", filename); suhosin_bailout(TSRMLS_C); - break; + break; - case SUHOSIN_CODE_TYPE_BLACKURL: + case SUHOSIN_CODE_TYPE_BLACKURL: suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is forbidden by the blacklist", filename); suhosin_bailout(TSRMLS_C); break; - - case SUHOSIN_CODE_TYPE_BADURL: + + case SUHOSIN_CODE_TYPE_BADURL: suhosin_log(S_INCLUDE, "Include filename ('%s') is a URL that is not allowed", filename); suhosin_bailout(TSRMLS_C); break; - case SUHOSIN_CODE_TYPE_MANYDOTS: + case SUHOSIN_CODE_TYPE_MANYDOTS: suhosin_log(S_INCLUDE, "Include filename ('%s') contains too many '../'", filename); suhosin_bailout(TSRMLS_C); break; @@ -313,14 +313,13 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC) int r; s = (char *)op_array->filename; - + /* eval, assert, create_function, preg_replace */ if (op_array->type == ZEND_EVAL_CODE) { - if (s == NULL) { return SUHOSIN_CODE_TYPE_UNKNOWN; } - + if (strstr(s, "eval()'d code") != NULL) { return SUHOSIN_CODE_TYPE_EVAL; } @@ -340,7 +339,7 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC) if (strstr(s, "runtime-created function") != NULL) { return SUHOSIN_CODE_TYPE_CFUNC; } - + if (strstr(s, "Command line code") != NULL) { return SUHOSIN_CODE_TYPE_COMMANDLINE; } @@ -356,22 +355,15 @@ static int suhosin_detect_codetype(zend_op_array *op_array TSRMLS_DC) if (strstr(s, "Command line end code") != NULL) { return SUHOSIN_CODE_TYPE_COMMANDLINE; } - + if (strstr(s, "suhosin internal code") != NULL) { return SUHOSIN_CODE_TYPE_SUHOSIN; } - } else { - r = suhosin_check_filename(s, strlen(s) TSRMLS_CC); -/* switch (r) { - case SUHOSIN_CODE_TYPE_GOODFILE: - break; - } */ return r; - } - + return SUHOSIN_CODE_TYPE_UNKNOWN; } @@ -391,12 +383,12 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML zval cs; zend_uint orig_code_type; unsigned long *suhosin_flags = NULL; - + /* log variable dropping statistics */ if (SUHOSIN_G(abort_request)) { - + SUHOSIN_G(abort_request) = 0; /* we only want this to happen the first time */ - + if (SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables) > 0) { suhosin_log(S_VARS, "dropped %u request variables - (%u in GET, %u in POST, %u in COOKIE)", SUHOSIN_G(att_request_variables)-SUHOSIN_G(cur_request_variables), @@ -404,33 +396,33 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML SUHOSIN_G(att_post_vars)-SUHOSIN_G(cur_post_vars), SUHOSIN_G(att_cookie_vars)-SUHOSIN_G(cur_cookie_vars)); } - + if (!SUHOSIN_G(simulation) && SUHOSIN_G(filter_action)) { - + char *action = SUHOSIN_G(filter_action); long code = -1; - + while (*action == ' ' || *action == '\t') action++; - + if (*action >= '0' && *action <= '9') { char *end = action; while (*end && *end != ',' && *end != ';') end++; code = zend_atoi(action, end-action); action = end; } - + while (*action == ' ' || *action == '\t' || *action == ',' || *action == ';') action++; - + if (*action) { - + if (strncasecmp("http://", action, sizeof("http://")-1)==0 || strncasecmp("https://", action, sizeof("https://")-1)==0) { sapi_header_line ctr = {0}; - + if (code == -1) { code = 302; } - + ctr.line_len = spprintf(&ctr.line, 0, "Location: %s", action); ctr.response_code = code; sapi_header_op(SAPI_HEADER_REPLACE, &ctr TSRMLS_CC); @@ -439,11 +431,11 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML zend_file_handle file_handle; zend_op_array *new_op_array; zval *result = NULL; - + if (code == -1) { code = 200; } - + if (zend_stream_open(action, &file_handle TSRMLS_CC) == SUCCESS) { if (!file_handle.opened_path) { file_handle.opened_path = estrndup(action, strlen(action)); @@ -472,24 +464,24 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML } } } - + sapi_header_op(SAPI_HEADER_SET_STATUS, (void *)code TSRMLS_CC); zend_bailout(); } } - + SDEBUG("%s %s", op_array->filename, op_array->function_name); - + SUHOSIN_G(execution_depth)++; - + if (SUHOSIN_G(max_execution_depth) && SUHOSIN_G(execution_depth) > SUHOSIN_G(max_execution_depth)) { suhosin_log(S_EXECUTOR|S_GETCALLER, "maximum execution depth reached - script terminated"); suhosin_bailout(TSRMLS_C); } - + fn = (char *)op_array->filename; len = strlen(fn); - + orig_code_type = SUHOSIN_G(in_code_type); if (op_array->type == ZEND_EVAL_CODE) { SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; @@ -497,7 +489,7 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML if (suhosin_zend_extension_entry.resource_number != -1) { suhosin_flags = (unsigned long *) &op_array->reserved[suhosin_zend_extension_entry.resource_number]; SDEBUG("suhosin flags: %08lx", *suhosin_flags); - + if (*suhosin_flags & SUHOSIN_FLAG_CREATED_BY_EVAL) { SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; } @@ -505,7 +497,7 @@ static void suhosin_execute_ex(zend_op_array *op_array, int zo, long dummy TSRML goto not_evaled_code; } } - + if (strstr(op_array->filename, "eval()'d code")) { SUHOSIN_G(in_code_type) = SUHOSIN_EVAL; } else { @@ -523,39 +515,39 @@ not_evaled_code: /* if (SUHOSIN_G(deactivate)) { goto continue_execution; } -*/ +*/ op_array_type = suhosin_detect_codetype(op_array TSRMLS_CC); - + switch (op_array_type) { - case SUHOSIN_CODE_TYPE_EVAL: - if (SUHOSIN_G(executor_disable_eval)) { - suhosin_log(S_EXECUTOR|S_GETCALLER, "use of eval is forbidden by configuration"); - if (!SUHOSIN_G(simulation)) { - zend_error(E_ERROR, "SUHOSIN - Use of eval is forbidden by configuration"); - } - } - break; - - case SUHOSIN_CODE_TYPE_REGEXP: - if (SUHOSIN_G(executor_disable_emod)) { - suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration"); - if (!SUHOSIN_G(simulation)) { - zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration"); - } - } - break; - + case SUHOSIN_CODE_TYPE_EVAL: + if (SUHOSIN_G(executor_disable_eval)) { + suhosin_log(S_EXECUTOR|S_GETCALLER, "use of eval is forbidden by configuration"); + if (!SUHOSIN_G(simulation)) { + zend_error(E_ERROR, "SUHOSIN - Use of eval is forbidden by configuration"); + } + } + break; + + case SUHOSIN_CODE_TYPE_REGEXP: + if (SUHOSIN_G(executor_disable_emod)) { + suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration"); + if (!SUHOSIN_G(simulation)) { + zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration"); + } + } + break; + case SUHOSIN_CODE_TYPE_MBREGEXP: /* XXX TODO: Do we want to disallow this, too? */ break; - - case SUHOSIN_CODE_TYPE_ASSERT: - break; - - case SUHOSIN_CODE_TYPE_CFUNC: - break; - + + case SUHOSIN_CODE_TYPE_ASSERT: + break; + + case SUHOSIN_CODE_TYPE_CFUNC: + break; + case SUHOSIN_CODE_TYPE_LONGNAME: suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is too long", op_array->filename); suhosin_bailout(TSRMLS_C); @@ -565,49 +557,49 @@ not_evaled_code: suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') contains too many '../'", op_array->filename); suhosin_bailout(TSRMLS_C); break; - + case SUHOSIN_CODE_TYPE_UPLOADED: - suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename is an uploaded file"); - suhosin_bailout(TSRMLS_C); - break; - - case SUHOSIN_CODE_TYPE_0FILE: + suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename is an uploaded file"); + suhosin_bailout(TSRMLS_C); + break; + + case SUHOSIN_CODE_TYPE_0FILE: suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename contains an ASCIIZ character"); suhosin_bailout(TSRMLS_C); break; - - case SUHOSIN_CODE_TYPE_WRITABLE: - suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is writable by PHP process", op_array->filename); - suhosin_bailout(TSRMLS_C); - break; - case SUHOSIN_CODE_TYPE_BLACKURL: + case SUHOSIN_CODE_TYPE_WRITABLE: + suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is writable by PHP process", op_array->filename); + suhosin_bailout(TSRMLS_C); + break; + + case SUHOSIN_CODE_TYPE_BLACKURL: suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is forbidden by the blacklist", op_array->filename); suhosin_bailout(TSRMLS_C); break; - - case SUHOSIN_CODE_TYPE_BADURL: + + case SUHOSIN_CODE_TYPE_BADURL: suhosin_log(S_INCLUDE|S_GETCALLER, "Include filename ('%s') is a URL that is not allowed", op_array->filename); - suhosin_bailout(TSRMLS_C); + suhosin_bailout(TSRMLS_C); break; - case SUHOSIN_CODE_TYPE_BADFILE: - cs.type = IS_STRING; + case SUHOSIN_CODE_TYPE_BADFILE: + cs.type = IS_STRING; #define DIE_WITH_MSG "die('disallowed_file'.chr(10).chr(10));" - cs.value.str.val = estrndup(DIE_WITH_MSG, sizeof(DIE_WITH_MSG)-1); - cs.value.str.len = sizeof(DIE_WITH_MSG)-1; - new_op_array = compile_string(&cs, "suhosin internal code" TSRMLS_CC); - if (new_op_array) { + cs.value.str.val = estrndup(DIE_WITH_MSG, sizeof(DIE_WITH_MSG)-1); + cs.value.str.len = sizeof(DIE_WITH_MSG)-1; + new_op_array = compile_string(&cs, "suhosin internal code" TSRMLS_CC); + if (new_op_array) { op_array = new_op_array; goto continue_execution; - } - suhosin_bailout(TSRMLS_C); - break; - - case SUHOSIN_CODE_TYPE_COMMANDLINE: - case SUHOSIN_CODE_TYPE_SUHOSIN: - case SUHOSIN_CODE_TYPE_UNKNOWN: - case SUHOSIN_CODE_TYPE_GOODFILE: + } + suhosin_bailout(TSRMLS_C); + break; + + case SUHOSIN_CODE_TYPE_COMMANDLINE: + case SUHOSIN_CODE_TYPE_SUHOSIN: + case SUHOSIN_CODE_TYPE_UNKNOWN: + case SUHOSIN_CODE_TYPE_GOODFILE: goto continue_execution; } @@ -640,7 +632,7 @@ static void suhosin_execute(zend_op_array *op_array TSRMLS_DC) static void suhosin_execute_ZO(zend_op_array *op_array, long dummy TSRMLS_DC) { suhosin_execute_ex(op_array, 1, dummy TSRMLS_CC); -} +} /* }}} */ #endif @@ -676,28 +668,28 @@ int ih_preg_replace(IH_HANDLER_PARAMS) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|ZZ", ®ex, &replace, &subject, &limit, &zcount) == FAILURE) { return (1); } - + if (Z_TYPE_PP(regex) == IS_ARRAY) { zval **regex_entry; - + zend_hash_internal_pointer_reset(Z_ARRVAL_PP(regex)); /* For each entry in the regex array, get the entry */ while (zend_hash_get_current_data(Z_ARRVAL_PP(regex), (void **)®ex_entry) == SUCCESS) { - + if (Z_TYPE_PP(regex_entry) == IS_STRING) { if (strlen(Z_STRVAL_PP(regex_entry)) != Z_STRLEN_PP(regex_entry)) { suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected"); - if (!SUHOSIN_G(simulation)) { + if (!SUHOSIN_G(simulation)) { RETVAL_FALSE; return (1); } } } - + zend_hash_move_forward(Z_ARRVAL_PP(regex)); - + } - + } else if (Z_TYPE_PP(regex) == IS_STRING) { if (strlen(Z_STRVAL_PP(regex)) != Z_STRLEN_PP(regex)) { suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected"); @@ -707,7 +699,7 @@ int ih_preg_replace(IH_HANDLER_PARAMS) } } } - + return (0); } @@ -716,7 +708,7 @@ int ih_symlink(IH_HANDLER_PARAMS) if (SUHOSIN_G(executor_allow_symlink)) { return (0); } - + if (PG(open_basedir) && PG(open_basedir)[0]) { suhosin_log(S_EXECUTOR, "symlink called during open_basedir"); if (!SUHOSIN_G(simulation)) { @@ -724,7 +716,7 @@ int ih_symlink(IH_HANDLER_PARAMS) return (1); } } - + return (0); } @@ -796,7 +788,7 @@ int ih_mail(IH_HANDLER_PARAMS) } } } - + if (SUHOSIN_G(mailprotect) > 1) { /* search for to, cc or bcc headers */ if (headers_len > 0 && headers != NULL) { @@ -807,7 +799,7 @@ int ih_mail(IH_HANDLER_PARAMS) return (1); } } - + if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || suhosin_strcasestr(headers, "\ncc:")) { suhosin_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter."); if (!SUHOSIN_G(simulation)) { @@ -848,18 +840,18 @@ int ih_querycheck(IH_HANDLER_PARAMS) int cnt_union = 0, cnt_select = 0, cnt_comment = 0, cnt_opencomment = 0; int mysql_extension = 0; - + SDEBUG("function: %s", ih->name); arg_count = (unsigned long) *p; if (ht < (long) ih->arg1) { return (0); } - + if ((long) ih->arg2) { - mysql_extension = 1; + mysql_extension = 1; } - + arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */ backup = *arg; @@ -869,125 +861,125 @@ int ih_querycheck(IH_HANDLER_PARAMS) len = Z_STRLEN_P(backup); query = Z_STRVAL_P(backup); SDEBUG("SQL |%s|", query); - + s = query; e = s+len; - + while (s < e) { - switch (state) - { - case SQLSTATE_SQL: - switch (s[0]) - { - case '`': - state = SQLSTATE_IDENTIFIER; - quote = '`'; - break; - case '\'': - case '"': - state = SQLSTATE_STRING; - quote = *s; - break; - case '/': - if (s[1]=='*') { - if (mysql_extension == 1 && s[2] == '!') { - s += 2; - break; - } - s++; - state = SQLSTATE_MLCOMMENT; - cnt_comment++; - } - break; - case '-': - if (s[1]=='-') { - s++; - state = SQLSTATE_COMMENT; - cnt_comment++; - } - break; - case '#': - state = SQLSTATE_COMMENT; - cnt_comment++; - break; - case 'u': - case 'U': - if (strncasecmp("union", s, 5)==0) { - s += 4; - cnt_union++; - } - break; - case 's': - case 'S': - if (strncasecmp("select", s, 6)==0) { - s += 5; - cnt_select++; - } - break; - } - break; - case SQLSTATE_STRING: + switch (state) + { + case SQLSTATE_SQL: + switch (s[0]) + { + case '`': + state = SQLSTATE_IDENTIFIER; + quote = '`'; + break; + case '\'': + case '"': + state = SQLSTATE_STRING; + quote = *s; + break; + case '/': + if (s[1]=='*') { + if (mysql_extension == 1 && s[2] == '!') { + s += 2; + break; + } + s++; + state = SQLSTATE_MLCOMMENT; + cnt_comment++; + } + break; + case '-': + if (s[1]=='-') { + s++; + state = SQLSTATE_COMMENT; + cnt_comment++; + } + break; + case '#': + state = SQLSTATE_COMMENT; + cnt_comment++; + break; + case 'u': + case 'U': + if (strncasecmp("union", s, 5)==0) { + s += 4; + cnt_union++; + } + break; + case 's': + case 'S': + if (strncasecmp("select", s, 6)==0) { + s += 5; + cnt_select++; + } + break; + } + break; + case SQLSTATE_STRING: case SQLSTATE_IDENTIFIER: - if (s[0] == quote) { - if (s[1] == quote) { - s++; - } else { - state = SQLSTATE_SQL; - } - } - if (s[0] == '\\') { - s++; - } - break; + if (s[0] == quote) { + if (s[1] == quote) { + s++; + } else { + state = SQLSTATE_SQL; + } + } + if (s[0] == '\\') { + s++; + } + break; case SQLSTATE_COMMENT: - while (s[0] && s[0] != '\n') { - s++; - } - state = SQLSTATE_SQL; - break; - case SQLSTATE_MLCOMMENT: - while (s[0] && (s[0] != '*' || s[1] != '/')) { - s++; - } - if (s[0]) { - state = SQLSTATE_SQL; - } - break; - } - s++; + while (s[0] && s[0] != '\n') { + s++; + } + state = SQLSTATE_SQL; + break; + case SQLSTATE_MLCOMMENT: + while (s[0] && (s[0] != '*' || s[1] != '/')) { + s++; + } + if (s[0]) { + state = SQLSTATE_SQL; + } + break; + } + s++; } if (state == SQLSTATE_MLCOMMENT) { - cnt_opencomment = 1; + cnt_opencomment = 1; } - + if (cnt_opencomment && SUHOSIN_G(sql_opencomment)>0) { - suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query); - if (SUHOSIN_G(sql_opencomment)>1) { + suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query); + if (SUHOSIN_G(sql_opencomment)>1) { suhosin_bailout(TSRMLS_C); - } + } } - + if (cnt_comment && SUHOSIN_G(sql_comment)>0) { - suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query); - if (SUHOSIN_G(sql_comment)>1) { + suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query); + if (SUHOSIN_G(sql_comment)>1) { suhosin_bailout(TSRMLS_C); - } + } } if (cnt_union && SUHOSIN_G(sql_union)>0) { - suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query); - if (SUHOSIN_G(sql_union)>1) { + suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query); + if (SUHOSIN_G(sql_union)>1) { suhosin_bailout(TSRMLS_C); - } + } } if (cnt_select>1 && SUHOSIN_G(sql_mselect)>0) { - suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query); - if (SUHOSIN_G(sql_mselect)>1) { + suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query); + if (SUHOSIN_G(sql_mselect)>1) { suhosin_bailout(TSRMLS_C); - } + } } - + return (0); } @@ -1000,19 +992,19 @@ int ih_fixusername(IH_HANDLER_PARAMS) char *prefix, *postfix, *user, *user_match, *cp; zval *backup, *my_user; int prefix_len, postfix_len, len; - + SDEBUG("function (fixusername): %s", ih->name); - + prefix = SUHOSIN_G(sql_user_prefix); postfix = SUHOSIN_G(sql_user_postfix); user_match = SUHOSIN_G(sql_user_match); - + arg_count = (unsigned long) *p; if (ht < (long) ih->arg1) { return (0); } - + arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */ backup = *arg; @@ -1046,18 +1038,18 @@ int ih_fixusername(IH_HANDLER_PARAMS) } prefix_len = strlen(prefix); postfix_len = strlen(postfix); - + MAKE_STD_ZVAL(my_user); my_user->type = IS_STRING; my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix); - + /* XXX: memory_leak? */ - *arg = my_user; - + *arg = my_user; + len = Z_STRLEN_P(my_user); user = Z_STRVAL_P(my_user); } - + if (user_match && user_match[0]) { #ifdef HAVE_FNMATCH if (fnmatch(user_match, user, 0) != 0) { @@ -1076,7 +1068,7 @@ int ih_fixusername(IH_HANDLER_PARAMS) } #endif } - + SDEBUG("function: %s - user: %s", ih->name, user); return (0); @@ -1105,7 +1097,7 @@ static int ih_function_exists(IH_HANDLER_PARAMS) } retval = (zend_hash_find(EG(function_table), name, name_len+1, (void **)&func) == SUCCESS); - + /* * A bit of a hack, but not a bad one: we see if the handler of the function * is actually one that displays "function is disabled" message. @@ -1130,7 +1122,7 @@ static int ih_function_exists(IH_HANDLER_PARAMS) } } } - + if (SUHOSIN_G(func_whitelist) != NULL) { if (!zend_hash_exists(SUHOSIN_G(func_whitelist), name, name_len+1)) { retval = 0; @@ -1174,7 +1166,7 @@ ret: Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura, Copyright (C) 2000 - 2003, Richard J. Wagner - All rights reserved. + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions @@ -1187,8 +1179,8 @@ ret: notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - 3. The names of its contributors may not be used to endorse or promote - products derived from this software without specific prior written + 3. The names of its contributors may not be used to endorse or promote + products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS @@ -1302,14 +1294,14 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D) { /* Pull a 32-bit integer from the generator state Every other access function simply transforms the numbers extracted here */ - + register php_uint32 s1; if (SUHOSIN_G(mt_left) == 0) { suhosin_mt_reload(SUHOSIN_G(mt_state), &SUHOSIN_G(mt_next), &SUHOSIN_G(mt_left)); } --SUHOSIN_G(mt_left); - + s1 = *SUHOSIN_G(mt_next)++; s1 ^= (s1 >> 11); s1 ^= (s1 << 7) & 0x9d2c5680U; @@ -1329,11 +1321,11 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC) unsigned long heap_value = (unsigned long)SUHOSIN_G(r_state); suhosin_SHA256_CTX context; int fd; - + code_value ^= code_value >> 32; stack_value ^= stack_value >> 32; heap_value ^= heap_value >> 32; - + seedbuf[0] = code_value; seedbuf[1] = stack_value; seedbuf[2] = heap_value; @@ -1372,7 +1364,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC) */ static void suhosin_srand_auto(TSRMLS_D) { - php_uint32 seed[8]; + php_uint32 seed[8]; suhosin_gen_entropy(&seed[0] TSRMLS_CC); suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(r_state)); @@ -1387,7 +1379,7 @@ static void suhosin_srand_auto(TSRMLS_D) */ static void suhosin_mt_srand_auto(TSRMLS_D) { - php_uint32 seed[8]; + php_uint32 seed[8]; suhosin_gen_entropy(&seed[0] TSRMLS_CC); suhosin_mt_init_by_array(seed, 8, SUHOSIN_G(mt_state)); @@ -1418,14 +1410,14 @@ static php_uint32 suhosin_rand(TSRMLS_D) { /* Pull a 32-bit integer from the generator state Every other access function simply transforms the numbers extracted here */ - + register php_uint32 s1; if (SUHOSIN_G(r_left) == 0) { suhosin_mt_reload(SUHOSIN_G(r_state), &SUHOSIN_G(r_next), &SUHOSIN_G(r_left)); } --SUHOSIN_G(r_left); - + s1 = *SUHOSIN_G(r_next)++; s1 ^= (s1 >> 11); s1 ^= (s1 << 7) & 0x9d2c5680U; @@ -1443,7 +1435,7 @@ static int ih_srand(IH_HANDLER_PARAMS) SUHOSIN_G(r_is_seeded) = 0; return 1; } - + if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) { return 1; } @@ -1465,7 +1457,7 @@ static int ih_mt_srand(IH_HANDLER_PARAMS) SUHOSIN_G(mt_is_seeded) = 0; return 1; } - + if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE) { return 1; } @@ -1486,7 +1478,7 @@ static int ih_mt_rand(IH_HANDLER_PARAMS) long number; if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) { - return (1); + return (1); } if (!SUHOSIN_G(mt_is_seeded)) { @@ -1510,7 +1502,7 @@ static int ih_rand(IH_HANDLER_PARAMS) long number; if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) { - return (1); + return (1); } if (!SUHOSIN_G(r_is_seeded)) { @@ -1540,16 +1532,16 @@ internal_function_handler ihandlers[] = { { "preg_replace", ih_preg_replace, NULL, NULL, NULL }, { "mail", ih_mail, NULL, NULL, NULL }, { "symlink", ih_symlink, NULL, NULL, NULL }, - + { "srand", ih_srand, NULL, NULL, NULL }, { "mt_srand", ih_mt_srand, NULL, NULL, NULL }, { "rand", ih_rand, NULL, NULL, NULL }, { "mt_rand", ih_mt_rand, NULL, NULL, NULL }, { "getrandmax", ih_getrandmax, NULL, NULL, NULL }, { "mt_getrandmax", ih_getrandmax, NULL, NULL, NULL }, - + { "function_exists", ih_function_exists, NULL, NULL, NULL }, - + /* Mysqli */ { "mysqli::mysqli", ih_fixusername, (void *)2, NULL, NULL }, { "mysqli_connect", ih_fixusername, (void *)2, NULL, NULL }, @@ -1557,7 +1549,7 @@ internal_function_handler ihandlers[] = { { "mysqli_real_connect", ih_fixusername, (void *)3, NULL, NULL }, { "mysqli_change_user", ih_fixusername, (void *)2, NULL, NULL }, { "mysqli::change_user", ih_fixusername, (void *)1, NULL, NULL }, - + { "mysqli::query", ih_querycheck, (void *)1, (void *)1, NULL }, { "mysqli_query", ih_querycheck, (void *)2, (void *)1, NULL }, { "mysqli::multi_query", ih_querycheck, (void *)1, (void *)1, NULL }, @@ -1572,14 +1564,14 @@ internal_function_handler ihandlers[] = { { "mysqli_master_query", ih_querycheck, (void *)2, (void *)1, NULL }, { "mysqli_slave_query", ih_querycheck, (void *)2, (void *)1, NULL }, // ---- - + /* Mysql API - deprecated in PHP 5.5 */ { "mysql_connect", ih_fixusername, (void *)2, NULL, NULL }, { "mysql_pconnect", ih_fixusername, (void *)2, NULL, NULL }, { "mysql_query", ih_querycheck, (void *)1, (void *)1, NULL }, { "mysql_db_query", ih_querycheck, (void *)2, (void *)1, NULL }, { "mysql_unbuffered_query", ih_querycheck, (void *)1, (void *)1, NULL }, - + #ifdef SUHOSIN_EXPERIMENTAL /* MaxDB */ { "maxdb::maxdb", ih_fixusername, (void *)2, NULL, NULL }, @@ -1588,7 +1580,7 @@ internal_function_handler ihandlers[] = { { "maxdb_real_connect", ih_fixusername, (void *)3, NULL, NULL }, { "maxdb::change_user", ih_fixusername, (void *)1, NULL, NULL }, { "maxdb_change_user", ih_fixusername, (void *)2, NULL, NULL }, - + { "maxdb_master_query", ih_querycheck, (void *)2, NULL, NULL }, { "maxdb::multi_query", ih_querycheck, (void *)1, NULL, NULL }, { "maxdb_multi_query", ih_querycheck, (void *)2, NULL, NULL }, @@ -1607,7 +1599,7 @@ internal_function_handler ihandlers[] = { { "pdo::query", ih_querycheck, (void *)1, NULL, NULL }, { "pdo::prepare", ih_querycheck, (void *)1, NULL, NULL }, { "pdo::exec", ih_querycheck, (void *)1, NULL, NULL }, - + /* Oracle OCI8 */ { "ocilogon", ih_fixusername, (void *)1, NULL, NULL }, { "ociplogon", ih_fixusername, (void *)1, NULL, NULL }, @@ -1653,7 +1645,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, zend_f zval **return_value_ptr; zval *this_ptr; int ht; - + if (fci) { return_value = *fci->retval_ptr_ptr; return_value_ptr = fci->retval_ptr_ptr; @@ -1666,7 +1658,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, zend_f return_value_ptr = (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE) ? &ret->var.ptr : NULL; this_ptr = execute_data_ptr->object; ht = execute_data_ptr->opline->extended_value; - } + } #else static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC) { @@ -1681,7 +1673,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re ce = ((zend_internal_function *) execute_data_ptr->function_state.function)->scope; lcname = (char *)((zend_internal_function *) execute_data_ptr->function_state.function)->function_name; function_name_strlen = strlen(lcname); - + /* handle methodcalls correctly */ if (ce != NULL) { char *tmp = (char *) emalloc(function_name_strlen + 2 + ce->name_length + 1); @@ -1695,14 +1687,14 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re zend_str_tolower(lcname, function_name_strlen); } -#if PHP_VERSION_ID < 50500 +#if PHP_VERSION_ID < 50500 return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.var)).var.ptr; #endif SDEBUG("function: %s", lcname); if (SUHOSIN_G(in_code_type) == SUHOSIN_EVAL) { - + if (SUHOSIN_G(eval_whitelist) != NULL) { if (!zend_hash_exists(SUHOSIN_G(eval_whitelist), lcname, function_name_strlen+1)) { suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of eval whitelist called: %s()", lcname); @@ -1723,7 +1715,7 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re } } } - + if (SUHOSIN_G(func_whitelist) != NULL) { if (!zend_hash_exists(SUHOSIN_G(func_whitelist), lcname, function_name_strlen+1)) { suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of whitelist called: %s()", lcname); @@ -1743,16 +1735,16 @@ static void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int re } } } - + if (zend_hash_find(&ihandler_table, lcname, function_name_strlen+1, (void **)&ih) == SUCCESS) { - + int retval = 0; void *handler = ((zend_internal_function *) execute_data_ptr->function_state.function)->handler; - + if (handler != ZEND_FN(display_disabled_function)) { retval = ih->handler(IH_HANDLER_PARAM_PASSTHRU); } - + if (retval == 0) { #if PHP_VERSION_ID >= 50500 old_execute_internal(execute_data_ptr, fci, return_value_used TSRMLS_CC); @@ -1788,12 +1780,10 @@ static int function_lookup(zend_extension *extension) if (zo_set_oe_ex != NULL) { return ZEND_HASH_APPLY_STOP; } - - if (extension->handle != NULL) { - zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex"); - - } + if (extension->handle != NULL) { + zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex"); + } return 0; } @@ -1809,19 +1799,19 @@ void suhosin_hook_execute(TSRMLS_D) #if PHP_VERSION_ID >= 50500 old_execute_ex = zend_execute_ex; zend_execute_ex = suhosin_execute_ex; -#else +#else old_execute = zend_execute; zend_execute = suhosin_execute; #endif - + /* old_compile_file = zend_compile_file; zend_compile_file = suhosin_compile_file; */ #if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED - if (zo_set_oe_ex == NULL) { + if (zo_set_oe_ex == NULL) { zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(NULL, "zend_optimizer_set_oe_ex"); } - if (zo_set_oe_ex == NULL) { + if (zo_set_oe_ex == NULL) { zend_llist_apply(&zend_extensions, (llist_apply_func_t)function_lookup TSRMLS_CC); } @@ -1829,7 +1819,7 @@ void suhosin_hook_execute(TSRMLS_D) old_execute_ZO = zo_set_oe_ex(suhosin_execute_ZO); } #endif - + old_execute_internal = zend_execute_internal; if (old_execute_internal == NULL) { old_execute_internal = execute_internal; @@ -1842,14 +1832,14 @@ void suhosin_hook_execute(TSRMLS_D) zend_hash_add(&ihandler_table, ih->name, strlen(ih->name)+1, ih, sizeof(internal_function_handler), NULL); ih++; } - - + + /* Add additional protection layer, that SHOULD catch ZEND_INCLUDE_OR_EVAL *before* the engine tries to execute */ old_zend_stream_open = zend_stream_open_function; zend_stream_open_function = suhosin_zend_stream_open; - + } /* }}} */ @@ -1864,12 +1854,12 @@ void suhosin_unhook_execute() } #endif -#if PHP_VERSION_ID >= 50500 +#if PHP_VERSION_ID >= 50500 zend_execute_ex = old_execute_ex; #else zend_execute = old_execute; #endif - + /* zend_compile_file = old_compile_file; */ if (old_execute_internal == execute_internal) { @@ -1877,10 +1867,10 @@ void suhosin_unhook_execute() } zend_execute_internal = old_execute_internal; zend_hash_clean(&ihandler_table); - + /* remove zend_open protection */ zend_stream_open_function = old_zend_stream_open; - + } /* }}} */ -- cgit v1.3