From d5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 13:05:36 +0100
Subject: Refactor array index handling in input filter, to make it work in all cases.

---
 ifilter.c | 77 ++++++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 42 insertions(+), 35 deletions(-)
(limited to 'ifilter.c')

diff --git a/ifilter.c b/ifilter.c
index 42f5d9b..d73106b 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -502,49 +502,56 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v
 /* Find out array depth */
 while (index) {
+ char *index_end;
 unsigned int index_length;
+ /* overjump '[' */
+ index++;
+
+ /* increase array depth */
 depth++;
- index = strchr(index+1, '[');
+
+ index_end = strchr(index, ']');
+ if (index_end == NULL) {
+ index_end = index+strlen(index);
+ }
- if (prev_index) {
- index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
+ index_length = index_end - index;
- if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
- suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- return 0;
- }
- }
- switch (arg) {
- case PARSE_GET:
- if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
- suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- return 0;
- }
- }
- break;
- case PARSE_COOKIE:
- if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
- suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- return 0;
- }
- }
- break;
- case PARSE_POST:
- if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
- suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- return 0;
- }
- }
- break;
+ if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
+ suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ return 0;
 }
- prev_index = index;
+ }
+ switch (arg) {
+ case PARSE_GET:
+ if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) {
+ suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ return 0;
+ }
+ }
+ break;
+ case PARSE_COOKIE:
+ if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) {
+ suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ return 0;
+ }
+ }
+ break;
+ case PARSE_POST:
+ if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
+ suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ return 0;
+ }
+ }
+ break;
 }
+ index = strchr(index, '[');
 }
 /* Drop this variable if it exceeds the array depth limit */
-- 
cgit v1.3
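Review bot: The rescan at the bottom of the loop, `index = strchr(index, '[');`, starts from the beginning of the index just measured rather than from `index_end`, so a '[' inside an index is counted as a further depth level and its tail is measured a second time. That is the stricter reading and looks deliberate for an input filter, but nothing in the hunk says so; a comment such as `/* rescan from index, not index_end: a '[' inside an index still counts towards depth */` would keep a later cleanup from loosening the check unintentionally. The same applies to the unterminated case, where `index_end = index+strlen(index)` measures the rest of the name as the index; a one-line comment there would make that explicit. `prev_index` is no longer used in the lines shown, so its declaration, which lies outside this hunk along with the rest of suhosin_input_filter, is presumably dead now and could be removed.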