From d5ea5d30d8e400b73d2a5abf2d1e2d8fc3485bd6 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Sun, 16 Feb 2014 13:05:36 +0100
Subject: Refactor array index handling in input filter, to make it work in all cases.
---
ufilter.c | 41 ++++++++++++++++++++++++-----------------
1 file changed, 24 insertions(+), 17 deletions(-)
(limited to 'ufilter.c')
diff --git a/ufilter.c b/ufilter.c
index efab2ce..67bb114 100644
--- a/ufilter.c
+++ b/ufilter.c
@@ -131,29 +131,36 @@ static int check_fileupload_varname(char *varname)
 /* Find out array depth */
 while (index) {
+ char *index_end;
 unsigned int index_length;
+ /* overjump '[' */
+ index++;
+
+ /* increase array depth */
 depth++;
- index = strchr(index+1, '[');
+
+ index_end = strchr(index, ']');
+ if (index_end == NULL) {
+ index_end = index+strlen(index);
+ }
- if (prev_index) {
- index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
+ index_length = index_end - index;
- if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
- suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- goto return_failure;
- }
- }
- if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
- suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
- if (!SUHOSIN_G(simulation)) {
- goto return_failure;
- }
- }
- prev_index = index;
- }
+ if (SUHOSIN_G(max_array_index_length) && SUHOSIN_G(max_array_index_length) < index_length) {
+ suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ goto return_failure;
+ }
+ }
+ if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) {
+ suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
+ if (!SUHOSIN_G(simulation)) {
+ goto return_failure;
+ }
+ }
+ index = strchr(index, '[');
 }
 /* Drop this variable if it exceeds the array depth limit */
--
cgit v1.3
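Review bot: The closing `index = strchr(index, '[');` resumes the scan just after the opening bracket rather than at `index_end`, so a '[' that sits inside an index (a name shaped like `a[b[c]`) is counted as a further depth level and measured again, although it was already included in the preceding `index_length`. That errs on the strict side, but it means the depth this filter counts can differ from the nesting the variable parser later builds from the same name, and a filter that disagrees with the parser is hard to reason about. If the over-count is intended, record it with a comment such as `/* a '[' inside an index deliberately counts as another level */`; otherwise resume with `index = strchr(index_end, '[');`, which stays in bounds because `index_end` points at either the ']' or the terminating NUL. `prev_index` no longer appears in the loop, so if its declaration above the hunk is still there it is now unused. The body of check_fileupload_varname starts and ends outside this hunk.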