From 63de1053dfda1faca22a84afb82d6b1315b8db6e Mon Sep 17 00:00:00 2001
From: Ben Fuhrmannek
Date: Wed, 9 Jul 2014 12:47:03 +0200
Subject: added sql.user_match + username character check
---
 execute.c | 51 ++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 15 deletions(-)
(limited to 'execute.c')
diff --git a/execute.c b/execute.c
index 098b074..2f280b7 100644
--- a/execute.c
+++ b/execute.c
@@ -24,6 +24,7 @@
 #endif
 #include
+#include
 #include "php.h"
 #include "php_ini.h"
 #include "zend_hash.h"
@@ -1024,17 +1025,20 @@ int ih_fixusername(IH_HANDLER_PARAMS)
 void **p = EG(argument_stack).top_element-2;
 #endif
 unsigned long arg_count;
- zval **arg;char *prefix, *postfix, *user;
+ zval **arg;
+ char *prefix, *postfix, *user, *user_match, *cp;
 zval *backup, *my_user;
 int prefix_len, postfix_len, len;
- SDEBUG("function: %s", ih->name);
+ SDEBUG("function (fixusername): %s", ih->name);
 prefix = SUHOSIN_G(sql_user_prefix);
 postfix = SUHOSIN_G(sql_user_postfix);
+ user_match = SUHOSIN_G(sql_user_match);
- if ((prefix == NULL || prefix[0] == 0)&&
- (postfix == NULL || postfix[0] == 0)) {
+ if ((prefix == NULL || prefix[0] == 0) &&
+ (postfix == NULL || postfix[0] == 0) &&
+ (user_match == NULL || user_match[0] == 0)) {
 return (0);
 }
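Review bot: The include added in the first hunk is unconditional, while the code that depends on it in ih_fixusername is wrapped in `#ifdef HAVE_FNMATCH` with an `#else` fallback. The header name is not visible in this rendering; if it is the fnmatch header, a platform that lacks it would fail to compile at this line and never reach the fallback, so the include should sit under the same guard: `#ifdef HAVE_FNMATCH` / `#include <fnmatch.h>` / `#endif`.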
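Review bot: The widened early return `if ((prefix == NULL || prefix[0] == 0) && ... (user_match == NULL || user_match[0] == 0)) return (0);` still leaves the handler when none of the three directives is set, so the control-character check added further down in ih_fixusername only runs on installations that configure a prefix, postfix or user_match. If the check is meant as general hardening it should not depend on those settings; otherwise a comment above the condition should say so, e.g. `/* nothing configured: username is passed through unchecked */`. The function body starts and ends outside this hunk.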
@@ -1065,23 +1069,40 @@ int ih_fixusername(IH_HANDLER_PARAMS)
 user = Z_STRVAL_P(backup);
 }
- if (prefix_len && prefix_len <= len) {
- if (strncmp(prefix, user, prefix_len)==0) {
- prefix = "";
- len -= prefix_len;
- }
- }
-
- if (postfix_len && postfix_len <= len) {
- if (strncmp(postfix, user+len-postfix_len, postfix_len)==0) {
- postfix = "";
+ cp = user;
+ while (cp < user+len) {
+ if (*cp < 32) {
+ suhosin_log(S_SQL, "SQL username contains invalid characters");
+ if (!SUHOSIN_G(simulation)) {
+ suhosin_bailout(TSRMLS_C);
+ }
 }
+ cp++;
 }
-
+
 MAKE_STD_ZVAL(my_user);
 my_user->type = IS_STRING;
 my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix);
+ if (user_match && user_match[0]) {
+ len = Z_STRLEN_P(my_user);
+ user = Z_STRVAL_P(my_user);
+#ifdef HAVE_FNMATCH
+ if (fnmatch(user_match, user, 0) != 0) {
+ suhosin_log(S_SQL, "SQL username ('%s') does not match suhosin.sql.user_match ('%s')", user, user_match);
+ if (!SUHOSIN_G(simulation)) {
+ suhosin_bailout(TSRMLS_C);
+ }
+ }
+#else
+#warning no support for fnmatch() - setting suhosin.sql.user_match will always fail.
+ suhosin_log(S_SQL, "suhosin.sql.user_match specified, but system does not support fnmatch()");
+ if (!SUHOSIN_G(simulation)) {
+ suhosin_bailout(TSRMLS_C);
+ }
+#endif
+ }
+
 /* XXX: memory_leak? */
 *arg = my_user;
-- cgit v1.3
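Review bot: `if (*cp < 32)` compares a plain `char`, whose signedness is implementation-defined: where `char` is signed every byte >= 0x80 is negative, so any UTF-8 or other non-ASCII username is reported as invalid, while on unsigned-char targets the same name passes. Cast first, `if ((unsigned char)*cp < 32) {`, and decide explicitly whether 0x7f (DEL) belongs in the rejected set. In simulation mode the loop continues after the first hit and logs once per offending byte, so a `break;` after the log call would keep a long username from flooding the log. The later fnmatch failure message formats `user` with `%s`, and in simulation mode that string can still hold the control characters just detected, so it is worth confirming that suhosin_log escapes them. The function continues outside this hunk.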