summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--config.m42
-rw-r--r--ifilter.c156
-rw-r--r--php_suhosin7.h35
-rw-r--r--suhosin7.c114
-rw-r--r--treat_data.c2
5 files changed, 143 insertions, 166 deletions
diff --git a/config.m4 b/config.m4
index 6cb35cf..8f6d645 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin, whether to enable suhosin support,
5[ --enable-suhosin Enable suhosin support]) 5[ --enable-suhosin Enable suhosin support])
6 6
7if test "$PHP_SUHOSIN" != "no"; then 7if test "$PHP_SUHOSIN" != "no"; then
8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c aes.c ifilter.c memory_limit.c sha256.c treat_data.c log.c, $ext_shared,, -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1) 8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c aes.c ifilter.c memory_limit.c sha256.c treat_data.c log.c execute.c, $ext_shared,, -DZEND_ENABLE_STATIC_TSRMLS_CACHE=1)
9fi 9fi
10 10
11PHP_ARG_ENABLE(suhosin7-experimental, whether to enable experimental suhosin7 features, 11PHP_ARG_ENABLE(suhosin7-experimental, whether to enable experimental suhosin7 features,
diff --git a/ifilter.c b/ifilter.c
index 627fdbd..c75abe8 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -3,7 +3,7 @@
3 | Suhosin Version 1 | 3 | Suhosin Version 1 |
4 +----------------------------------------------------------------------+ 4 +----------------------------------------------------------------------+
5 | Copyright (c) 2006-2007 The Hardened-PHP Project | 5 | Copyright (c) 2006-2007 The Hardened-PHP Project |
6 | Copyright (c) 2007-2015 SektionEins GmbH | 6 | Copyright (c) 2007-2016 SektionEins GmbH |
7 +----------------------------------------------------------------------+ 7 +----------------------------------------------------------------------+
8 | This source file is subject to version 3.01 of the PHP license, | 8 | This source file is subject to version 3.01 of the PHP license, |
9 | that is bundled with this package in the file LICENSE, and is | 9 | that is bundled with this package in the file LICENSE, and is |
@@ -13,7 +13,8 @@
13 | obtain it through the world-wide-web, please send a note to | 13 | obtain it through the world-wide-web, please send a note to |
14 | license@php.net so we can mail you a copy immediately. | 14 | license@php.net so we can mail you a copy immediately. |
15 +----------------------------------------------------------------------+ 15 +----------------------------------------------------------------------+
16 | Author: Stefan Esser <sesser@sektioneins.de> | 16 | Authors: Stefan Esser <sesser@sektioneins.de> |
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
17 +----------------------------------------------------------------------+ 18 +----------------------------------------------------------------------+
18*/ 19*/
19/* 20/*
@@ -156,6 +157,7 @@ static void suhosin_server_strip(HashTable *arr, char *key, int klen)
156 } 157 }
157 158
158 t = (unsigned char *)Z_STRVAL_P(zv); 159 t = (unsigned char *)Z_STRVAL_P(zv);
160 // SDEBUG()
159 for (; *t; t++) { 161 for (; *t; t++) {
160 if (suhosin_is_dangerous_char[*t]) { 162 if (suhosin_is_dangerous_char[*t]) {
161 *t = '?'; 163 *t = '?';
@@ -205,7 +207,10 @@ static void suhosin_server_encode(HashTable *arr, char *key, int klen)
205 *n = 0; 207 *n = 0;
206 208
207 zend_string *zs = zend_string_extend(Z_STR_P(zv), dest_len, 0); 209 zend_string *zs = zend_string_extend(Z_STR_P(zv), dest_len, 0);
208 memcpy(Z_STR_P(zv), dest, dest_len); 210 memcpy(ZSTR_VAL(zs), dest, dest_len);
211 ZSTR_LEN(zs) = dest_len-1;
212 zend_string_forget_hash_val(zs);
213 Z_STR_P(zv) = zs;
209} 214}
210/* }}} */ 215/* }}} */
211 216
@@ -287,17 +292,20 @@ unsigned int (*old_input_filter)(int arg, char *var, char **val, size_t val_len,
287 */ 292 */
288unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t val_len, size_t *new_val_len) 293unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t val_len, size_t *new_val_len)
289{ 294{
290 zend_bool already_scanned = SUHOSIN7_G(already_scanned); 295 // zend_bool already_scanned = SUHOSIN7_G(already_scanned);
291 SUHOSIN7_G(already_scanned) = 0; 296 // SUHOSIN7_G(already_scanned) = 0;
297 // SDEBUG("ifilter arg=%d var=%s do_not_scan=%d already_scanned=%d", arg, var, SUHOSIN7_G(do_not_scan), already_scanned);
298 SDEBUG("ifilter arg=%d var=%s do_not_scan=%d", arg, var, SUHOSIN7_G(do_not_scan));
292 299
293 if (SUHOSIN7_G(do_not_scan)) { 300 if (SUHOSIN7_G(do_not_scan)) {
301 SDEBUG("do_not_scan");
294 if (new_val_len) { 302 if (new_val_len) {
295 *new_val_len = val_len; 303 *new_val_len = val_len;
296 } 304 }
297 return 1; 305 return 1;
298 } 306 }
299 307
300 if (!already_scanned) { 308 // if (!already_scanned) {
301 if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) { 309 if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) {
302 SUHOSIN7_G(abort_request)=1; 310 SUHOSIN7_G(abort_request)=1;
303 return 0; 311 return 0;
@@ -305,7 +313,7 @@ unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t
305 if (new_val_len) { 313 if (new_val_len) {
306 val_len = *new_val_len; 314 val_len = *new_val_len;
307 } 315 }
308 } 316 // }
309 if (old_input_filter) { 317 if (old_input_filter) {
310 return old_input_filter(arg, var, val, val_len, new_val_len); 318 return old_input_filter(arg, var, val, val_len, new_val_len);
311 } else { 319 } else {
@@ -317,11 +325,12 @@ unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t
317 */ 325 */
318unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len, size_t *new_val_len) 326unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len, size_t *new_val_len)
319{ 327{
328 SDEBUG("%s=%s arg=%d", var, *val, arg);
320 char *index, *prev_index = NULL; 329 char *index, *prev_index = NULL;
321 unsigned int var_len, total_len, depth = 0; 330 unsigned int var_len, total_len, depth = 0;
322 331
323 /* Mark that we were called */ 332 /* Mark that we were called */
324 SUHOSIN7_G(already_scanned) = 1; 333 // SUHOSIN7_G(already_scanned) = 1;
325 334
326 if (new_val_len) { 335 if (new_val_len) {
327 *new_val_len = 0; 336 *new_val_len = 0;
@@ -363,7 +372,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
363 if (SUHOSIN7_G(max_get_vars) && SUHOSIN7_G(max_get_vars) <= SUHOSIN7_G(cur_get_vars)) { 372 if (SUHOSIN7_G(max_get_vars) && SUHOSIN7_G(max_get_vars) <= SUHOSIN7_G(cur_get_vars)) {
364 suhosin_log(S_VARS, "configured GET variable limit exceeded - dropped variable '%s' - all further GET variables are dropped", var); 373 suhosin_log(S_VARS, "configured GET variable limit exceeded - dropped variable '%s' - all further GET variables are dropped", var);
365 if (!SUHOSIN7_G(simulation)) { 374 if (!SUHOSIN7_G(simulation)) {
366 SUHOSIN7_G(no_more_get_variables) = 1; 375 SUHOSIN7_G(no_more_get_variables) = 1;
367 return 0; 376 return 0;
368 } 377 }
369 } 378 }
@@ -372,7 +381,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
372 if (SUHOSIN7_G(max_cookie_vars) && SUHOSIN7_G(max_cookie_vars) <= SUHOSIN7_G(cur_cookie_vars)) { 381 if (SUHOSIN7_G(max_cookie_vars) && SUHOSIN7_G(max_cookie_vars) <= SUHOSIN7_G(cur_cookie_vars)) {
373 suhosin_log(S_VARS, "configured COOKIE variable limit exceeded - dropped variable '%s' - all further COOKIE variables are dropped", var); 382 suhosin_log(S_VARS, "configured COOKIE variable limit exceeded - dropped variable '%s' - all further COOKIE variables are dropped", var);
374 if (!SUHOSIN7_G(simulation)) { 383 if (!SUHOSIN7_G(simulation)) {
375 SUHOSIN7_G(no_more_cookie_variables) = 1; 384 SUHOSIN7_G(no_more_cookie_variables) = 1;
376 return 0; 385 return 0;
377 } 386 }
378 } 387 }
@@ -389,71 +398,58 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
389 } 398 }
390 399
391 /* Drop this variable if it begins with whitespace which is disallowed */ 400 /* Drop this variable if it begins with whitespace which is disallowed */
401 // SDEBUG("checking '%c'", *var);
392 if (isspace(*var)) { 402 if (isspace(*var)) {
403 SDEBUG("is WS");
393 if (SUHOSIN7_G(disallow_ws)) { 404 if (SUHOSIN7_G(disallow_ws)) {
394 suhosin_log(S_VARS, "request variable name begins with disallowed whitespace - dropped variable '%s'", var); 405 suhosin_log(S_VARS, "request variable name begins with disallowed whitespace - dropped variable '%s'", var);
395 if (!SUHOSIN7_G(simulation)) { 406 if (!SUHOSIN7_G(simulation)) { return 0; }
396 return 0;
397 }
398 } 407 }
399 switch (arg) { 408 switch (arg) {
400 case PARSE_GET: 409 case PARSE_GET:
401 if (SUHOSIN7_G(disallow_get_ws)) { 410 if (SUHOSIN7_G(disallow_get_ws)) {
402 suhosin_log(S_VARS, "GET variable name begins with disallowed whitespace - dropped variable '%s'", var); 411 suhosin_log(S_VARS, "GET variable name begins with disallowed whitespace - dropped variable '%s'", var);
403 if (!SUHOSIN7_G(simulation)) { 412 if (!SUHOSIN7_G(simulation)) { return 0; }
404 return 0;
405 }
406 } 413 }
407 break; 414 break;
408 case PARSE_POST: 415 case PARSE_POST:
409 if (SUHOSIN7_G(disallow_post_ws)) { 416 if (SUHOSIN7_G(disallow_post_ws)) {
410 suhosin_log(S_VARS, "POST variable name begins with disallowed whitespace - dropped variable '%s'", var); 417 suhosin_log(S_VARS, "POST variable name begins with disallowed whitespace - dropped variable '%s'", var);
411 if (!SUHOSIN7_G(simulation)) { 418 if (!SUHOSIN7_G(simulation)) { return 0; }
412 return 0;
413 }
414 } 419 }
415 break; 420 break;
416 case PARSE_COOKIE: 421 case PARSE_COOKIE:
417 if (SUHOSIN7_G(disallow_cookie_ws)) { 422 if (SUHOSIN7_G(disallow_cookie_ws)) {
418 suhosin_log(S_VARS, "COOKIE variable name begins with disallowed whitespace - dropped variable '%s'", var); 423 suhosin_log(S_VARS, "COOKIE variable name begins with disallowed whitespace - dropped variable '%s'", var);
419 if (!SUHOSIN7_G(simulation)) { 424 if (!SUHOSIN7_G(simulation)) { return 0; }
420 return 0;
421 }
422 } 425 }
423 break; 426 break;
424 } 427 }
425 } 428 }
429 // else { SDEBUG("not WS");}
426 430
427 /* Drop this variable if it exceeds the value length limit */ 431 /* Drop this variable if it exceeds the value length limit */
428 if (SUHOSIN7_G(max_value_length) && SUHOSIN7_G(max_value_length) < val_len) { 432 if (SUHOSIN7_G(max_value_length) && SUHOSIN7_G(max_value_length) < val_len) {
429 suhosin_log(S_VARS, "configured request variable value length limit exceeded - dropped variable '%s'", var); 433 suhosin_log(S_VARS, "configured request variable value length limit exceeded - dropped variable '%s'", var);
430 if (!SUHOSIN7_G(simulation)) { 434 if (!SUHOSIN7_G(simulation)) { return 0; }
431 return 0;
432 }
433 } 435 }
434 switch (arg) { 436 switch (arg) {
435 case PARSE_GET: 437 case PARSE_GET:
436 if (SUHOSIN7_G(max_get_value_length) && SUHOSIN7_G(max_get_value_length) < val_len) { 438 if (SUHOSIN7_G(max_get_value_length) && SUHOSIN7_G(max_get_value_length) < val_len) {
437 suhosin_log(S_VARS, "configured GET variable value length limit exceeded - dropped variable '%s'", var); 439 suhosin_log(S_VARS, "configured GET variable value length limit exceeded - dropped variable '%s'", var);
438 if (!SUHOSIN7_G(simulation)) { 440 if (!SUHOSIN7_G(simulation)) { return 0; }
439 return 0;
440 }
441 } 441 }
442 break; 442 break;
443 case PARSE_COOKIE: 443 case PARSE_COOKIE:
444 if (SUHOSIN7_G(max_cookie_value_length) && SUHOSIN7_G(max_cookie_value_length) < val_len) { 444 if (SUHOSIN7_G(max_cookie_value_length) && SUHOSIN7_G(max_cookie_value_length) < val_len) {
445 suhosin_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped variable '%s'", var); 445 suhosin_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped variable '%s'", var);
446 if (!SUHOSIN7_G(simulation)) { 446 if (!SUHOSIN7_G(simulation)) { return 0; }
447 return 0;
448 }
449 } 447 }
450 break; 448 break;
451 case PARSE_POST: 449 case PARSE_POST:
452 if (SUHOSIN7_G(max_post_value_length) && SUHOSIN7_G(max_post_value_length) < val_len) { 450 if (SUHOSIN7_G(max_post_value_length) && SUHOSIN7_G(max_post_value_length) < val_len) {
453 suhosin_log(S_VARS, "configured POST variable value length limit exceeded - dropped variable '%s'", var); 451 suhosin_log(S_VARS, "configured POST variable value length limit exceeded - dropped variable '%s'", var);
454 if (!SUHOSIN7_G(simulation)) { 452 if (!SUHOSIN7_G(simulation)) { return 0; }
455 return 0;
456 }
457 } 453 }
458 break; 454 break;
459 } 455 }
@@ -469,57 +465,41 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
469 /* Drop this variable if it exceeds the varname/total length limit */ 465 /* Drop this variable if it exceeds the varname/total length limit */
470 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) { 466 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) {
471 suhosin_log(S_VARS, "configured request variable name length limit exceeded - dropped variable '%s'", var); 467 suhosin_log(S_VARS, "configured request variable name length limit exceeded - dropped variable '%s'", var);
472 if (!SUHOSIN7_G(simulation)) { 468 if (!SUHOSIN7_G(simulation)) { return 0; }
473 return 0;
474 }
475 } 469 }
476 if (SUHOSIN7_G(max_totalname_length) && SUHOSIN7_G(max_totalname_length) < total_len) { 470 if (SUHOSIN7_G(max_totalname_length) && SUHOSIN7_G(max_totalname_length) < total_len) {
477 suhosin_log(S_VARS, "configured request variable total name length limit exceeded - dropped variable '%s'", var); 471 suhosin_log(S_VARS, "configured request variable total name length limit exceeded - dropped variable '%s'", var);
478 if (!SUHOSIN7_G(simulation)) { 472 if (!SUHOSIN7_G(simulation)) { return 0; }
479 return 0;
480 }
481 } 473 }
482 switch (arg) { 474 switch (arg) {
483 case PARSE_GET: 475 case PARSE_GET:
484 if (SUHOSIN7_G(max_get_name_length) && SUHOSIN7_G(max_get_name_length) < var_len) { 476 if (SUHOSIN7_G(max_get_name_length) && SUHOSIN7_G(max_get_name_length) < var_len) {
485 suhosin_log(S_VARS, "configured GET variable name length limit exceeded - dropped variable '%s'", var); 477 suhosin_log(S_VARS, "configured GET variable name length limit exceeded - dropped variable '%s'", var);
486 if (!SUHOSIN7_G(simulation)) { 478 if (!SUHOSIN7_G(simulation)) { return 0; }
487 return 0;
488 }
489 } 479 }
490 if (SUHOSIN7_G(max_get_totalname_length) && SUHOSIN7_G(max_get_totalname_length) < total_len) { 480 if (SUHOSIN7_G(max_get_totalname_length) && SUHOSIN7_G(max_get_totalname_length) < total_len) {
491 suhosin_log(S_VARS, "configured GET variable total name length limit exceeded - dropped variable '%s'", var); 481 suhosin_log(S_VARS, "configured GET variable total name length limit exceeded - dropped variable '%s'", var);
492 if (!SUHOSIN7_G(simulation)) { 482 if (!SUHOSIN7_G(simulation)) { return 0; }
493 return 0;
494 }
495 } 483 }
496 break; 484 break;
497 case PARSE_COOKIE: 485 case PARSE_COOKIE:
498 if (SUHOSIN7_G(max_cookie_name_length) && SUHOSIN7_G(max_cookie_name_length) < var_len) { 486 if (SUHOSIN7_G(max_cookie_name_length) && SUHOSIN7_G(max_cookie_name_length) < var_len) {
499 suhosin_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped variable '%s'", var); 487 suhosin_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped variable '%s'", var);
500 if (!SUHOSIN7_G(simulation)) { 488 if (!SUHOSIN7_G(simulation)) { return 0; }
501 return 0;
502 }
503 } 489 }
504 if (SUHOSIN7_G(max_cookie_totalname_length) && SUHOSIN7_G(max_cookie_totalname_length) < total_len) { 490 if (SUHOSIN7_G(max_cookie_totalname_length) && SUHOSIN7_G(max_cookie_totalname_length) < total_len) {
505 suhosin_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped variable '%s'", var); 491 suhosin_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped variable '%s'", var);
506 if (!SUHOSIN7_G(simulation)) { 492 if (!SUHOSIN7_G(simulation)) { return 0; }
507 return 0;
508 }
509 } 493 }
510 break; 494 break;
511 case PARSE_POST: 495 case PARSE_POST:
512 if (SUHOSIN7_G(max_post_name_length) && SUHOSIN7_G(max_post_name_length) < var_len) { 496 if (SUHOSIN7_G(max_post_name_length) && SUHOSIN7_G(max_post_name_length) < var_len) {
513 suhosin_log(S_VARS, "configured POST variable name length limit exceeded - dropped variable '%s'", var); 497 suhosin_log(S_VARS, "configured POST variable name length limit exceeded - dropped variable '%s'", var);
514 if (!SUHOSIN7_G(simulation)) { 498 if (!SUHOSIN7_G(simulation)) { return 0; }
515 return 0;
516 }
517 } 499 }
518 if (SUHOSIN7_G(max_post_totalname_length) && SUHOSIN7_G(max_post_totalname_length) < total_len) { 500 if (SUHOSIN7_G(max_post_totalname_length) && SUHOSIN7_G(max_post_totalname_length) < total_len) {
519 suhosin_log(S_VARS, "configured POST variable total name length limit exceeded - dropped variable '%s'", var); 501 suhosin_log(S_VARS, "configured POST variable total name length limit exceeded - dropped variable '%s'", var);
520 if (!SUHOSIN7_G(simulation)) { 502 if (!SUHOSIN7_G(simulation)) { return 0; }
521 return 0;
522 }
523 } 503 }
524 break; 504 break;
525 } 505 }
@@ -545,33 +525,25 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
545 /* max. array index length */ 525 /* max. array index length */
546 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) { 526 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) {
547 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var); 527 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
548 if (!SUHOSIN7_G(simulation)) { 528 if (!SUHOSIN7_G(simulation)) { return 0; }
549 return 0;
550 }
551 } 529 }
552 switch (arg) { 530 switch (arg) {
553 case PARSE_GET: 531 case PARSE_GET:
554 if (SUHOSIN7_G(max_get_array_index_length) && SUHOSIN7_G(max_get_array_index_length) < index_length) { 532 if (SUHOSIN7_G(max_get_array_index_length) && SUHOSIN7_G(max_get_array_index_length) < index_length) {
555 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var); 533 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
556 if (!SUHOSIN7_G(simulation)) { 534 if (!SUHOSIN7_G(simulation)) { return 0; }
557 return 0;
558 }
559 } 535 }
560 break; 536 break;
561 case PARSE_COOKIE: 537 case PARSE_COOKIE:
562 if (SUHOSIN7_G(max_cookie_array_index_length) && SUHOSIN7_G(max_cookie_array_index_length) < index_length) { 538 if (SUHOSIN7_G(max_cookie_array_index_length) && SUHOSIN7_G(max_cookie_array_index_length) < index_length) {
563 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var); 539 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
564 if (!SUHOSIN7_G(simulation)) { 540 if (!SUHOSIN7_G(simulation)) { return 0; }
565 return 0;
566 }
567 } 541 }
568 break; 542 break;
569 case PARSE_POST: 543 case PARSE_POST:
570 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) { 544 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) {
571 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var); 545 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
572 if (!SUHOSIN7_G(simulation)) { 546 if (!SUHOSIN7_G(simulation)) { return 0; }
573 return 0;
574 }
575 } 547 }
576 break; 548 break;
577 } 549 }
@@ -580,16 +552,12 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
580 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) { 552 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) {
581 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) { 553 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) {
582 suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var); 554 suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var);
583 if (!SUHOSIN7_G(simulation)) { 555 if (!SUHOSIN7_G(simulation)) { return 0; }
584 return 0;
585 }
586 } 556 }
587 } else if (SUHOSIN7_G(array_index_blacklist) && *(SUHOSIN7_G(array_index_blacklist))) { 557 } else if (SUHOSIN7_G(array_index_blacklist) && *(SUHOSIN7_G(array_index_blacklist))) {
588 if (suhosin_strncspn(index, index_length, SUHOSIN7_G(array_index_blacklist)) != index_length) { 558 if (suhosin_strncspn(index, index_length, SUHOSIN7_G(array_index_blacklist)) != index_length) {
589 suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var); 559 suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var);
590 if (!SUHOSIN7_G(simulation)) { 560 if (!SUHOSIN7_G(simulation)) { return 0; }
591 return 0;
592 }
593 } 561 }
594 } 562 }
595 563
@@ -599,33 +567,25 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
599 /* Drop this variable if it exceeds the array depth limit */ 567 /* Drop this variable if it exceeds the array depth limit */
600 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) { 568 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) {
601 suhosin_log(S_VARS, "configured request variable array depth limit exceeded - dropped variable '%s'", var); 569 suhosin_log(S_VARS, "configured request variable array depth limit exceeded - dropped variable '%s'", var);
602 if (!SUHOSIN7_G(simulation)) { 570 if (!SUHOSIN7_G(simulation)) { return 0; }
603 return 0;
604 }
605 } 571 }
606 switch (arg) { 572 switch (arg) {
607 case PARSE_GET: 573 case PARSE_GET:
608 if (SUHOSIN7_G(max_get_array_depth) && SUHOSIN7_G(max_get_array_depth) < depth) { 574 if (SUHOSIN7_G(max_get_array_depth) && SUHOSIN7_G(max_get_array_depth) < depth) {
609 suhosin_log(S_VARS, "configured GET variable array depth limit exceeded - dropped variable '%s'", var); 575 suhosin_log(S_VARS, "configured GET variable array depth limit exceeded - dropped variable '%s'", var);
610 if (!SUHOSIN7_G(simulation)) { 576 if (!SUHOSIN7_G(simulation)) { return 0; }
611 return 0;
612 }
613 } 577 }
614 break; 578 break;
615 case PARSE_COOKIE: 579 case PARSE_COOKIE:
616 if (SUHOSIN7_G(max_cookie_array_depth) && SUHOSIN7_G(max_cookie_array_depth) < depth) { 580 if (SUHOSIN7_G(max_cookie_array_depth) && SUHOSIN7_G(max_cookie_array_depth) < depth) {
617 suhosin_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped variable '%s'", var); 581 suhosin_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped variable '%s'", var);
618 if (!SUHOSIN7_G(simulation)) { 582 if (!SUHOSIN7_G(simulation)) { return 0; }
619 return 0;
620 }
621 } 583 }
622 break; 584 break;
623 case PARSE_POST: 585 case PARSE_POST:
624 if (SUHOSIN7_G(max_post_array_depth) && SUHOSIN7_G(max_post_array_depth) < depth) { 586 if (SUHOSIN7_G(max_post_array_depth) && SUHOSIN7_G(max_post_array_depth) < depth) {
625 suhosin_log(S_VARS, "configured POST variable array depth limit exceeded - dropped variable '%s'", var); 587 suhosin_log(S_VARS, "configured POST variable array depth limit exceeded - dropped variable '%s'", var);
626 if (!SUHOSIN7_G(simulation)) { 588 if (!SUHOSIN7_G(simulation)) { return 0; }
627 return 0;
628 }
629 } 589 }
630 break; 590 break;
631 } 591 }
@@ -636,33 +596,25 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
636 596
637 if (SUHOSIN7_G(disallow_nul)) { 597 if (SUHOSIN7_G(disallow_nul)) {
638 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped variable '%s'", var); 598 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped variable '%s'", var);
639 if (!SUHOSIN7_G(simulation)) { 599 if (!SUHOSIN7_G(simulation)) { return 0; }
640 return 0;
641 }
642 } 600 }
643 switch (arg) { 601 switch (arg) {
644 case PARSE_GET: 602 case PARSE_GET:
645 if (SUHOSIN7_G(disallow_get_nul)) { 603 if (SUHOSIN7_G(disallow_get_nul)) {
646 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped variable '%s'", var); 604 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped variable '%s'", var);
647 if (!SUHOSIN7_G(simulation)) { 605 if (!SUHOSIN7_G(simulation)) { return 0; }
648 return 0;
649 }
650 } 606 }
651 break; 607 break;
652 case PARSE_COOKIE: 608 case PARSE_COOKIE:
653 if (SUHOSIN7_G(disallow_cookie_nul)) { 609 if (SUHOSIN7_G(disallow_cookie_nul)) {
654 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped variable '%s'", var); 610 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped variable '%s'", var);
655 if (!SUHOSIN7_G(simulation)) { 611 if (!SUHOSIN7_G(simulation)) { return 0; }
656 return 0;
657 }
658 } 612 }
659 break; 613 break;
660 case PARSE_POST: 614 case PARSE_POST:
661 if (SUHOSIN7_G(disallow_post_nul)) { 615 if (SUHOSIN7_G(disallow_post_nul)) {
662 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped variable '%s'", var); 616 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped variable '%s'", var);
663 if (!SUHOSIN7_G(simulation)) { 617 if (!SUHOSIN7_G(simulation)) { return 0; }
664 return 0;
665 }
666 } 618 }
667 break; 619 break;
668 } 620 }
@@ -672,9 +624,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len
672 /* This is to protect several silly scripts that do globalizing themself */ 624 /* This is to protect several silly scripts that do globalizing themself */
673 if (suhosin_is_protected_varname(var, var_len)) { 625 if (suhosin_is_protected_varname(var, var_len)) {
674 suhosin_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE"); 626 suhosin_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
675 if (!SUHOSIN7_G(simulation)) { 627 if (!SUHOSIN7_G(simulation)) { return 0; }
676 return 0;
677 }
678 } 628 }
679 629
680 /* Okay let PHP register this variable */ 630 /* Okay let PHP register this variable */
diff --git a/php_suhosin7.h b/php_suhosin7.h
index 9867759..8c10df9 100644
--- a/php_suhosin7.h
+++ b/php_suhosin7.h
@@ -51,8 +51,10 @@ extern zend_module_entry suhosin7_module_entry;
51#else 51#else
52 52
53#ifdef SUHOSIN7_DEBUG 53#ifdef SUHOSIN7_DEBUG
54// #define SDEBUG(msg...) \
55 // {FILE *f;f=fopen(SUHOSIN_LOG, "a+");if(f){fprintf(f,"[%u] ",getpid());fprintf(f, msg);fprintf(f,"\n");fclose(f);}}
54#define SDEBUG(msg...) \ 56#define SDEBUG(msg...) \
55 {FILE *f;f=fopen(SUHOSIN_LOG, "a+");if(f){fprintf(f,"[%u] ",getpid());fprintf(f, msg);fprintf(f,"\n");fclose(f);}} 57 {FILE *f;f=fopen(SUHOSIN_LOG, "a+");if(f){fprintf(f,"[%u] %s:%u %s #> ",getpid(), __FILE__, __LINE__, __func__);fprintf(f, msg);fprintf(f,"\n");fclose(f);}}
56#else 58#else
57#define SDEBUG(msg...) 59#define SDEBUG(msg...)
58#endif 60#endif
@@ -131,13 +133,16 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7)
131 // zend_bool stealth; 133 // zend_bool stealth;
132 zend_bool already_scanned; 134 zend_bool already_scanned;
133 zend_bool abort_request; 135 zend_bool abort_request;
134 // char *filter_action;
135 //
136 // 136 //
137
138 /* executor */
139 zend_ulong in_code_type;
137 // zend_bool executor_allow_symlink; 140 // zend_bool executor_allow_symlink;
138 // long max_execution_depth; 141 long execution_depth;
139 // long executor_include_max_traversal; 142 long max_execution_depth;
140 // zend_bool executor_include_allow_writable_files; 143 long executor_include_max_traversal;
144 zend_bool executor_include_allow_writable_files;
145 // char *filter_action;
141 146
142 147
143 HashTable *include_whitelist; 148 HashTable *include_whitelist;
@@ -148,8 +153,8 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7)
148 HashTable *eval_whitelist; 153 HashTable *eval_whitelist;
149 HashTable *eval_blacklist; 154 HashTable *eval_blacklist;
150 155
151 // zend_bool executor_disable_eval; 156 zend_bool executor_disable_eval;
152 // zend_bool executor_disable_emod; 157 zend_bool executor_disable_emod;
153 158
154 159
155/* request variables */ 160/* request variables */
@@ -365,10 +370,22 @@ ZEND_EXTERN_MODULE_GLOBALS(suhosin7)
365 370
366unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len, size_t *new_val_len); 371unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len, size_t *new_val_len);
367unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t val_len, size_t *new_val_len); 372unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t val_len, size_t *new_val_len);
368void suhosin_log(int loglevel, char *fmt, ...); 373PHP_SUHOSIN7_API void suhosin_log(int loglevel, char *fmt, ...);
369extern unsigned int (*old_input_filter)(int arg, char *var, char **val, size_t val_len, size_t *new_val_len); 374extern unsigned int (*old_input_filter)(int arg, char *var, char **val, size_t val_len, size_t *new_val_len);
370char *suhosin_getenv(char *name, size_t name_len); 375char *suhosin_getenv(char *name, size_t name_len);
371 376
377void suhosin_hook_memory_limit();
378void suhosin_hook_treat_data();
379void suhosin_hook_execute();
380void suhosin_hook_register_server_variables();
381
382static inline void suhosin_bailout(TSRMLS_D)
383{
384 if (!SUHOSIN7_G(simulation)) {
385 zend_bailout();
386 }
387}
388
372 389
373#endif /* PHP_SUHOSIN7_H */ 390#endif /* PHP_SUHOSIN7_H */
374 391
diff --git a/suhosin7.c b/suhosin7.c
index 872e431..b2484a3 100644
--- a/suhosin7.c
+++ b/suhosin7.c
@@ -273,7 +273,7 @@ PHP_INI_BEGIN()
273 STD_S7_INI_BOOLEAN("suhosin.log.file.time", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_file_time) 273 STD_S7_INI_BOOLEAN("suhosin.log.file.time", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_file_time)
274 // STD_S7_INI_BOOLEAN("suhosin.log.phpscript.is_safe", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_phpscript_is_safe) 274 // STD_S7_INI_BOOLEAN("suhosin.log.phpscript.is_safe", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_phpscript_is_safe)
275 275
276 // STD_S7_INI_ENTRY("suhosin.executor.include.max_traversal", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, executor_include_max_traversal) 276 STD_S7_INI_ENTRY("suhosin.executor.include.max_traversal", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, executor_include_max_traversal)
277 PHP_INI_ENTRY("suhosin.executor.include.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_whitelist) 277 PHP_INI_ENTRY("suhosin.executor.include.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_whitelist)
278 PHP_INI_ENTRY("suhosin.executor.include.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_blacklist) 278 PHP_INI_ENTRY("suhosin.executor.include.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_blacklist)
279 // STD_S7_INI_BOOLEAN("suhosin.executor.include.allow_writable_files", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_include_allow_writable_files) 279 // STD_S7_INI_BOOLEAN("suhosin.executor.include.allow_writable_files", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_include_allow_writable_files)
@@ -285,7 +285,7 @@ PHP_INI_BEGIN()
285 // STD_S7_INI_BOOLEAN("suhosin.executor.disable_emodifier", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_emod) 285 // STD_S7_INI_BOOLEAN("suhosin.executor.disable_emodifier", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_emod)
286 // 286 //
287 // STD_S7_INI_BOOLEAN("suhosin.executor.allow_symlink", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_allow_symlink) 287 // STD_S7_INI_BOOLEAN("suhosin.executor.allow_symlink", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_allow_symlink)
288 // STD_S7_INI_ENTRY("suhosin.executor.max_depth", "750", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, max_execution_depth) 288 STD_S7_INI_ENTRY("suhosin.executor.max_depth", "750", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, max_execution_depth)
289 // 289 //
290 // 290 //
291 // STD_S7_INI_BOOLEAN("suhosin.multiheader", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, allow_multiheader) 291 // STD_S7_INI_BOOLEAN("suhosin.multiheader", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, allow_multiheader)
@@ -302,43 +302,43 @@ PHP_INI_BEGIN()
302 302
303 303
304 // 304 //
305 // STD_S7_INI_ENTRY("suhosin.request.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_request_variables) 305 STD_S7_INI_ENTRY("suhosin.request.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_request_variables)
306 // STD_S7_INI_ENTRY("suhosin.request.max_varname_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_varname_length) 306 STD_S7_INI_ENTRY("suhosin.request.max_varname_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_varname_length)
307 // STD_S7_INI_ENTRY("suhosin.request.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_value_length) 307 STD_S7_INI_ENTRY("suhosin.request.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_value_length)
308 // STD_S7_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth) 308 STD_S7_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth)
309 // STD_S7_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length) 309 STD_S7_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length)
310 // STD_S7_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length) 310 STD_S7_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length)
311 // STD_S7_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_whitelist) 311 STD_S7_INI_ENTRY("suhosin.request.array_index_char_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_whitelist)
312 // STD_S7_INI_ENTRY("suhosin.request.array_index_blacklist", "'\"+<>;()", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_blacklist) 312 STD_S7_INI_ENTRY("suhosin.request.array_index_char_blacklist", "'\"+<>;()", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_blacklist)
313 // STD_S7_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul) 313 STD_S7_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul)
314 // STD_S7_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws) 314 STD_S7_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_ws)
315 // 315 //
316 // STD_S7_INI_ENTRY("suhosin.cookie.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_vars) 316 STD_S7_INI_ENTRY("suhosin.cookie.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_vars)
317 // STD_S7_INI_ENTRY("suhosin.cookie.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_name_length) 317 STD_S7_INI_ENTRY("suhosin.cookie.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_name_length)
318 // STD_S7_INI_ENTRY("suhosin.cookie.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_totalname_length) 318 STD_S7_INI_ENTRY("suhosin.cookie.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_totalname_length)
319 // STD_S7_INI_ENTRY("suhosin.cookie.max_value_length", "10000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_value_length) 319 STD_S7_INI_ENTRY("suhosin.cookie.max_value_length", "10000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_value_length)
320 // STD_S7_INI_ENTRY("suhosin.cookie.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_depth) 320 STD_S7_INI_ENTRY("suhosin.cookie.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_depth)
321 // STD_S7_INI_ENTRY("suhosin.cookie.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_index_length) 321 STD_S7_INI_ENTRY("suhosin.cookie.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_index_length)
322 // STD_S7_INI_ENTRY("suhosin.cookie.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_nul) 322 STD_S7_INI_ENTRY("suhosin.cookie.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_nul)
323 // STD_S7_INI_ENTRY("suhosin.cookie.disallow_ws", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_ws) 323 STD_S7_INI_ENTRY("suhosin.cookie.disallow_ws", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_ws)
324 // 324 //
325 // STD_S7_INI_ENTRY("suhosin.get.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_vars) 325 STD_S7_INI_ENTRY("suhosin.get.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_vars)
326 // STD_S7_INI_ENTRY("suhosin.get.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_name_length) 326 STD_S7_INI_ENTRY("suhosin.get.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_name_length)
327 // STD_S7_INI_ENTRY("suhosin.get.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_totalname_length) 327 STD_S7_INI_ENTRY("suhosin.get.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_totalname_length)
328 // STD_S7_INI_ENTRY("suhosin.get.max_value_length", "512", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_value_length) 328 STD_S7_INI_ENTRY("suhosin.get.max_value_length", "512", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_value_length)
329 // STD_S7_INI_ENTRY("suhosin.get.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_depth) 329 STD_S7_INI_ENTRY("suhosin.get.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_depth)
330 // STD_S7_INI_ENTRY("suhosin.get.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_index_length) 330 STD_S7_INI_ENTRY("suhosin.get.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_index_length)
331 // STD_S7_INI_ENTRY("suhosin.get.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_nul) 331 STD_S7_INI_ENTRY("suhosin.get.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_nul)
332 // STD_S7_INI_ENTRY("suhosin.get.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_ws) 332 STD_S7_INI_ENTRY("suhosin.get.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_ws)
333 // 333 //
334 // STD_S7_INI_ENTRY("suhosin.post.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_vars) 334 STD_S7_INI_ENTRY("suhosin.post.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_vars)
335 // STD_S7_INI_ENTRY("suhosin.post.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_name_length) 335 STD_S7_INI_ENTRY("suhosin.post.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_name_length)
336 // STD_S7_INI_ENTRY("suhosin.post.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_totalname_length) 336 STD_S7_INI_ENTRY("suhosin.post.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_totalname_length)
337 // STD_S7_INI_ENTRY("suhosin.post.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_value_length) 337 STD_S7_INI_ENTRY("suhosin.post.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_value_length)
338 // STD_S7_INI_ENTRY("suhosin.post.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_depth) 338 STD_S7_INI_ENTRY("suhosin.post.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_depth)
339 // STD_S7_INI_ENTRY("suhosin.post.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_index_length) 339 STD_S7_INI_ENTRY("suhosin.post.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_index_length)
340 // STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul) 340 STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul)
341 // STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws) 341 STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws)
342 // 342 //
343 // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) 343 // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit)
344 // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) 344 // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines)
@@ -385,8 +385,8 @@ PHP_INI_BEGIN()
385 PHP_INI_ENTRY("suhosin.cookie.cryptlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_cryptlist) 385 PHP_INI_ENTRY("suhosin.cookie.cryptlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_cryptlist)
386 PHP_INI_ENTRY("suhosin.cookie.plainlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_plainlist) 386 PHP_INI_ENTRY("suhosin.cookie.plainlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_plainlist)
387 // 387 //
388 // STD_S7_INI_BOOLEAN("suhosin.server.encode", "1", PHP_INI_SYSTEM, OnUpdateBool, server_encode) 388 STD_S7_INI_BOOLEAN("suhosin.server.encode", "1", PHP_INI_SYSTEM, OnUpdateBool, server_encode)
389 // STD_S7_INI_BOOLEAN("suhosin.server.strip", "1", PHP_INI_SYSTEM, OnUpdateBool, server_strip) 389 STD_S7_INI_BOOLEAN("suhosin.server.strip", "1", PHP_INI_SYSTEM, OnUpdateBool, server_strip)
390 // 390 //
391 // STD_S7_INI_ENTRY("suhosin.rand.seedingkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, seedingkey) 391 // STD_S7_INI_ENTRY("suhosin.rand.seedingkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, seedingkey)
392 // STD_S7_INI_BOOLEAN("suhosin.rand.reseed_every_request", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscBool, reseed_every_request) 392 // STD_S7_INI_BOOLEAN("suhosin.rand.reseed_every_request", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscBool, reseed_every_request)
@@ -442,22 +442,32 @@ PHP_MINIT_FUNCTION(suhosin7)
442 SDEBUG("(MINIT)"); 442 SDEBUG("(MINIT)");
443 ZEND_INIT_MODULE_GLOBALS(suhosin7, php_suhosin7_init_globals, NULL); 443 ZEND_INIT_MODULE_GLOBALS(suhosin7, php_suhosin7_init_globals, NULL);
444 444
445 /* only register constants if they have not previously been registered by a patched PHP */ 445 REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
446 // if (zend_hash_str_exists(EG(zend_constants), "S_MEMORY", sizeof("S_MEMORY"))==0) { 446 REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
447 REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS); 447 REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
448 REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS); 448 REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
449 REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS); 449 REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
450 REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS); 450 REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
451 REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS); 451 REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS);
452 REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS); 452 REGISTER_MAIN_LONG_CONSTANT("S_SESSION", S_SESSION, CONST_PERSISTENT | CONST_CS);
453 REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS); 453 REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
454 REGISTER_MAIN_LONG_CONSTANT("S_SESSION", S_SESSION, CONST_PERSISTENT | CONST_CS); 454 REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
455 REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS); 455 REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
456 REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
457 REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
458 // }
459 456
460 REGISTER_INI_ENTRIES(); 457 REGISTER_INI_ENTRIES();
458
459#if !defined(HAVE_PHP_SESSION) && !defined(SUHOSIN_NO_SESSION_WARNING)
460 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Suhosin was compiled without session support, which is probably not what you want. All session related features will not be available, e.g. session encryption. If session support is really not needed, recompile Suhosin with -DSUHOSIN_NO_SESSION_WARNING=1 to suppress this warning.");
461#endif
462
463 // TODO: stealth loading
464
465 // hooks
466 // suhosin_hook_memory_limit();
467 suhosin_hook_treat_data();
468 suhosin_hook_execute();
469 suhosin_hook_register_server_variables();
470
461 return SUCCESS; 471 return SUCCESS;
462} 472}
463/* }}} */ 473/* }}} */
diff --git a/treat_data.c b/treat_data.c
index dc31b17..1c41e85 100644
--- a/treat_data.c
+++ b/treat_data.c
@@ -41,7 +41,7 @@ SAPI_TREAT_DATA_FUNC(suhosin_treat_data)
41 zend_long count = 0; 41 zend_long count = 0;
42 42
43 /* Mark that we were not yet called */ 43 /* Mark that we were not yet called */
44 SUHOSIN7_G(already_scanned) = 0; 44 // SUHOSIN7_G(already_scanned) = 0;
45 45
46 ZVAL_UNDEF(&array); 46 ZVAL_UNDEF(&array);
47 switch (arg) { 47 switch (arg) {