summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBen Fuhrmannek2016-05-21 13:39:07 +0200
committerBen Fuhrmannek2016-05-21 13:39:07 +0200
commit81550450b59193c36118e402b6003a9d40f3ae09 (patch)
treeaebf81af0a2b80bc239e2dc6cc170414eac5b4c7
parent31559eae6ca406b80cebf3b89279d6f7ffdbccf8 (diff)
post and file upload handling
Diffstat
-rw-r--r--config.m42
-rw-r--r--ifilter.c15
-rw-r--r--php_suhosin7.h21
-rw-r--r--post_handler.c145
-rw-r--r--rfc1867.c1370
-rw-r--r--suhosin7.c16
-rw-r--r--suhosin_rfc1867.h91
-rw-r--r--ufilter.c425
8 files changed, 2065 insertions, 20 deletions
diff --git a/config.m4 b/config.m4
index 63b7d18..23081dd 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin7, whether to enable suhosin support,
5[ --enable-suhosin7 Enable suhosin support]) 5[ --enable-suhosin7 Enable suhosin support])
6 6
7if test "$PHP_SUHOSIN7" != "no"; then 7if test "$PHP_SUHOSIN7" != "no"; then
8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c ex_imp.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) 8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c ex_imp.c rfc1867.c ufilter.c post_handler.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
9 PHP_ADD_EXTENSION_DEP(suhosin7, hash) 9 PHP_ADD_EXTENSION_DEP(suhosin7, hash)
10 echo "===== WARNING ============================================" 10 echo "===== WARNING ============================================"
11 echo " Suhosin7 for PHP 7 is in alpha stage at the moment and" 11 echo " Suhosin7 for PHP 7 is in alpha stage at the moment and"
diff --git a/ifilter.c b/ifilter.c
index 2d41048..a8fa8e2 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -41,7 +41,7 @@ static size_t strnlen(const char *s, size_t maxlen) {
41} 41}
42#endif 42#endif
43 43
44static size_t suhosin_strnspn(const char *input, size_t n, const char *accept) 44size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
45{ 45{
46 size_t count = 0; 46 size_t count = 0;
47 for (; *input != '\0' && count < n; input++, count++) { 47 for (; *input != '\0' && count < n; input++, count++) {
@@ -51,7 +51,7 @@ static size_t suhosin_strnspn(const char *input, size_t n, const char *accept)
51 return count; 51 return count;
52} 52}
53 53
54static size_t suhosin_strncspn(const char *input, size_t n, const char *reject) 54size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
55{ 55{
56 size_t count = 0; 56 size_t count = 0;
57 for (; *input != '\0' && count < n; input++, count++) { 57 for (; *input != '\0' && count < n; input++, count++) {
@@ -635,7 +635,7 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
635 // } 635 // }
636 636
637 // if (!already_scanned) { 637 // if (!already_scanned) {
638 if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) { 638 if (suhosin_input_filter(arg, var, val, val_len, new_val_len) == 0) {
639 SUHOSIN7_G(abort_request)=1; 639 SUHOSIN7_G(abort_request)=1;
640 return 0; 640 return 0;
641 } 641 }
@@ -644,7 +644,14 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
644 } 644 }
645 // } 645 // }
646 if (orig_input_filter) { 646 if (orig_input_filter) {
647 return orig_input_filter(arg, var, val, val_len, new_val_len); 647
648 if (orig_input_filter(arg, var, val, val_len, new_val_len) == 0) {
649 SUHOSIN7_G(abort_request)=1;
650 return 0;
651 } else {
652 return 1;
653 }
654
648 } else { 655 } else {
649 return 1; 656 return 1;
650 } 657 }
diff --git a/php_suhosin7.h b/php_suhosin7.h
index 8a58ef6..6c515ba 100644
--- a/php_suhosin7.h
+++ b/php_suhosin7.h
@@ -205,16 +205,16 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7)
205 zend_bool disallow_post_ws; 205 zend_bool disallow_post_ws;
206 206
207/* fileupload */ 207/* fileupload */
208 // zend_long upload_limit; 208 zend_long upload_max_newlines;
209 // zend_long upload_max_newlines; 209 zend_long upload_limit;
210 // zend_long num_uploads; 210 zend_long num_uploads;
211 // zend_bool upload_disallow_elf; 211 zend_bool upload_disallow_elf;
212 // zend_bool upload_disallow_binary; 212 zend_bool upload_disallow_binary;
213 // zend_bool upload_remove_binary; 213 zend_bool upload_remove_binary;
214#ifdef SUHOSIN7_EXPERIMENTAL 214#ifdef SUHOSIN7_EXPERIMENTAL
215 // zend_bool upload_allow_utf8; 215 zend_bool upload_allow_utf8;
216#endif 216#endif
217 // char *upload_verification_script; 217 char *upload_verification_script;
218 218
219 zend_bool no_more_variables; 219 zend_bool no_more_variables;
220 zend_bool no_more_get_variables; 220 zend_bool no_more_get_variables;
@@ -395,8 +395,12 @@ void suhosin_hook_ex_imp();
395void suhosin_hook_session(); 395void suhosin_hook_session();
396#endif 396#endif
397 397
398void suhosin_hook_post_handlers();
399
398// ifilter.c 400// ifilter.c
399void suhosin_normalize_varname(char *varname); 401void suhosin_normalize_varname(char *varname);
402size_t suhosin_strnspn(const char *input, size_t n, const char *accept);
403size_t suhosin_strncspn(const char *input, size_t n, const char *reject);
400 404
401// cookiecrypt.c 405// cookiecrypt.c
402char *suhosin_cookie_decryptor(char *raw_cookie); 406char *suhosin_cookie_decryptor(char *raw_cookie);
@@ -415,6 +419,7 @@ void suhosin_aes_gkey(int nb,int nk,char *key);
415void suhosin_aes_encrypt(char *buff); 419void suhosin_aes_encrypt(char *buff);
416void suhosin_aes_decrypt(char *buff); 420void suhosin_aes_decrypt(char *buff);
417 421
422
418// 423//
419 424
420static inline void suhosin_bailout() 425static inline void suhosin_bailout()
diff --git a/post_handler.c b/post_handler.c
new file mode 100644
index 0000000..1a2374c
--- /dev/null
+++ b/post_handler.c
@@ -0,0 +1,145 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19*/
20/*
21 $Id: post_handler.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $
22*/
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "php.h"
29#include "php_ini.h"
30#include "php_suhosin7.h"
31#include "SAPI.h"
32#include "php_variables.h"
33#include "php_content_types.h"
34#include "suhosin_rfc1867.h"
35#include "ext/standard/url.h"
36#include "ext/standard/php_smart_string.h"
37
38#if defined(PHP_WIN32)
39#include "win32/php_inttypes.h"
40#endif
41
42SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler);
43
44static void suhosin_post_handler_modification(sapi_post_entry *spe)
45{
46 char *content_type = estrndup(spe->content_type, spe->content_type_len);
47 suhosin_log(S_VARS, "some extension replaces the POST handler for %s - Suhosin's protection might be incomplete", content_type);
48 efree(content_type);
49}
50
51// static PHP_INI_MH((*old_OnUpdate_mbstring_encoding_translation)) = NULL;
52//
53// /* {{{ static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation) */
54// static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation)
55// {
56// zend_bool *p;
57// #ifndef ZTS
58// char *base = (char *) mh_arg2;
59// #else
60// char *base;
61//
62// base = (char *) ts_resource(*((int *) mh_arg2));
63// #endif
64//
65// p = (zend_bool *) (base+(size_t) mh_arg1);
66//
67// if (new_value_length == 2 && strcasecmp("on", new_value) == 0) {
68// *p = (zend_bool) 1;
69// }
70// else if (new_value_length == 3 && strcasecmp("yes", new_value) == 0) {
71// *p = (zend_bool) 1;
72// }
73// else if (new_value_length == 4 && strcasecmp("true", new_value) == 0) {
74// *p = (zend_bool) 1;
75// }
76// else {
77// *p = (zend_bool) atoi(new_value);
78// }
79// if (*p) {
80// suhosin_log(S_VARS, "Dynamic configuration (maybe a .htaccess file) tried to activate mbstring.encoding_translation which is incompatible with suhosin");
81// }
82// return SUCCESS;
83// }
84/* }}} */
85
86/* {{{ php_post_entries[]
87 */
88static sapi_post_entry suhosin_post_entries[] = {
89 // { DEFAULT_POST_CONTENT_TYPE, sizeof(DEFAULT_POST_CONTENT_TYPE)-1, sapi_read_standard_form_data, suhosin_std_post_handler },
90 { ZEND_STRL(MULTIPART_CONTENT_TYPE), NULL, suhosin_rfc1867_post_handler },
91 { NULL, 0, NULL, NULL }
92};
93/* }}} */
94
95void suhosin_hook_post_handlers()
96{
97 HashTable tempht;
98 // zend_ini_entry *ini_entry;
99
100 sapi_unregister_post_entry(&suhosin_post_entries[0]);
101 // sapi_unregister_post_entry(&suhosin_post_entries[1]);
102 sapi_register_post_entries(suhosin_post_entries);
103
104 /* we want to get notified if another extension deregisters the suhosin post handlers */
105
106 /* we need to tell suhosin patch that there is a new valid destructor */
107 /* therefore we have create HashTable that has this destructor */
108 // zend_hash_init(&tempht, 0, NULL, (dtor_func_t)suhosin_post_handler_modification, 0);
109 // zend_hash_destroy(&tempht);
110 /* And now we can overwrite the destructor for post entries */
111 // SG(known_post_content_types).pDestructor = (dtor_func_t)suhosin_post_handler_modification;
112
113 /* we have to stop mbstring from replacing our post handler */
114 // if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) {
115 // return;
116 // }
117 /* replace OnUpdate_mbstring_encoding_translation handler */
118 // old_OnUpdate_mbstring_encoding_translation = ini_entry->on_modify;
119 // ini_entry->on_modify = suhosin_OnUpdate_mbstring_encoding_translation;
120}
121
122// void suhosin_unhook_post_handlers()
123// {
124// zend_ini_entry *ini_entry;
125//
126// /* Restore to an empty destructor */
127// SG(known_post_content_types).pDestructor = NULL;
128//
129// /* Now restore the ini entry handler */
130// if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) {
131// return;
132// }
133// /* replace OnUpdate_mbstring_encoding_translation handler */
134// ini_entry->on_modify = old_OnUpdate_mbstring_encoding_translation;
135// old_OnUpdate_mbstring_encoding_translation = NULL;
136// }
137
138/*
139 * Local variables:
140 * tab-width: 4
141 * c-basic-offset: 4
142 * End:
143 * vim600: noet sw=4 ts=4 fdm=marker
144 * vim<600: noet sw=4 ts=4
145 */
diff --git a/rfc1867.c b/rfc1867.c
new file mode 100644
index 0000000..8daa0e8
--- /dev/null
+++ b/rfc1867.c
@@ -0,0 +1,1370 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19
20 Note: The following code is based on main/rfc1867.c from PHP 7.
21 | Copyright (c) 1997-2016 The PHP Group |
22 Original PHP Version 7 Authors:
23 | Authors: Rasmus Lerdorf <rasmus@php.net> |
24 | Jani Taskinen <jani@php.net> |
25
26 */
27
28/* $Id$ */
29
30/*
31 * This product includes software developed by the Apache Group
32 * for use in the Apache HTTP server project (http://www.apache.org/).
33 *
34 */
35
36#include <stdio.h>
37#include "php.h"
38#include "php_open_temporary_file.h"
39#include "zend_globals.h"
40#include "php_globals.h"
41#include "php_variables.h"
42// #include "rfc1867.h"
43#include "suhosin_rfc1867.h"
44#include "php_suhosin7.h"
45#include "ext/standard/php_string.h"
46#include "ext/standard/php_smart_string.h"
47
48#if defined(PHP_WIN32) && !defined(HAVE_ATOLL)
49# define atoll(s) _atoi64(s)
50# define HAVE_ATOLL 1
51#endif
52
53#define DEBUG_FILE_UPLOAD ZEND_DEBUG
54
55static int dummy_encoding_translation(void)
56{
57 return 0;
58}
59
60static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop);
61static char *php_ap_getword_conf(const zend_encoding *encoding, char *str);
62
63static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation;
64static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL;
65static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL;
66static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword;
67static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf;
68static php_rfc1867_basename_t php_rfc1867_basename = NULL;
69
70#define php_rfc1867_callback suhosin_rfc1867_filter
71// PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
72
73static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection);
74
75/* The longest property name we use in an uploaded file array */
76#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
77
78/* The longest anonymous name */
79#define MAX_SIZE_ANONNAME 33
80
81/* Errors */
82#define UPLOAD_ERROR_OK 0 /* File upload successful */
83#define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */
84#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
85#define UPLOAD_ERROR_C 3 /* Partially uploaded */
86#define UPLOAD_ERROR_D 4 /* No file uploaded */
87#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
88#define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
89#define UPLOAD_ERROR_X 8 /* File upload stopped by extension */
90
91// void php_rfc1867_register_constants(void) /* {{{ */
92// {
93// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT);
94// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT);
95// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
96// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
97// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
98// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
99// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
100// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
101// }
102/* }}} */
103
104static void normalize_protected_variable(char *varname) /* {{{ */
105{
106 char *s = varname, *index = NULL, *indexend = NULL, *p;
107
108 /* overjump leading space */
109 while (*s == ' ') {
110 s++;
111 }
112
113 /* and remove it */
114 if (s != varname) {
115 memmove(varname, s, strlen(s)+1);
116 }
117
118 for (p = varname; *p && *p != '['; p++) {
119 switch(*p) {
120 case ' ':
121 case '.':
122 *p = '_';
123 break;
124 }
125 }
126
127 /* find index */
128 index = strchr(varname, '[');
129 if (index) {
130 index++;
131 s = index;
132 } else {
133 return;
134 }
135
136 /* done? */
137 while (index) {
138 while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
139 index++;
140 }
141 indexend = strchr(index, ']');
142 indexend = indexend ? indexend + 1 : index + strlen(index);
143
144 if (s != index) {
145 memmove(s, index, strlen(index)+1);
146 s += indexend-index;
147 } else {
148 s = indexend;
149 }
150
151 if (*s == '[') {
152 s++;
153 index = s;
154 } else {
155 index = NULL;
156 }
157 }
158 *s = '\0';
159}
160/* }}} */
161
162static void add_protected_variable(char *varname) /* {{{ */
163{
164 normalize_protected_variable(varname);
165 zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname));
166}
167/* }}} */
168
169static zend_bool is_protected_variable(char *varname) /* {{{ */
170{
171 normalize_protected_variable(varname);
172 return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname));
173}
174/* }}} */
175
176static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */
177{
178 if (override_protection || !is_protected_variable(var)) {
179 php_register_variable_safe(var, strval, val_len, track_vars_array);
180 }
181}
182/* }}} */
183
184static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */
185{
186 if (override_protection || !is_protected_variable(var)) {
187 php_register_variable_ex(var, val, track_vars_array);
188 }
189}
190/* }}} */
191
192static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
193{
194 safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection);
195}
196/* }}} */
197
198static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */
199{
200 safe_php_register_variable_ex(var, val, http_post_files, override_protection);
201}
202/* }}} */
203
204static int unlink_filename(zval *el) /* {{{ */
205{
206 zend_string *filename = Z_STR_P(el);
207 VCWD_UNLINK(ZSTR_VAL(filename));
208 return 0;
209}
210/* }}} */
211
212
213static void free_filename(zval *el) {
214 zend_string *filename = Z_STR_P(el);
215 zend_string_release(filename);
216}
217
218PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */
219{
220 zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename);
221 zend_hash_destroy(SG(rfc1867_uploaded_files));
222 FREE_HASHTABLE(SG(rfc1867_uploaded_files));
223}
224/* }}} */
225
226/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */
227
228#define FILLUNIT (1024 * 5)
229
230typedef struct {
231
232 /* read buffer */
233 char *buffer;
234 char *buf_begin;
235 int bufsize;
236 int bytes_in_buffer;
237
238 /* boundary info */
239 char *boundary;
240 char *boundary_next;
241 int boundary_next_len;
242
243 const zend_encoding *input_encoding;
244 const zend_encoding **detect_order;
245 size_t detect_order_size;
246} multipart_buffer;
247
248typedef struct {
249 char *key;
250 char *value;
251} mime_header_entry;
252
253/*
254 * Fill up the buffer with client data.
255 * Returns number of bytes added to buffer.
256 */
257static int fill_buffer(multipart_buffer *self)
258{
259 int bytes_to_read, total_read = 0, actual_read = 0;
260
261 /* shift the existing data if necessary */
262 if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) {
263 memmove(self->buffer, self->buf_begin, self->bytes_in_buffer);
264 }
265
266 self->buf_begin = self->buffer;
267
268 /* calculate the free space in the buffer */
269 bytes_to_read = self->bufsize - self->bytes_in_buffer;
270
271 /* read the required number of bytes */
272 while (bytes_to_read > 0) {
273
274 char *buf = self->buffer + self->bytes_in_buffer;
275
276 actual_read = (int)sapi_module.read_post(buf, bytes_to_read);
277
278 /* update the buffer length */
279 if (actual_read > 0) {
280 self->bytes_in_buffer += actual_read;
281 SG(read_post_bytes) += actual_read;
282 total_read += actual_read;
283 bytes_to_read -= actual_read;
284 } else {
285 break;
286 }
287 }
288
289 return total_read;
290}
291
292/* eof if we are out of bytes, or if we hit the final boundary */
293static int multipart_buffer_eof(multipart_buffer *self)
294{
295 if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) {
296 return 1;
297 } else {
298 return 0;
299 }
300}
301
302/* create new multipart_buffer structure */
303static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len)
304{
305 multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer));
306
307 int minsize = boundary_len + 6;
308 if (minsize < FILLUNIT) minsize = FILLUNIT;
309
310 self->buffer = (char *) ecalloc(1, minsize + 1);
311 self->bufsize = minsize;
312
313 spprintf(&self->boundary, 0, "--%s", boundary);
314
315 self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary);
316
317 self->buf_begin = self->buffer;
318 self->bytes_in_buffer = 0;
319
320 if (php_rfc1867_encoding_translation()) {
321 php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size);
322 } else {
323 self->detect_order = NULL;
324 self->detect_order_size = 0;
325 }
326
327 self->input_encoding = NULL;
328
329 return self;
330}
331
332/*
333 * Gets the next CRLF terminated line from the input buffer.
334 * If it doesn't find a CRLF, and the buffer isn't completely full, returns
335 * NULL; otherwise, returns the beginning of the null-terminated line,
336 * minus the CRLF.
337 *
338 * Note that we really just look for LF terminated lines. This works
339 * around a bug in internet explorer for the macintosh which sends mime
340 * boundaries that are only LF terminated when you use an image submit
341 * button in a multipart/form-data form.
342 */
343static char *next_line(multipart_buffer *self)
344{
345 /* look for LF in the data */
346 char* line = self->buf_begin;
347 char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer);
348
349 if (ptr) { /* LF found */
350
351 /* terminate the string, remove CRLF */
352 if ((ptr - line) > 0 && *(ptr-1) == '\r') {
353 *(ptr-1) = 0;
354 } else {
355 *ptr = 0;
356 }
357
358 /* bump the pointer */
359 self->buf_begin = ptr + 1;
360 self->bytes_in_buffer -= (self->buf_begin - line);
361
362 } else { /* no LF found */
363
364 /* buffer isn't completely full, fail */
365 if (self->bytes_in_buffer < self->bufsize) {
366 return NULL;
367 }
368 /* return entire buffer as a partial line */
369 line[self->bufsize] = 0;
370 self->buf_begin = ptr;
371 self->bytes_in_buffer = 0;
372 }
373
374 return line;
375}
376
377/* Returns the next CRLF terminated line from the client */
378static char *get_line(multipart_buffer *self)
379{
380 char* ptr = next_line(self);
381
382 if (!ptr) {
383 fill_buffer(self);
384 ptr = next_line(self);
385 }
386
387 return ptr;
388}
389
390/* Free header entry */
391static void php_free_hdr_entry(mime_header_entry *h)
392{
393 if (h->key) {
394 efree(h->key);
395 }
396 if (h->value) {
397 efree(h->value);
398 }
399}
400
401/* finds a boundary */
402static int find_boundary(multipart_buffer *self, char *boundary)
403{
404 char *line;
405
406 /* loop thru lines */
407 while( (line = get_line(self)) )
408 {
409 /* finished if we found the boundary */
410 if (!strcmp(line, boundary)) {
411 return 1;
412 }
413 }
414
415 /* didn't find the boundary */
416 return 0;
417}
418
419/* parse headers */
420static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header)
421{
422 char *line;
423 mime_header_entry entry = {0};
424 smart_string buf_value = {0};
425 char *key = NULL;
426 size_t newlines = 0;
427
428 /* didn't find boundary, abort */
429 if (!find_boundary(self, self->boundary)) {
430 return 0;
431 }
432
433 /* get lines of text, or CRLF_CRLF */
434
435 while ((line = get_line(self)) && line[0] != '\0') {
436 /* add header to table */
437 char *value = NULL;
438
439 if (php_rfc1867_encoding_translation()) {
440 self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size);
441 }
442
443 /* space in the beginning means same header */
444 if (!isspace(line[0])) {
445 value = strchr(line, ':');
446 }
447
448 if (value) {
449 if (buf_value.c && key) {
450 /* new entry, add the old one to the list */
451 smart_string_0(&buf_value);
452 entry.key = key;
453 entry.value = buf_value.c;
454 zend_llist_add_element(header, &entry);
455 buf_value.c = NULL;
456 key = NULL;
457 }
458
459 *value = '\0';
460 do { value++; } while (isspace(*value));
461
462 key = estrdup(line);
463 smart_string_appends(&buf_value, value);
464 newlines = 0;
465 } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
466 newlines++;
467 if (newlines > SUHOSIN7_G(upload_max_newlines)) {
468 SUHOSIN7_G(abort_request) = 1;
469 suhosin_log(S_FILES, "configured maximum number of newlines in RFC1867 MIME headers limit exceeded - dropping rest of upload");
470 return 0;
471 }
472 smart_string_appends(&buf_value, line);
473
474 } else {
475 continue;
476 }
477 }
478
479 if (buf_value.c && key) {
480 /* add the last one to the list */
481 smart_string_0(&buf_value);
482 entry.key = key;
483 entry.value = buf_value.c;
484 zend_llist_add_element(header, &entry);
485 }
486
487 return 1;
488}
489
490static char *php_mime_get_hdr_value(zend_llist header, char *key)
491{
492 mime_header_entry *entry;
493
494 if (key == NULL) {
495 return NULL;
496 }
497
498 entry = zend_llist_get_first(&header);
499 while (entry) {
500 if (!strcasecmp(entry->key, key)) {
501 return entry->value;
502 }
503 entry = zend_llist_get_next(&header);
504 }
505
506 return NULL;
507}
508
509static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop)
510{
511 char *pos = *line, quote;
512 char *res;
513
514 while (*pos && *pos != stop) {
515 if ((quote = *pos) == '"' || quote == '\'') {
516 ++pos;
517 while (*pos && *pos != quote) {
518 if (*pos == '\\' && pos[1] && pos[1] == quote) {
519 pos += 2;
520 } else {
521 ++pos;
522 }
523 }
524 if (*pos) {
525 ++pos;
526 }
527 } else ++pos;
528 }
529 if (*pos == '\0') {
530 res = estrdup(*line);
531 *line += strlen(*line);
532 return res;
533 }
534
535 res = estrndup(*line, pos - *line);
536
537 while (*pos == stop) {
538 ++pos;
539 }
540
541 *line = pos;
542 return res;
543}
544
545static char *substring_conf(char *start, int len, char quote)
546{
547 char *result = emalloc(len + 1);
548 char *resp = result;
549 int i;
550
551 for (i = 0; i < len && start[i] != quote; ++i) {
552 if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) {
553 *resp++ = start[++i];
554 } else {
555 *resp++ = start[i];
556 }
557 }
558
559 *resp = '\0';
560 return result;
561}
562
563static char *php_ap_getword_conf(const zend_encoding *encoding, char *str)
564{
565 while (*str && isspace(*str)) {
566 ++str;
567 }
568
569 if (!*str) {
570 return estrdup("");
571 }
572
573 if (*str == '"' || *str == '\'') {
574 char quote = *str;
575
576 str++;
577 return substring_conf(str, (int)strlen(str), quote);
578 } else {
579 char *strend = str;
580
581 while (*strend && !isspace(*strend)) {
582 ++strend;
583 }
584 return substring_conf(str, strend - str, 0);
585 }
586}
587
588static char *php_ap_basename(const zend_encoding *encoding, char *path)
589{
590 char *s = strrchr(path, '\\');
591 char *s2 = strrchr(path, '/');
592
593 if (s && s2) {
594 if (s > s2) {
595 ++s;
596 } else {
597 s = ++s2;
598 }
599 return s;
600 } else if (s) {
601 return ++s;
602 } else if (s2) {
603 return ++s2;
604 }
605 return path;
606}
607
608/*
609 * Search for a string in a fixed-length byte string.
610 * If partial is true, partial matches are allowed at the end of the buffer.
611 * Returns NULL if not found, or a pointer to the start of the first match.
612 */
613static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial)
614{
615 int len = haystacklen;
616 char *ptr = haystack;
617
618 /* iterate through first character matches */
619 while( (ptr = memchr(ptr, needle[0], len)) ) {
620
621 /* calculate length after match */
622 len = haystacklen - (ptr - (char *)haystack);
623
624 /* done if matches up to capacity of buffer */
625 if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) {
626 break;
627 }
628
629 /* next character */
630 ptr++; len--;
631 }
632
633 return ptr;
634}
635
636/* read until a boundary condition */
637static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
638{
639 size_t len, max;
640 char *bound;
641
642 /* fill buffer if needed */
643 if (bytes > self->bytes_in_buffer) {
644 fill_buffer(self);
645 }
646
647 /* look for a potential boundary match, only read data up to that point */
648 if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) {
649 max = bound - self->buf_begin;
650 if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) {
651 *end = 1;
652 }
653 } else {
654 max = self->bytes_in_buffer;
655 }
656
657 /* maximum number of bytes we are reading */
658 len = max < bytes-1 ? max : bytes-1;
659
660 /* if we read any data... */
661 if (len > 0) {
662
663 /* copy the data */
664 memcpy(buf, self->buf_begin, len);
665 buf[len] = 0;
666
667 if (bound && len > 0 && buf[len-1] == '\r') {
668 buf[--len] = 0;
669 }
670
671 /* update the buffer */
672 self->bytes_in_buffer -= (int)len;
673 self->buf_begin += len;
674 }
675
676 return (int)len;
677}
678
679/*
680 XXX: this is horrible memory-usage-wise, but we only expect
681 to do this on small pieces of form data.
682*/
683static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
684{
685 char buf[FILLUNIT], *out=NULL;
686 int total_bytes=0, read_bytes=0;
687
688 while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
689 out = erealloc(out, total_bytes + read_bytes + 1);
690 memcpy(out + total_bytes, buf, read_bytes);
691 total_bytes += read_bytes;
692 }
693
694 if (out) {
695 out[total_bytes] = '\0';
696 }
697 *len = total_bytes;
698
699 return out;
700}
701/* }}} */
702
703/*
704 * The combined READER/HANDLER
705 *
706 */
707
708SAPI_API SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler) /* {{{ */
709{
710 char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
711 char *lbuf = NULL, *abuf = NULL;
712 zend_string *temp_filename = NULL;
713 int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
714 int64_t total_bytes = 0, max_file_size = 0;
715 int skip_upload = 0, anonindex = 0, is_anonymous;
716 HashTable *uploaded_files = NULL;
717 multipart_buffer *mbuff;
718 zval *array_ptr = (zval *) arg;
719 int fd = -1;
720 zend_llist header;
721 void *event_extra_data = NULL;
722 unsigned int llen = 0;
723 int upload_cnt = INI_INT("max_file_uploads");
724 const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
725 php_rfc1867_getword_t getword;
726 php_rfc1867_getword_conf_t getword_conf;
727 php_rfc1867_basename_t _basename;
728 zend_long count = 0;
729
730 if (php_rfc1867_encoding_translation() && internal_encoding) {
731 getword = php_rfc1867_getword;
732 getword_conf = php_rfc1867_getword_conf;
733 _basename = php_rfc1867_basename;
734 } else {
735 getword = php_ap_getword;
736 getword_conf = php_ap_getword_conf;
737 _basename = php_ap_basename;
738 }
739
740 if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
741 sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size));
742 return;
743 }
744
745 /* Get the boundary */
746 boundary = strstr(content_type_dup, "boundary");
747 if (!boundary) {
748 int content_type_len = (int)strlen(content_type_dup);
749 char *content_type_lcase = estrndup(content_type_dup, content_type_len);
750
751 php_strtolower(content_type_lcase, content_type_len);
752 boundary = strstr(content_type_lcase, "boundary");
753 if (boundary) {
754 boundary = content_type_dup + (boundary - content_type_lcase);
755 }
756 efree(content_type_lcase);
757 }
758
759 if (!boundary || !(boundary = strchr(boundary, '='))) {
760 sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
761 return;
762 }
763
764 boundary++;
765 boundary_len = (int)strlen(boundary);
766
767 if (boundary[0] == '"') {
768 boundary++;
769 boundary_end = strchr(boundary, '"');
770 if (!boundary_end) {
771 sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data");
772 return;
773 }
774 } else {
775 /* search for the end of the boundary */
776 boundary_end = strpbrk(boundary, ",;");
777 }
778 if (boundary_end) {
779 boundary_end[0] = '\0';
780 boundary_len = boundary_end-boundary;
781 }
782
783 /* Initialize the buffer */
784 if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) {
785 sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer");
786 return;
787 }
788
789 /* Initialize $_FILES[] */
790 zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0);
791
792 ALLOC_HASHTABLE(uploaded_files);
793 zend_hash_init(uploaded_files, 8, NULL, free_filename, 0);
794 SG(rfc1867_uploaded_files) = uploaded_files;
795
796 if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) {
797 /* php_auto_globals_create_files() might have already done that */
798 array_init(&PG(http_globals)[TRACK_VARS_FILES]);
799 }
800
801 zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0);
802
803 if (php_rfc1867_callback != NULL) {
804 multipart_event_start event_start;
805
806 event_start.content_length = SG(request_info).content_length;
807 if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) {
808 goto fileupload_done;
809 }
810 }
811
812 while (!multipart_buffer_eof(mbuff))
813 {
814 char buff[FILLUNIT];
815 char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL;
816 size_t blen = 0, wlen = 0;
817 zend_off_t offset;
818
819 zend_llist_clean(&header);
820
821 if (!multipart_buffer_headers(mbuff, &header)) {
822 goto fileupload_done;
823 }
824
825 if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) {
826 char *pair = NULL;
827 int end = 0;
828
829 while (isspace(*cd)) {
830 ++cd;
831 }
832
833 while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';')))
834 {
835 char *key = NULL, *word = pair;
836
837 while (isspace(*cd)) {
838 ++cd;
839 }
840
841 if (strchr(pair, '=')) {
842 key = getword(mbuff->input_encoding, &pair, '=');
843
844 if (!strcasecmp(key, "name")) {
845 if (param) {
846 efree(param);
847 }
848 param = getword_conf(mbuff->input_encoding, pair);
849 if (mbuff->input_encoding && internal_encoding) {
850 unsigned char *new_param;
851 size_t new_param_len;
852 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) {
853 efree(param);
854 param = (char *)new_param;
855 }
856 }
857 } else if (!strcasecmp(key, "filename")) {
858 if (filename) {
859 efree(filename);
860 }
861 filename = getword_conf(mbuff->input_encoding, pair);
862 if (mbuff->input_encoding && internal_encoding) {
863 unsigned char *new_filename;
864 size_t new_filename_len;
865 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) {
866 efree(filename);
867 filename = (char *)new_filename;
868 }
869 }
870 }
871 }
872 if (key) {
873 efree(key);
874 }
875 efree(word);
876 }
877
878 /* Normal form variable, safe to read all data into memory */
879 if (!filename && param) {
880 size_t value_len;
881 char *value = multipart_buffer_read_body(mbuff, &value_len);
882 size_t new_val_len; /* Dummy variable */
883
884 if (!value) {
885 value = estrdup("");
886 value_len = 0;
887 }
888
889 if (mbuff->input_encoding && internal_encoding) {
890 unsigned char *new_value;
891 size_t new_value_len;
892 if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) {
893 efree(value);
894 value = (char *)new_value;
895 value_len = new_value_len;
896 }
897 }
898
899 if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) {
900 if (php_rfc1867_callback != NULL) {
901 multipart_event_formdata event_formdata;
902 size_t newlength = new_val_len;
903
904 event_formdata.post_bytes_processed = SG(read_post_bytes);
905 event_formdata.name = param;
906 event_formdata.value = &value;
907 event_formdata.length = new_val_len;
908 event_formdata.newlength = &newlength;
909 if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) {
910 efree(param);
911 efree(value);
912 continue;
913 }
914 new_val_len = newlength;
915 }
916 safe_php_register_variable(param, value, new_val_len, array_ptr, 0);
917 } else {
918 if (count == PG(max_input_vars) + 1) {
919 php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
920 }
921
922 if (php_rfc1867_callback != NULL) {
923 multipart_event_formdata event_formdata;
924
925 event_formdata.post_bytes_processed = SG(read_post_bytes);
926 event_formdata.name = param;
927 event_formdata.value = &value;
928 event_formdata.length = value_len;
929 event_formdata.newlength = NULL;
930 php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data);
931 }
932 }
933
934 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
935#ifdef HAVE_ATOLL
936 max_file_size = atoll(value);
937#else
938 max_file_size = strtoll(value, NULL, 10);
939#endif
940 }
941
942 efree(param);
943 efree(value);
944 continue;
945 }
946
947 /* If file_uploads=off, skip the file part */
948 if (!PG(file_uploads)) {
949 skip_upload = 1;
950 } else if (upload_cnt <= 0) {
951 skip_upload = 1;
952 sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
953 }
954
955 /* Return with an error if the posted data is garbled */
956 if (!param && !filename) {
957 sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled");
958 goto fileupload_done;
959 }
960
961 if (!param) {
962 is_anonymous = 1;
963 param = emalloc(MAX_SIZE_ANONNAME);
964 snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++);
965 } else {
966 is_anonymous = 0;
967 }
968
969 /* New Rule: never repair potential malicious user input */
970 if (!skip_upload) {
971 long c = 0;
972 tmp = param;
973
974 while (*tmp) {
975 if (*tmp == '[') {
976 c++;
977 } else if (*tmp == ']') {
978 c--;
979 if (tmp[1] && tmp[1] != '[') {
980 skip_upload = 1;
981 break;
982 }
983 }
984 if (c < 0) {
985 skip_upload = 1;
986 break;
987 }
988 tmp++;
989 }
990 /* Brackets should always be closed */
991 if(c != 0) {
992 skip_upload = 1;
993 }
994 }
995
996 total_bytes = cancel_upload = 0;
997 temp_filename = NULL;
998 fd = -1;
999
1000 if (!skip_upload && php_rfc1867_callback != NULL) {
1001 multipart_event_file_start event_file_start;
1002
1003 event_file_start.post_bytes_processed = SG(read_post_bytes);
1004 event_file_start.name = param;
1005 event_file_start.filename = &filename;
1006 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) {
1007 temp_filename = NULL;
1008 efree(param);
1009 efree(filename);
1010 continue;
1011 }
1012 }
1013
1014 if (skip_upload) {
1015 efree(param);
1016 efree(filename);
1017 continue;
1018 }
1019
1020 if (filename[0] == '\0') {
1021#if DEBUG_FILE_UPLOAD
1022 sapi_module.sapi_error(E_NOTICE, "No file uploaded");
1023#endif
1024 cancel_upload = UPLOAD_ERROR_D;
1025 }
1026
1027 offset = 0;
1028 end = 0;
1029
1030 if (!cancel_upload) {
1031 /* only bother to open temp file if we have data */
1032 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1033#if DEBUG_FILE_UPLOAD
1034 if (blen > 0) {
1035#else
1036 /* in non-debug mode we have no problem with 0-length files */
1037 {
1038#endif
1039 fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1);
1040 upload_cnt--;
1041 if (fd == -1) {
1042 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
1043 cancel_upload = UPLOAD_ERROR_E;
1044 }
1045 }
1046 }
1047
1048 while (!cancel_upload && (blen > 0))
1049 {
1050 if (php_rfc1867_callback != NULL) {
1051 multipart_event_file_data event_file_data;
1052
1053 event_file_data.post_bytes_processed = SG(read_post_bytes);
1054 event_file_data.offset = offset;
1055 event_file_data.data = buff;
1056 event_file_data.length = blen;
1057 event_file_data.newlength = &blen;
1058 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) {
1059 cancel_upload = UPLOAD_ERROR_X;
1060 continue;
1061 }
1062 }
1063
1064 if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) {
1065#if DEBUG_FILE_UPLOAD
1066 sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
1067#endif
1068 cancel_upload = UPLOAD_ERROR_A;
1069 } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) {
1070#if DEBUG_FILE_UPLOAD
1071 sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
1072#endif
1073 cancel_upload = UPLOAD_ERROR_B;
1074 } else if (blen > 0) {
1075#ifdef PHP_WIN32
1076 wlen = write(fd, buff, (unsigned int)blen);
1077#else
1078 wlen = write(fd, buff, blen);
1079#endif
1080
1081 if (wlen == -1) {
1082 /* write failed */
1083#if DEBUG_FILE_UPLOAD
1084 sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno));
1085#endif
1086 cancel_upload = UPLOAD_ERROR_F;
1087 } else if (wlen < blen) {
1088#if DEBUG_FILE_UPLOAD
1089 sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen);
1090#endif
1091 cancel_upload = UPLOAD_ERROR_F;
1092 } else {
1093 total_bytes += wlen;
1094 }
1095 offset += wlen;
1096 }
1097
1098 /* read data for next iteration */
1099 blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end);
1100 }
1101
1102 if (fd != -1) { /* may not be initialized if file could not be created */
1103 close(fd);
1104 }
1105
1106 if (!cancel_upload && !end) {
1107#if DEBUG_FILE_UPLOAD
1108 sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : "");
1109#endif
1110 cancel_upload = UPLOAD_ERROR_C;
1111 }
1112#if DEBUG_FILE_UPLOAD
1113 if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) {
1114 sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
1115 cancel_upload = 5;
1116 }
1117#endif
1118 if (php_rfc1867_callback != NULL) {
1119 multipart_event_file_end event_file_end;
1120
1121 event_file_end.post_bytes_processed = SG(read_post_bytes);
1122 event_file_end.temp_filename = ZSTR_VAL(temp_filename);
1123 event_file_end.cancel_upload = cancel_upload;
1124 if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) {
1125 cancel_upload = UPLOAD_ERROR_X;
1126 }
1127 }
1128
1129 if (cancel_upload) {
1130 if (temp_filename) {
1131 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
1132 unlink(ZSTR_VAL(temp_filename));
1133 }
1134 zend_string_release(temp_filename);
1135 }
1136 temp_filename = NULL;
1137 } else {
1138 zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename);
1139 }
1140
1141 /* is_arr_upload is true when name of file upload field
1142 * ends in [.*]
1143 * start_arr is set to point to 1st [ */
1144 is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
1145
1146 if (is_arr_upload) {
1147 array_len = (int)strlen(start_arr);
1148 if (array_index) {
1149 efree(array_index);
1150 }
1151 array_index = estrndup(start_arr + 1, array_len - 2);
1152 }
1153
1154 /* Add $foo_name */
1155 if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) {
1156 llen = (int)strlen(param);
1157 lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1);
1158 llen += MAX_SIZE_OF_INDEX + 1;
1159 }
1160
1161 if (is_arr_upload) {
1162 if (abuf) efree(abuf);
1163 abuf = estrndup(param, strlen(param)-array_len);
1164 snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index);
1165 } else {
1166 snprintf(lbuf, llen, "%s_name", param);
1167 }
1168
1169 /* The \ check should technically be needed for win32 systems only where
1170 * it is a valid path separator. However, IE in all it's wisdom always sends
1171 * the full path of the file on the user's filesystem, which means that unless
1172 * the user does basename() they get a bogus file name. Until IE's user base drops
1173 * to nill or problem is fixed this code must remain enabled for all systems. */
1174 s = _basename(internal_encoding, filename);
1175 if (!s) {
1176 s = filename;
1177 }
1178
1179 if (!is_anonymous) {
1180 safe_php_register_variable(lbuf, s, strlen(s), NULL, 0);
1181 }
1182
1183 /* Add $foo[name] */
1184 if (is_arr_upload) {
1185 snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index);
1186 } else {
1187 snprintf(lbuf, llen, "%s[name]", param);
1188 }
1189 register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0);
1190 efree(filename);
1191 s = NULL;
1192
1193 /* Possible Content-Type: */
1194 if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) {
1195 cd = "";
1196 } else {
1197 /* fix for Opera 6.01 */
1198 s = strchr(cd, ';');
1199 if (s != NULL) {
1200 *s = '\0';
1201 }
1202 }
1203
1204 /* Add $foo_type */
1205 if (is_arr_upload) {
1206 snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index);
1207 } else {
1208 snprintf(lbuf, llen, "%s_type", param);
1209 }
1210 if (!is_anonymous) {
1211 safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0);
1212 }
1213
1214 /* Add $foo[type] */
1215 if (is_arr_upload) {
1216 snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index);
1217 } else {
1218 snprintf(lbuf, llen, "%s[type]", param);
1219 }
1220 register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0);
1221
1222 /* Restore Content-Type Header */
1223 if (s != NULL) {
1224 *s = ';';
1225 }
1226 s = "";
1227
1228 {
1229 /* store temp_filename as-is (in case upload_tmp_dir
1230 * contains escapeable characters. escape only the variable name.) */
1231 zval zfilename;
1232
1233 /* Initialize variables */
1234 add_protected_variable(param);
1235
1236 /* if param is of form xxx[.*] this will cut it to xxx */
1237 if (!is_anonymous) {
1238 if (temp_filename) {
1239 ZVAL_STR_COPY(&zfilename, temp_filename);
1240 } else {
1241 ZVAL_EMPTY_STRING(&zfilename);
1242 }
1243 safe_php_register_variable_ex(param, &zfilename, NULL, 1);
1244 }
1245
1246 /* Add $foo[tmp_name] */
1247 if (is_arr_upload) {
1248 snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index);
1249 } else {
1250 snprintf(lbuf, llen, "%s[tmp_name]", param);
1251 }
1252 add_protected_variable(lbuf);
1253 if (temp_filename) {
1254 ZVAL_STR_COPY(&zfilename, temp_filename);
1255 } else {
1256 ZVAL_EMPTY_STRING(&zfilename);
1257 }
1258 register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1);
1259 }
1260
1261 {
1262 zval file_size, error_type;
1263 int size_overflow = 0;
1264 char file_size_buf[65];
1265
1266 ZVAL_LONG(&error_type, cancel_upload);
1267
1268 /* Add $foo[error] */
1269 if (cancel_upload) {
1270 ZVAL_LONG(&file_size, 0);
1271 } else {
1272 if (total_bytes > ZEND_LONG_MAX) {
1273#ifdef PHP_WIN32
1274 if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) {
1275 file_size_buf[0] = '0';
1276 file_size_buf[1] = '\0';
1277 }
1278#else
1279 {
1280 int __len = snprintf(file_size_buf, 65, "%lld", total_bytes);
1281 file_size_buf[__len] = '\0';
1282 }
1283#endif
1284 size_overflow = 1;
1285
1286 } else {
1287 ZVAL_LONG(&file_size, total_bytes);
1288 }
1289 }
1290
1291 if (is_arr_upload) {
1292 snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index);
1293 } else {
1294 snprintf(lbuf, llen, "%s[error]", param);
1295 }
1296 register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0);
1297
1298 /* Add $foo_size */
1299 if (is_arr_upload) {
1300 snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index);
1301 } else {
1302 snprintf(lbuf, llen, "%s_size", param);
1303 }
1304 if (!is_anonymous) {
1305 if (size_overflow) {
1306 ZVAL_STRING(&file_size, file_size_buf);
1307 }
1308 safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow);
1309 }
1310
1311 /* Add $foo[size] */
1312 if (is_arr_upload) {
1313 snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index);
1314 } else {
1315 snprintf(lbuf, llen, "%s[size]", param);
1316 }
1317 if (size_overflow) {
1318 ZVAL_STRING(&file_size, file_size_buf);
1319 }
1320 register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow);
1321 }
1322 efree(param);
1323 }
1324 }
1325
1326fileupload_done:
1327 if (php_rfc1867_callback != NULL) {
1328 multipart_event_end event_end;
1329
1330 event_end.post_bytes_processed = SG(read_post_bytes);
1331 php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data);
1332 }
1333
1334 if (lbuf) efree(lbuf);
1335 if (abuf) efree(abuf);
1336 if (array_index) efree(array_index);
1337 zend_hash_destroy(&PG(rfc1867_protected_variables));
1338 zend_llist_destroy(&header);
1339 if (mbuff->boundary_next) efree(mbuff->boundary_next);
1340 if (mbuff->boundary) efree(mbuff->boundary);
1341 if (mbuff->buffer) efree(mbuff->buffer);
1342 if (mbuff) efree(mbuff);
1343}
1344/* }}} */
1345
1346// SAPI_API void php_rfc1867_set_multibyte_callbacks(
1347// php_rfc1867_encoding_translation_t encoding_translation,
1348// php_rfc1867_get_detect_order_t get_detect_order,
1349// php_rfc1867_set_input_encoding_t set_input_encoding,
1350// php_rfc1867_getword_t getword,
1351// php_rfc1867_getword_conf_t getword_conf,
1352// php_rfc1867_basename_t basename) /* {{{ */
1353// {
1354// php_rfc1867_encoding_translation = encoding_translation;
1355// php_rfc1867_get_detect_order = get_detect_order;
1356// php_rfc1867_set_input_encoding = set_input_encoding;
1357// php_rfc1867_getword = getword;
1358// php_rfc1867_getword_conf = getword_conf;
1359// php_rfc1867_basename = basename;
1360// }
1361/* }}} */
1362
1363/*
1364 * Local variables:
1365 * tab-width: 4
1366 * c-basic-offset: 4
1367 * End:
1368 * vim600: sw=4 ts=4 fdm=marker
1369 * vim<600: sw=4 ts=4
1370 */
diff --git a/suhosin7.c b/suhosin7.c
index b91de37..2952629 100644
--- a/suhosin7.c
+++ b/suhosin7.c
@@ -356,15 +356,15 @@ PHP_INI_BEGIN()
356 STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul) 356 STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul)
357 STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws) 357 STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws)
358 // 358 //
359 // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) 359 STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit)
360 // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) 360 STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines)
361 // STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf) 361 STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf)
362 // STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary) 362 STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary)
363 // STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary) 363 STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary)
364#ifdef SUHOSIN7_EXPERIMENTAL 364#ifdef SUHOSIN7_EXPERIMENTAL
365 // STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8) 365 STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8)
366#endif 366#endif
367 // STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script) 367 STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script)
368 368
369 369
370 // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error) 370 // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error)
@@ -526,6 +526,8 @@ PHP_MINIT_FUNCTION(suhosin7)
526 suhosin_hook_session(); 526 suhosin_hook_session();
527#endif 527#endif
528 528
529 suhosin_hook_post_handlers();
530
529 return SUCCESS; 531 return SUCCESS;
530} 532}
531/* }}} */ 533/* }}} */
diff --git a/suhosin_rfc1867.h b/suhosin_rfc1867.h
new file mode 100644
index 0000000..5d946b0
--- /dev/null
+++ b/suhosin_rfc1867.h
@@ -0,0 +1,91 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2015 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Author: Stefan Esser <sesser@sektioneins.de> |
17 +----------------------------------------------------------------------+
18*/
19
20/* $Id: suhosin_rfc1867.h,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ */
21
22#ifndef SUHOSIN_RFC1867_H
23#define SUHOSIN_RFC1867_H
24
25#include "rfc1867.h"
26#include "SAPI.h"
27
28// #define MULTIPART_CONTENT_TYPE "multipart/form-data"
29// #ifdef MULTIPART_EVENT_START
30// #define HAVE_RFC1867_CALLBACK 1
31// #else
32// #define HAVE_RFC1867_CALLBACK 0
33
34// #define MULTIPART_EVENT_START 0
35// #define MULTIPART_EVENT_FORMDATA 1
36// #define MULTIPART_EVENT_FILE_START 2
37// #define MULTIPART_EVENT_FILE_DATA 3
38// #define MULTIPART_EVENT_FILE_END 4
39// #define MULTIPART_EVENT_END 5
40//
41// typedef struct _multipart_event_start {
42// size_t content_length;
43// } multipart_event_start;
44//
45// typedef struct _multipart_event_formdata {
46// size_t post_bytes_processed;
47// char *name;
48// char **value;
49// size_t length;
50// size_t *newlength;
51// } multipart_event_formdata;
52//
53// typedef struct _multipart_event_file_start {
54// size_t post_bytes_processed;
55// char *name;
56// char **filename;
57// } multipart_event_file_start;
58//
59// typedef struct _multipart_event_file_data {
60// size_t post_bytes_processed;
61// zend_off_t offset;
62// char *data;
63// size_t length;
64// size_t *newlength;
65// } multipart_event_file_data;
66//
67// typedef struct _multipart_event_file_end {
68// size_t post_bytes_processed;
69// char *temp_filename;
70// int cancel_upload;
71// } multipart_event_file_end;
72//
73// typedef struct _multipart_event_end {
74// size_t post_bytes_processed;
75// } multipart_event_end;
76//
77//
78// #endif
79//
80int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra);
81
82SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler);
83
84// void destroy_uploaded_files_hash(TSRMLS_D);
85// #if !HAVE_RFC1867_CALLBACK
86// extern PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra);
87// #else
88extern PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra);
89// #endif
90
91#endif /* SUHOSIN_RFC1867_H */
diff --git a/ufilter.c b/ufilter.c
new file mode 100644
index 0000000..cb36a67
--- /dev/null
+++ b/ufilter.c
@@ -0,0 +1,425 @@
1/*
2 +----------------------------------------------------------------------+
3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is |
10 | available through the world-wide-web at the following url: |
11 | http://www.php.net/license/3_01.txt |
12 | If you did not receive a copy of the PHP license and are unable to |
13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+
16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+
19*/
20/*
21 $Id: ufilter.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $
22*/
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "php.h"
29#include "php_ini.h"
30#include "ext/standard/info.h"
31#include "php_suhosin7.h"
32#include "php_variables.h"
33#include "suhosin_rfc1867.h"
34#include "ext/standard/php_var.h"
35
36// #if !HAVE_RFC1867_CALLBACK
37// PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL;
38// #endif
39//
40
41/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
42 */
43static int check_fileupload_varname(char *varname)
44{
45 char *index, *prev_index = NULL, *var;
46 unsigned int var_len, total_len, depth = 0;
47
48 var = estrdup(varname);
49
50 /* Normalize the variable name */
51 suhosin_normalize_varname(var);
52
53 /* Find length of variable name */
54 index = strchr(var, '[');
55 total_len = strlen(var);
56 var_len = index ? index-var : total_len;
57
58 /* Drop this variable if it exceeds the varname/total length limit */
59 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) {
60 suhosin_log(S_FILES, "configured request variable name length limit exceeded - dropped variable '%s'", var);
61 if (!SUHOSIN7_G(simulation)) {
62 goto return_failure;
63 }
64 }
65 if (SUHOSIN7_G(max_totalname_length) && SUHOSIN7_G(max_totalname_length) < total_len) {
66 suhosin_log(S_FILES, "configured request variable total name length limit exceeded - dropped variable '%s'", var);
67 if (!SUHOSIN7_G(simulation)) {
68 goto return_failure;
69 }
70 }
71 if (SUHOSIN7_G(max_post_name_length) && SUHOSIN7_G(max_post_name_length) < var_len) {
72 suhosin_log(S_FILES, "configured POST variable name length limit exceeded - dropped variable '%s'", var);
73 if (!SUHOSIN7_G(simulation)) {
74 goto return_failure;
75 }
76 }
77 if (SUHOSIN7_G(max_post_totalname_length) && SUHOSIN7_G(max_post_totalname_length) < var_len) {
78 suhosin_log(S_FILES, "configured POST variable total name length limit exceeded - dropped variable '%s'", var);
79 if (!SUHOSIN7_G(simulation)) {
80 goto return_failure;
81 }
82 }
83
84 /* Find out array depth */
85 while (index) {
86 char *index_end;
87 unsigned int index_length;
88
89 /* overjump '[' */
90 index++;
91
92 /* increase array depth */
93 depth++;
94
95 index_end = strchr(index, ']');
96 if (index_end == NULL) {
97 index_end = index+strlen(index);
98 }
99
100 index_length = index_end - index;
101
102 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) {
103 suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
104 if (!SUHOSIN7_G(simulation)) {
105 goto return_failure;
106 }
107 }
108 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) {
109 suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
110 if (!SUHOSIN7_G(simulation)) {
111 goto return_failure;
112 }
113 }
114
115 /* index whitelist/blacklist */
116 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) {
117 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) {
118 suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
119 if (!SUHOSIN7_G(simulation)) {
120 goto return_failure;
121 }
122 }
123 } else if (SUHOSIN7_G(array_index_blacklist) && *(SUHOSIN7_G(array_index_blacklist))) {
124 if (suhosin_strncspn(index, index_length, SUHOSIN7_G(array_index_blacklist)) != index_length) {
125 suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
126 if (!SUHOSIN7_G(simulation)) {
127 goto return_failure;
128 }
129 }
130 }
131
132
133 index = strchr(index, '[');
134 }
135
136 /* Drop this variable if it exceeds the array depth limit */
137 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) {
138 suhosin_log(S_FILES, "configured request variable array depth limit exceeded - dropped variable '%s'", var);
139 if (!SUHOSIN7_G(simulation)) {
140 goto return_failure;
141 }
142 }
143 if (SUHOSIN7_G(max_post_array_depth) && SUHOSIN7_G(max_post_array_depth) < depth) {
144 suhosin_log(S_FILES, "configured POST variable array depth limit exceeded - dropped variable '%s'", var);
145 if (!SUHOSIN7_G(simulation)) {
146 goto return_failure;
147 }
148 }
149
150
151 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
152 /* This is to protect several silly scripts that do globalizing themself */
153 if (suhosin_is_protected_varname(var, var_len)) {
154 suhosin_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
155 if (!SUHOSIN7_G(simulation)) {
156 goto return_failure;
157 }
158 }
159
160 efree(var);
161 return SUCCESS;
162
163return_failure:
164 efree(var);
165 return FAILURE;
166}
167/* }}} */
168
169#ifdef SUHOSIN7_EXPERIMENTAL
170static inline int suhosin_validate_utf8_multibyte(const char* cp, size_t maxlen)
171{
172 if (maxlen < 2 || !(*cp & 0x80)) { return 0; }
173 if ((*cp & 0xe0) == 0xc0 && // 1st byte is 110xxxxx
174 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
175 (*cp & 0x1e)) { // overlong check 110[xxxx]x 10xxxxxx
176 return 2;
177 }
178 if (maxlen < 3) { return 0; }
179 if ((*cp & 0xf0) == 0xe0 && // 1st byte is 1110xxxx
180 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
181 (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx
182 ((*cp & 0x0f) | (*(cp+1) & 0x20))) { // 1110[xxxx] 10[x]xxxxx 10xxxxxx
183 return 3;
184 }
185 if (maxlen < 4) { return 0; }
186 if ((*cp & 0xf8) == 0xf0 && // 1st byte is 11110xxx
187 (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx
188 (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx
189 (*(cp+3) & 0xc0) == 0x80 && // 4th byte is 10xxxxxx
190 ((*cp & 0x07) | (*(cp+1) & 0x30))) { // 11110[xxx] 10[xx]xxxx 10xxxxxx 10xxxxxx
191 return 4;
192 }
193 return 0;
194}
195#endif
196
197int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra)
198{
199 int retval = SUCCESS;
200
201 SDEBUG("rfc1867_filter %u", event);
202
203 switch (event) {
204 case MULTIPART_EVENT_START:
205 case MULTIPART_EVENT_FORMDATA:
206 /* nothing todo */
207 break;
208
209 case MULTIPART_EVENT_FILE_START:
210 {
211 multipart_event_file_start *mefs = (multipart_event_file_start *) event_data;
212
213 /* Drop if no more variables flag is set */
214 if (SUHOSIN7_G(no_more_uploads)) {
215 goto continue_with_failure;
216 }
217
218 /* Drop this fileupload if the limit is reached */
219 if (SUHOSIN7_G(upload_limit) && SUHOSIN7_G(upload_limit) <= SUHOSIN7_G(num_uploads)) {
220 suhosin_log(S_FILES, "configured fileupload limit exceeded - file dropped");
221 if (!SUHOSIN7_G(simulation)) {
222 SUHOSIN7_G(no_more_uploads) = 1;
223 goto continue_with_failure;
224 }
225 }
226
227 if (check_fileupload_varname(mefs->name) == FAILURE) {
228 goto continue_with_failure;
229 }
230 }
231
232 break;
233
234 case MULTIPART_EVENT_FILE_DATA:
235
236 if (SUHOSIN7_G(upload_disallow_elf)) {
237 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
238
239 if (mefd->offset == 0 && mefd->length > 10) {
240 if (mefd->data[0] == 0x7F && mefd->data[1] == 'E' && mefd->data[2] == 'L' && mefd->data[3] == 'F') {
241 suhosin_log(S_FILES, "uploaded file is an ELF executable - file dropped");
242 if (!SUHOSIN7_G(simulation)) {
243 goto continue_with_failure;
244 }
245 }
246 }
247 }
248
249 if (SUHOSIN7_G(upload_disallow_binary)) {
250
251 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
252
253 char *cp, *cpend;
254 int n;
255 cpend = mefd->data + mefd->length;
256 for (cp = mefd->data; cp < cpend; cp++) {
257 if (*cp >= 32 || isspace(*cp)) {
258 continue;
259 }
260#ifdef SUHOSIN7_EXPERIMENTAL
261 if ((*cp & 0x80) && SUHOSIN7_G(upload_allow_utf8)) {
262 SDEBUG("checking char %x", *cp);
263 if ((n = suhosin_validate_utf8_multibyte(cp, cpend-cp))) { // valid UTF8 multibyte character
264 cp += n - 1;
265 continue;
266 }
267 }
268#endif
269 suhosin_log(S_FILES, "uploaded file contains binary data - file dropped");
270 if (!SUHOSIN7_G(simulation)) {
271 goto continue_with_failure;
272 }
273 break;
274 }
275 }
276
277 if (SUHOSIN7_G(upload_remove_binary)) {
278
279 multipart_event_file_data *mefd = (multipart_event_file_data *) event_data;
280 size_t i, j;
281 int n;
282
283 for (i=0, j=0; i<mefd->length; i++) {
284 if (mefd->data[i] >= 32 || isspace(mefd->data[i])) {
285 mefd->data[j++] = mefd->data[i];
286 }
287#ifdef SUHOSIN7_EXPERIMENTAL
288 else if (SUHOSIN7_G(upload_allow_utf8) && mefd->data[i] & 0x80) {
289 n = suhosin_validate_utf8_multibyte(mefd->data + i, mefd->length - i);
290 if (!n) { continue; }
291 while (n--) {
292 mefd->data[j++] = mefd->data[i++];
293 }
294 i--;
295 }
296#endif
297 }
298 mefd->data[j] = '\0';
299
300 SDEBUG("removing binary %zu %zu",i,j);
301 /* IMPORTANT FOR DAISY CHAINING */
302 mefd->length = j;
303 if (mefd->newlength) {
304 *mefd->newlength = j;
305 }
306 }
307
308 break;
309
310 case MULTIPART_EVENT_FILE_END:
311
312 if (SUHOSIN7_G(upload_verification_script)) {
313 multipart_event_file_end *mefe = (multipart_event_file_end *) event_data;
314 char cmd[8192];
315 FILE *in;
316 int first=1;
317 struct stat st;
318 char *sname = SUHOSIN7_G(upload_verification_script);
319
320 /* ignore files that will get deleted anyway */
321 if (mefe->cancel_upload) {
322 break;
323 }
324
325 /* ignore empty scriptnames */
326 while (isspace(*sname)) ++sname;
327 if (*sname == 0) {
328 SUHOSIN7_G(num_uploads)++;
329 break;
330 }
331
332 if (VCWD_STAT(sname, &st) < 0) {
333 suhosin_log(S_FILES, "unable to find fileupload verification script %s - file dropped", sname);
334 if (!SUHOSIN7_G(simulation)) {
335 goto continue_with_failure;
336 } else {
337 goto continue_with_next;
338 }
339 }
340 if (access(sname, X_OK|R_OK) < 0) {
341 suhosin_log(S_FILES, "fileupload verification script %s is not executable - file dropped", sname);
342 if (!SUHOSIN7_G(simulation)) {
343 goto continue_with_failure;
344 } else {
345 goto continue_with_next;
346 }
347 }
348
349 ap_php_snprintf(cmd, sizeof(cmd), "%s %s 2>&1", sname, mefe->temp_filename);
350
351 if ((in = VCWD_POPEN(cmd, "r")) == NULL) {
352 suhosin_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", sname);
353 if (!SUHOSIN7_G(simulation)) {
354 goto continue_with_failure;
355 } else {
356 goto continue_with_next;
357 }
358 }
359
360 retval = FAILURE;
361
362 /* read and forget the result */
363 while (1) {
364 int readbytes = fread(cmd, 1, sizeof(cmd), in);
365 if (readbytes<=0) {
366 break;
367 }
368 if (first) {
369 if (strncmp(cmd, "sh: ", 4) == 0) {
370 /* assume this is an error */
371 suhosin_log(S_FILES, "error while executing fileupload verification script %s - file dropped", sname);
372 if (!SUHOSIN7_G(simulation)) {
373 goto continue_with_failure;
374 } else {
375 goto continue_with_next;
376 }
377 } else {
378 retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
379 first = 0;
380 }
381 }
382 }
383 pclose(in);
384 }
385
386 if (retval != SUCCESS) {
387 suhosin_log(S_FILES, "fileupload verification script disallows file - file dropped");
388 if (!SUHOSIN7_G(simulation)) {
389 goto continue_with_failure;
390 }
391 }
392
393 SUHOSIN7_G(num_uploads)++;
394 break;
395
396 case MULTIPART_EVENT_END:
397 /* nothing todo */
398 break;
399
400 default:
401 /* unknown: return failure */
402 goto continue_with_failure;
403 }
404continue_with_next:
405// #if HAVE_RFC1867_CALLBACK
406 if (php_rfc1867_callback != NULL) {
407 return php_rfc1867_callback(event, event_data, extra);
408 }
409// #endif
410 return SUCCESS;
411continue_with_failure:
412 SUHOSIN7_G(abort_request) = 1;
413 return FAILURE;
414}
415
416
417
418/*
419 * Local variables:
420 * tab-width: 4
421 * c-basic-offset: 4
422 * End:
423 * vim600: sw=4 ts=4 fdm=marker
424 * vim<600: sw=4 ts=4
425 */