summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--config.m42
-rw-r--r--execute.c700
-rw-r--r--execute.h21
-rw-r--r--execute_ih.c495
-rw-r--r--execute_rnd.c (renamed from execute_rnd.inc.c)0
-rw-r--r--header.c4
-rw-r--r--log.c28
-rw-r--r--php_suhosin7.h2
-rw-r--r--suhosin7.c2
9 files changed, 658 insertions, 596 deletions
diff --git a/config.m4 b/config.m4
index 65b0c83..6b78024 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin7, whether to enable suhosin support,
5[ --enable-suhosin7 Enable suhosin support]) 5[ --enable-suhosin7 Enable suhosin support])
6 6
7if test "$PHP_SUHOSIN7" != "no"; then 7if test "$PHP_SUHOSIN7" != "no"; then
8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c crypt.c cookiecrypt.c header.c, $ext_shared,, -DZEND_ENABLE_STATIC_ACHE=1) 8 PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c crypt.c cookiecrypt.c header.c, $ext_shared,, -DZEND_ENABLE_STATIC_ACHE=1)
9 PHP_ADD_EXTENSION_DEP(suhosin7, hash) 9 PHP_ADD_EXTENSION_DEP(suhosin7, hash)
10fi 10fi
11 11
diff --git a/execute.c b/execute.c
index 0e569e0..4a6e279 100644
--- a/execute.c
+++ b/execute.c
@@ -23,29 +23,30 @@
23#include "config.h" 23#include "config.h"
24#endif 24#endif
25 25
26#include <fcntl.h> 26// #include <fcntl.h>
27#include "php.h" 27#include "php.h"
28#include "php_ini.h" 28// #include "php_ini.h"
29#include "zend_hash.h" 29// #include "zend_hash.h"
30#include "zend_extensions.h" 30#include "zend_extensions.h"
31#include "ext/standard/info.h" 31// #include "ext/standard/info.h"
32#include "ext/standard/php_rand.h" 32// #include "ext/standard/php_rand.h"
33#include "ext/standard/php_lcg.h" 33// #include "ext/standard/php_lcg.h"
34#include "php_suhosin7.h" 34#include "php_suhosin7.h"
35#include "zend_compile.h" 35// #include "zend_compile.h"
36#include "zend_llist.h" 36// #include "zend_llist.h"
37#include "SAPI.h" 37#include "SAPI.h"
38#include "execute.h"
38 39
39#include "sha256.h" 40// #include "sha256.h"
40 41
41#ifdef PHP_WIN32 42#ifdef PHP_WIN32
42# include "win32/fnmatch.h" 43// # include "win32/fnmatch.h"
43# include "win32/winutil.h" 44# include "win32/winutil.h"
44# include "win32/time.h" 45# include "win32/time.h"
45#else 46#else
46# ifdef HAVE_FNMATCH 47// # ifdef HAVE_FNMATCH
47# include <fnmatch.h> 48// # include <fnmatch.h>
48# endif 49// # endif
49# include <sys/time.h> 50# include <sys/time.h>
50#endif 51#endif
51 52
@@ -86,7 +87,7 @@ conts:
86#define SUHOSIN_CODE_TYPE_UNKNOWN 0 87#define SUHOSIN_CODE_TYPE_UNKNOWN 0
87#define SUHOSIN_CODE_TYPE_COMMANDLINE 1 88#define SUHOSIN_CODE_TYPE_COMMANDLINE 1
88#define SUHOSIN_CODE_TYPE_EVAL 2 89#define SUHOSIN_CODE_TYPE_EVAL 2
89#define SUHOSIN_CODE_TYPE_REGEXP 3 90// #define SUHOSIN_CODE_TYPE_REGEXP 3
90#define SUHOSIN_CODE_TYPE_ASSERT 4 91#define SUHOSIN_CODE_TYPE_ASSERT 4
91#define SUHOSIN_CODE_TYPE_CFUNC 5 92#define SUHOSIN_CODE_TYPE_CFUNC 5
92#define SUHOSIN_CODE_TYPE_SUHOSIN 6 93#define SUHOSIN_CODE_TYPE_SUHOSIN 6
@@ -98,7 +99,7 @@ conts:
98#define SUHOSIN_CODE_TYPE_BADFILE 12 99#define SUHOSIN_CODE_TYPE_BADFILE 12
99#define SUHOSIN_CODE_TYPE_LONGNAME 13 100#define SUHOSIN_CODE_TYPE_LONGNAME 13
100#define SUHOSIN_CODE_TYPE_MANYDOTS 14 101#define SUHOSIN_CODE_TYPE_MANYDOTS 14
101#define SUHOSIN_CODE_TYPE_WRITABLE 15 102#define SUHOSIN_CODE_TYPE_WRITABLE 15
102#define SUHOSIN_CODE_TYPE_MBREGEXP 16 103#define SUHOSIN_CODE_TYPE_MBREGEXP 16
103 104
104static int suhosin_check_filename(char *s, int len) 105static int suhosin_check_filename(char *s, int len)
@@ -315,9 +316,9 @@ static int suhosin_detect_codetype(zend_op_array *op_array)
315 return SUHOSIN_CODE_TYPE_EVAL; 316 return SUHOSIN_CODE_TYPE_EVAL;
316 } 317 }
317 318
318 if (strstr(s, "regexp code") != NULL) { 319 // if (strstr(s, "regexp code") != NULL) {
319 return SUHOSIN_CODE_TYPE_REGEXP; 320 // return SUHOSIN_CODE_TYPE_REGEXP;
320 } 321 // }
321 322
322 if (strstr(s, "mbregex replace") != NULL) { 323 if (strstr(s, "mbregex replace") != NULL) {
323 return SUHOSIN_CODE_TYPE_MBREGEXP; 324 return SUHOSIN_CODE_TYPE_MBREGEXP;
@@ -519,18 +520,23 @@ not_evaled_code:
519 } 520 }
520 break; 521 break;
521 522
522 case SUHOSIN_CODE_TYPE_REGEXP: 523 // case SUHOSIN_CODE_TYPE_REGEXP:
524 // if (SUHOSIN7_G(executor_disable_emod)) {
525 // suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration");
526 // if (!SUHOSIN7_G(simulation)) {
527 // zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration");
528 // }
529 // }
530 // break;
531
532 case SUHOSIN_CODE_TYPE_MBREGEXP:
523 if (SUHOSIN7_G(executor_disable_emod)) { 533 if (SUHOSIN7_G(executor_disable_emod)) {
524 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of preg_replace() with /e modifier is forbidden by configuration"); 534 suhosin_log(S_EXECUTOR|S_GETCALLER, "use of /e modifier in replace function is forbidden by configuration");
525 if (!SUHOSIN7_G(simulation)) { 535 if (!SUHOSIN7_G(simulation)) {
526 zend_error(E_ERROR, "SUHOSIN - Use of preg_replace() with /e modifier is forbidden by configuration"); 536 zend_error(E_ERROR, "SUHOSIN - Use of /e modifier in replace function is forbidden by configuration");
527 } 537 }
528 } 538 }
529 break; 539 break;
530
531 case SUHOSIN_CODE_TYPE_MBREGEXP:
532 /* XXX TODO: Do we want to disallow this, too? */
533 break;
534 540
535 case SUHOSIN_CODE_TYPE_ASSERT: 541 case SUHOSIN_CODE_TYPE_ASSERT:
536 break; 542 break;
@@ -603,499 +609,16 @@ continue_execution:
603/* }}} */ 609/* }}} */
604 610
605 611
606#define IH_HANDLER_PARAMS_REST int ht, zval *return_value
607#define IH_HANDLER_PARAMS internal_function_handler *ih, IH_HANDLER_PARAMS_REST
608#define IH_HANDLER_PARAM_PASSTHRU ih, ht, return_value
609
610
611HashTable ihandler_table;
612 612
613typedef struct _internal_function_handler { 613// ----------------------------------------------------------------------------
614 614
615 char *name; 615static HashTable ihandler_table;
616 int (*handler)(struct _internal_function_handler *ih, IH_HANDLER_PARAMS_REST);
617 void *arg1;
618 void *arg2;
619 void *arg3;
620 616
621} internal_function_handler;
622
623// int ih_preg_replace(IH_HANDLER_PARAMS)
624// {
625// zval **regex,
626// **replace,
627// **subject,
628// **limit, **zcount;
629//
630// if (zend_parse_parameters(ZEND_NUM_ARGS(), "ZZZ|ZZ", &regex, &replace, &subject, &limit, &zcount) == FAILURE) {
631// return(0);
632// }
633//
634// if (Z_TYPE_PP(regex) == IS_ARRAY) {
635// zval **regex_entry;
636//
637// zend_hash_internal_pointer_reset(Z_ARRVAL_PP(regex));
638// /* For each entry in the regex array, get the entry */
639// while (zend_hash_get_current_data(Z_ARRVAL_PP(regex), (void **)&regex_entry) == SUCCESS) {
640//
641// if (Z_TYPE_PP(regex_entry) == IS_STRING) {
642// if (strlen(Z_STRVAL_PP(regex_entry)) != Z_STRLEN_PP(regex_entry)) {
643// suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
644// if (!SUHOSIN7_G(simulation)) {
645// RETVAL_FALSE;
646// return (1);
647// }
648// }
649// }
650//
651// zend_hash_move_forward(Z_ARRVAL_PP(regex));
652//
653// }
654//
655// } else if (Z_TYPE_PP(regex) == IS_STRING) {
656// if (strlen(Z_STRVAL_PP(regex)) != Z_STRLEN_PP(regex)) {
657// suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
658// if (!SUHOSIN7_G(simulation)) {
659// RETVAL_FALSE;
660// return (1);
661// }
662// }
663// }
664//
665// return (0);
666// }
667 617
668// int ih_symlink(IH_HANDLER_PARAMS)
669// {
670// if (SUHOSIN7_G(executor_allow_symlink)) {
671// return (0);
672// }
673//
674// if (PG(open_basedir) && PG(open_basedir)[0]) {
675// suhosin_log(S_EXECUTOR, "symlink called during open_basedir");
676// if (!SUHOSIN7_G(simulation)) {
677// RETVAL_FALSE;
678// return (1);
679// }
680// }
681//
682// return (0);
683// }
684 618
685// int ih_mail(IH_HANDLER_PARAMS) 619static suhosin_internal_function_handler ihandlers[] = {
686// { 620 S7_IH_ENTRY0i(preg_replace)
687// char *to=NULL, *message=NULL, *headers=NULL;
688// char *subject=NULL, *extra_cmd=NULL;
689// char *tmp;
690// int to_len, message_len, headers_len;
691// int subject_len, extra_cmd_len;
692//
693// if (SUHOSIN7_G(mailprotect) == 0) {
694// return (0);
695// }
696//
697// if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|ss",
698// &to, &to_len,
699// &subject, &subject_len,
700// &message, &message_len,
701// &headers, &headers_len,
702// &extra_cmd, &extra_cmd_len
703// ) == FAILURE) {
704// RETVAL_FALSE;
705// return (1);
706// }
707//
708// if (headers_len > 0 && headers &&
709// (strstr(headers, "\n\n") || strstr(headers, "\n\r\n") /* double newline */
710// || *headers == '\n' || (headers[0] == '\r' && headers[1] == '\n') /* starts with newline */
711// )) {
712// suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
713// if (!SUHOSIN7_G(simulation)) {
714// RETVAL_FALSE;
715// return (1);
716// }
717// }
718//
719// /* check for spam attempts with buggy webforms */
720// if (to_len > 0 && to) {
721// do {
722// if ((tmp = strchr(to, '\n')) == NULL)
723// tmp = strchr(to, '\r');
724// if (tmp == NULL) break;
725// to = tmp + 1;
726// if (!isspace(*to)) break;
727// } while (1);
728// if (tmp != NULL) {
729// suhosin_log(S_MAIL, "mail() - newline in To header, possible injection, mail dropped");
730// if (!SUHOSIN7_G(simulation)) {
731// RETVAL_FALSE;
732// return (1);
733// }
734// }
735// }
736//
737// if (subject_len > 0 && subject) {
738// do {
739// if ((tmp = strchr(subject, '\n')) == NULL)
740// tmp = strchr(subject, '\r');
741// if (tmp == NULL) break;
742// subject = tmp + 1;
743// if (!isspace(*subject)) break;
744// } while (1);
745// if (tmp != NULL) {
746// suhosin_log(S_MAIL, "mail() - newline in Subject header, possible injection, mail dropped");
747// if (!SUHOSIN7_G(simulation)) {
748// RETVAL_FALSE;
749// return (1);
750// }
751// }
752// }
753//
754// if (SUHOSIN7_G(mailprotect) > 1) {
755// /* search for to, cc or bcc headers */
756// if (headers_len > 0 && headers != NULL) {
757// if (strncasecmp(headers, "to:", sizeof("to:") - 1) == 0 || suhosin_strcasestr(headers, "\nto:")) {
758// suhosin_log(S_MAIL, "mail() - To: headers aren't allowed in the headers parameter.");
759// if (!SUHOSIN7_G(simulation)) {
760// RETVAL_FALSE;
761// return (1);
762// }
763// }
764//
765// if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || suhosin_strcasestr(headers, "\ncc:")) {
766// suhosin_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter.");
767// if (!SUHOSIN7_G(simulation)) {
768// RETVAL_FALSE;
769// return (1);
770// }
771// }
772//
773// if (strncasecmp(headers, "bcc:", sizeof("bcc:") - 1) == 0 || suhosin_strcasestr(headers, "\nbcc:")) {
774// suhosin_log(S_MAIL, "mail() - BCC: headers aren't allowed in the headers parameter.");
775// if (!SUHOSIN7_G(simulation)) {
776// RETVAL_FALSE;
777// return (1);
778// }
779// }
780// }
781// }
782//
783// return (0);
784// }
785 621
786// #define SQLSTATE_SQL 0
787// #define SQLSTATE_IDENTIFIER 1
788// #define SQLSTATE_STRING 2
789// #define SQLSTATE_COMMENT 3
790// #define SQLSTATE_MLCOMMENT 4
791//
792// int ih_querycheck(IH_HANDLER_PARAMS)
793// {
794// void **p = zend_vm_stack_top() - 1;
795// unsigned long arg_count;
796// zval **arg;
797// char *query, *s, *e;
798// zval *backup;
799// int len;
800// char quote;
801// int state = SQLSTATE_SQL;
802// int cnt_union = 0, cnt_select = 0, cnt_comment = 0, cnt_opencomment = 0;
803// int mysql_extension = 0;
804//
805//
806// SDEBUG("function: %s", ih->name);
807// arg_count = (unsigned long) *p;
808//
809// if (ht < (long) ih->arg1) {
810// return (0);
811// }
812//
813// if ((long) ih->arg2) {
814// mysql_extension = 1;
815// }
816//
817// arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
818//
819// backup = *arg;
820// if (Z_TYPE_P(backup) != IS_STRING) {
821// return (0);
822// }
823// len = Z_STRLEN_P(backup);
824// query = Z_STRVAL_P(backup);
825// SDEBUG("SQL |%s|", query);
826//
827// s = query;
828// e = s+len;
829//
830// while (s < e) {
831// switch (state)
832// {
833// case SQLSTATE_SQL:
834// switch (s[0])
835// {
836// case '`':
837// state = SQLSTATE_IDENTIFIER;
838// quote = '`';
839// break;
840// case '\'':
841// case '"':
842// state = SQLSTATE_STRING;
843// quote = *s;
844// break;
845// case '/':
846// if (s[1]=='*') {
847// if (mysql_extension == 1 && s[2] == '!') {
848// s += 2;
849// break;
850// }
851// s++;
852// state = SQLSTATE_MLCOMMENT;
853// cnt_comment++;
854// }
855// break;
856// case '-':
857// if (s[1]=='-') {
858// s++;
859// state = SQLSTATE_COMMENT;
860// cnt_comment++;
861// }
862// break;
863// case '#':
864// state = SQLSTATE_COMMENT;
865// cnt_comment++;
866// break;
867// case 'u':
868// case 'U':
869// if (strncasecmp("union", s, 5)==0) {
870// s += 4;
871// cnt_union++;
872// }
873// break;
874// case 's':
875// case 'S':
876// if (strncasecmp("select", s, 6)==0) {
877// s += 5;
878// cnt_select++;
879// }
880// break;
881// }
882// break;
883// case SQLSTATE_STRING:
884// case SQLSTATE_IDENTIFIER:
885// if (s[0] == quote) {
886// if (s[1] == quote) {
887// s++;
888// } else {
889// state = SQLSTATE_SQL;
890// }
891// }
892// if (s[0] == '\\') {
893// s++;
894// }
895// break;
896// case SQLSTATE_COMMENT:
897// while (s[0] && s[0] != '\n') {
898// s++;
899// }
900// state = SQLSTATE_SQL;
901// break;
902// case SQLSTATE_MLCOMMENT:
903// while (s[0] && (s[0] != '*' || s[1] != '/')) {
904// s++;
905// }
906// if (s[0]) {
907// state = SQLSTATE_SQL;
908// }
909// break;
910// }
911// s++;
912// }
913// if (state == SQLSTATE_MLCOMMENT) {
914// cnt_opencomment = 1;
915// }
916//
917// if (cnt_opencomment && SUHOSIN7_G(sql_opencomment)>0) {
918// suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query);
919// if (SUHOSIN7_G(sql_opencomment)>1) {
920// suhosin_bailout();
921// }
922// }
923//
924// if (cnt_comment && SUHOSIN7_G(sql_comment)>0) {
925// suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query);
926// if (SUHOSIN7_G(sql_comment)>1) {
927// suhosin_bailout();
928// }
929// }
930//
931// if (cnt_union && SUHOSIN7_G(sql_union)>0) {
932// suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query);
933// if (SUHOSIN7_G(sql_union)>1) {
934// suhosin_bailout();
935// }
936// }
937//
938// if (cnt_select>1 && SUHOSIN7_G(sql_mselect)>0) {
939// suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query);
940// if (SUHOSIN7_G(sql_mselect)>1) {
941// suhosin_bailout();
942// }
943// }
944//
945// return (0);
946// }
947//
948//
949// int ih_fixusername(IH_HANDLER_PARAMS)
950// {
951// void **p = zend_vm_stack_top() - 1;
952// unsigned long arg_count;
953// zval **arg;
954// char *prefix, *postfix, *user, *user_match, *cp;
955// zval *backup, *my_user;
956// int prefix_len, postfix_len, len;
957//
958// SDEBUG("function (fixusername): %s", ih->name);
959//
960// prefix = SUHOSIN7_G(sql_user_prefix);
961// postfix = SUHOSIN7_G(sql_user_postfix);
962// user_match = SUHOSIN7_G(sql_user_match);
963//
964// arg_count = (unsigned long) *p;
965//
966// if (ht < (long) ih->arg1) {
967// return (0);
968// }
969//
970// arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
971//
972// backup = *arg;
973// if (Z_TYPE_P(backup) != IS_STRING) {
974// user = "";
975// len = 0;
976// } else {
977// len = Z_STRLEN_P(backup);
978// user = Z_STRVAL_P(backup);
979// }
980//
981// cp = user;
982// while (cp < user+len) {
983// if (*cp < 32) {
984// suhosin_log(S_SQL, "SQL username contains invalid characters");
985// if (!SUHOSIN7_G(simulation)) {
986// RETVAL_FALSE;
987// return (1);
988// }
989// break;
990// }
991// cp++;
992// }
993//
994// if ((prefix != NULL && prefix[0]) || (postfix != NULL && postfix[0])) {
995// if (prefix == NULL) {
996// prefix = "";
997// }
998// if (postfix == NULL) {
999// postfix = "";
1000// }
1001// prefix_len = strlen(prefix);
1002// postfix_len = strlen(postfix);
1003//
1004// MAKE_STD_ZVAL(my_user);
1005// my_user->type = IS_STRING;
1006// my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix);
1007//
1008// /* XXX: memory_leak? */
1009// *arg = my_user;
1010//
1011// len = Z_STRLEN_P(my_user);
1012// user = Z_STRVAL_P(my_user);
1013// }
1014//
1015// if (user_match && user_match[0]) {
1016// #ifdef HAVE_FNMATCH
1017// if (fnmatch(user_match, user, 0) != 0) {
1018// suhosin_log(S_SQL, "SQL username ('%s') does not match suhosin.sql.user_match ('%s')", user, user_match);
1019// if (!SUHOSIN7_G(simulation)) {
1020// RETVAL_FALSE;
1021// return (1);
1022// }
1023// }
1024// #else
1025// #warning no support for fnmatch() - setting suhosin.sql.user_match will always fail.
1026// suhosin_log(S_SQL, "suhosin.sql.user_match specified, but system does not support fnmatch()");
1027// if (!SUHOSIN7_G(simulation)) {
1028// RETVAL_FALSE;
1029// return (1);
1030// }
1031// #endif
1032// }
1033//
1034// SDEBUG("function: %s - user: %s", ih->name, user);
1035//
1036// return (0);
1037// }
1038//
1039//
1040// static int ih_function_exists(IH_HANDLER_PARAMS)
1041// {
1042// zval **function_name;
1043// zend_function *func;
1044// char *lcname;
1045// zend_bool retval;
1046// int func_name_len;
1047//
1048// if (ZEND_NUM_ARGS()!=1 || zend_get_parameters_ex(1, &function_name)==FAILURE) {
1049// ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1);
1050// }
1051// convert_to_string_ex(function_name);
1052// func_name_len = Z_STRLEN_PP(function_name);
1053// lcname = estrndup(Z_STRVAL_PP(function_name), func_name_len);
1054// zend_str_tolower(lcname, func_name_len);
1055//
1056// retval = (zend_hash_find(EG(function_table), lcname, func_name_len+1, (void **)&func) == SUCCESS);
1057//
1058// /*
1059// * A bit of a hack, but not a bad one: we see if the handler of the function
1060// * is actually one that displays "function is disabled" message.
1061// */
1062// if (retval && func->type == ZEND_INTERNAL_FUNCTION &&
1063// func->internal_function.handler == zif_display_disabled_function) {
1064// retval = 0;
1065// }
1066//
1067// /* Now check if function is forbidden by Suhosin */
1068// if (SUHOSIN7_G(in_code_type) == SUHOSIN_EVAL) {
1069// if (SUHOSIN7_G(eval_whitelist) != NULL) {
1070// if (!zend_hash_exists(SUHOSIN7_G(eval_whitelist), lcname, func_name_len+1)) {
1071// retval = 0;
1072// }
1073// } else if (SUHOSIN7_G(eval_blacklist) != NULL) {
1074// if (zend_hash_exists(SUHOSIN7_G(eval_blacklist), lcname, func_name_len+1)) {
1075// retval = 0;
1076// }
1077// }
1078// }
1079//
1080// if (SUHOSIN7_G(func_whitelist) != NULL) {
1081// if (!zend_hash_exists(SUHOSIN7_G(func_whitelist), lcname, func_name_len+1)) {
1082// retval = 0;
1083// }
1084// } else if (SUHOSIN7_G(func_blacklist) != NULL) {
1085// if (zend_hash_exists(SUHOSIN7_G(func_blacklist), lcname, func_name_len+1)) {
1086// retval = 0;
1087// }
1088// }
1089//
1090// efree(lcname);
1091//
1092// RETVAL_BOOL(retval);
1093// return (1);
1094// }
1095
1096// #include "execute_rnd.inc.c"
1097
1098internal_function_handler ihandlers[] = {
1099 // { "preg_replace", ih_preg_replace, NULL, NULL, NULL }, 622 // { "preg_replace", ih_preg_replace, NULL, NULL, NULL },
1100 // { "mail", ih_mail, NULL, NULL, NULL }, 623 // { "mail", ih_mail, NULL, NULL, NULL },
1101 // { "symlink", ih_symlink, NULL, NULL, NULL }, 624 // { "symlink", ih_symlink, NULL, NULL, NULL },
@@ -1139,7 +662,7 @@ internal_function_handler ihandlers[] = {
1139 // { "mysql_db_query", ih_querycheck, (void *)2, (void *)1, NULL }, 662 // { "mysql_db_query", ih_querycheck, (void *)2, (void *)1, NULL },
1140 // { "mysql_unbuffered_query", ih_querycheck, (void *)1, (void *)1, NULL }, 663 // { "mysql_unbuffered_query", ih_querycheck, (void *)1, (void *)1, NULL },
1141 664
1142#ifdef SUHOSIN_EXPERIMENTAL 665#ifdef SUHOSIN7_EXPERIMENTAL
1143 /* MaxDB */ 666 /* MaxDB */
1144 // { "maxdb::maxdb", ih_fixusername, (void *)2, NULL, NULL }, 667 // { "maxdb::maxdb", ih_fixusername, (void *)2, NULL, NULL },
1145 // { "maxdb_connect", ih_fixusername, (void *)2, NULL, NULL }, 668 // { "maxdb_connect", ih_fixusername, (void *)2, NULL, NULL },
@@ -1198,8 +721,8 @@ internal_function_handler ihandlers[] = {
1198 { NULL, NULL, NULL, NULL, NULL } 721 { NULL, NULL, NULL, NULL, NULL }
1199}; 722};
1200 723
1201#define FUNCTION_WARNING() zend_error(E_WARNING, "%s() has been disabled for security reasons", suhosin_get_active_function_name()); 724#define FUNCTION_WARNING(fname) zend_error(E_WARNING, "%s() has been disabled for security reasons", (fname));
1202#define FUNCTION_SIMULATE_WARNING() zend_error(E_WARNING, "SIMULATION - %s() has been disabled for security reasons", suhosin_get_active_function_name()); 725#define FUNCTION_SIMULATE_WARNING(fname) zend_error(E_WARNING, "SIMULATION - %s() has been disabled for security reasons", (fname));
1203 726
1204/* {{{ void suhosin_execute_internal 727/* {{{ void suhosin_execute_internal
1205 * This function provides a hook for internal execution */ 728 * This function provides a hook for internal execution */
@@ -1208,10 +731,28 @@ internal_function_handler ihandlers[] = {
1208 731
1209ZEND_API static void suhosin_execute_internal(zend_execute_data *execute_data, zval *return_value) 732ZEND_API static void suhosin_execute_internal(zend_execute_data *execute_data, zval *return_value)
1210{ 733{
734 if (execute_data == NULL) {
735 // if (EG(current_execute_data) != NULL) {
736 // execute_data = EG(current_execute_data);
737 // }
738 suhosin_log(S_EXECUTOR|S_GETCALLER, "execution without data. something is wrong.");
739 suhosin_bailout();
740 return;
741 }
742
743 zend_function *func = execute_data->func;
744 if (func == NULL) {
745 suhosin_log(S_EXECUTOR|S_GETCALLER, "execution without function context. something is wrong.");
746 suhosin_bailout();
747 }
748
749
1211 // zval *return_value; 750 // zval *return_value;
1212 // zval **return_value_ptr; 751 // zval **return_value_ptr;
1213 // zval *this_ptr; 752 // zval *this_ptr;
1214 int ht = 0; 753 int ht = 0;
754 int retval = SUCCESS;
755
1215 756
1216 // if (fci) { 757 // if (fci) {
1217 // return_value = *fci->retval_ptr_ptr; 758 // return_value = *fci->retval_ptr_ptr;
@@ -1249,32 +790,35 @@ ZEND_API static void suhosin_execute_internal(zend_execute_data *execute_data, z
1249 // zend_str_tolower(lcname, function_name_strlen); 790 // zend_str_tolower(lcname, function_name_strlen);
1250 // } 791 // }
1251 792
1252 // TODO: check execute_data + ->func 793 zend_string *function_name = func->common.function_name;
1253 794 if (function_name == NULL) {
1254 zend_string *function_name = execute_data->func->op_array.function_name; 795 function_name = func->op_array.function_name;
1255 796 }
1256 // TODO: check for function_name == NULL 797 if (function_name == NULL) {
1257 798 // no function name -> skip whitelists/blacklists
1258 SDEBUG("function: %s", ZSTR_VAL(function_name)); 799 goto execute_internal_continue;
800 }
801
802 SDEBUG("function: [%s]/%zu", ZSTR_VAL(function_name), ZSTR_LEN(function_name)) ;
1259 803
1260 if (SUHOSIN7_G(in_code_type) == SUHOSIN_EVAL) { 804 if (SUHOSIN7_G(in_code_type) == SUHOSIN_EVAL) {
1261 805
1262 if (SUHOSIN7_G(eval_whitelist) != NULL) { 806 if (SUHOSIN7_G(eval_whitelist) != NULL) {
1263 if (!zend_hash_exists(SUHOSIN7_G(eval_whitelist), function_name)) { 807 if (!zend_hash_exists(SUHOSIN7_G(eval_whitelist), function_name)) {
1264 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of eval whitelist called: %s()", ZSTR_VAL(function_name)); 808 suhosin_log(S_EXECUTOR|S_GETCALLER, "eval'd function not whitelisted: %s()", ZSTR_VAL(function_name));
1265 if (!SUHOSIN7_G(simulation)) { 809 if (!SUHOSIN7_G(simulation)) {
1266 goto execute_internal_bailout; 810 goto execute_internal_bailout;
1267 } else { 811 } else {
1268 FUNCTION_SIMULATE_WARNING() 812 FUNCTION_SIMULATE_WARNING(ZSTR_VAL(function_name))
1269 } 813 }
1270 } 814 }
1271 } else if (SUHOSIN7_G(eval_blacklist) != NULL) { 815 } else if (SUHOSIN7_G(eval_blacklist) != NULL) {
1272 if (zend_hash_exists(SUHOSIN7_G(eval_blacklist), function_name)) { 816 if (zend_hash_exists(SUHOSIN7_G(eval_blacklist), function_name)) {
1273 suhosin_log(S_EXECUTOR|S_GETCALLER, "function within eval blacklist called: %s()", ZSTR_VAL(function_name)); 817 suhosin_log(S_EXECUTOR|S_GETCALLER, "eval'd function blacklisted: %s()", ZSTR_VAL(function_name));
1274 if (!SUHOSIN7_G(simulation)) { 818 if (!SUHOSIN7_G(simulation)) {
1275 goto execute_internal_bailout; 819 goto execute_internal_bailout;
1276 } else { 820 } else {
1277 FUNCTION_SIMULATE_WARNING() 821 FUNCTION_SIMULATE_WARNING(ZSTR_VAL(function_name))
1278 } 822 }
1279 } 823 }
1280 } 824 }
@@ -1282,49 +826,51 @@ ZEND_API static void suhosin_execute_internal(zend_execute_data *execute_data, z
1282 826
1283 if (SUHOSIN7_G(func_whitelist) != NULL) { 827 if (SUHOSIN7_G(func_whitelist) != NULL) {
1284 if (!zend_hash_exists(SUHOSIN7_G(func_whitelist), function_name)) { 828 if (!zend_hash_exists(SUHOSIN7_G(func_whitelist), function_name)) {
1285 suhosin_log(S_EXECUTOR|S_GETCALLER, "function outside of whitelist called: %s()", ZSTR_VAL(function_name)); 829 suhosin_log(S_EXECUTOR|S_GETCALLER, "function not whitelisted: %s()", ZSTR_VAL(function_name));
1286 if (!SUHOSIN7_G(simulation)) { 830 if (!SUHOSIN7_G(simulation)) {
1287 goto execute_internal_bailout; 831 goto execute_internal_bailout;
1288 } else { 832 } else {
1289 FUNCTION_SIMULATE_WARNING() 833 FUNCTION_SIMULATE_WARNING(ZSTR_VAL(function_name))
1290 } 834 }
1291 } 835 }
1292 } else if (SUHOSIN7_G(func_blacklist) != NULL) { 836 } else if (SUHOSIN7_G(func_blacklist) != NULL) {
1293 if (zend_hash_exists(SUHOSIN7_G(func_blacklist), function_name)) { 837 if (zend_hash_exists(SUHOSIN7_G(func_blacklist), function_name)) {
1294 suhosin_log(S_EXECUTOR|S_GETCALLER, "function within blacklist called: %s()", ZSTR_VAL(function_name)); 838 suhosin_log(S_EXECUTOR|S_GETCALLER, "function blacklisted: %s()", ZSTR_VAL(function_name));
1295 if (!SUHOSIN7_G(simulation)) { 839 if (!SUHOSIN7_G(simulation)) {
1296 goto execute_internal_bailout; 840 goto execute_internal_bailout;
1297 } else { 841 } else {
1298 FUNCTION_SIMULATE_WARNING() 842 FUNCTION_SIMULATE_WARNING(ZSTR_VAL(function_name))
1299 } 843 }
1300 } 844 }
1301 } 845 }
1302 846
1303 internal_function_handler *ih; 847 suhosin_internal_function_handler *ih;
1304 int retval = 0; 848 // SDEBUG("before %d", zend_hash_exists(&ihandler_table, function_name));
1305 if ((ih = zend_hash_find_ptr(&ihandler_table, function_name))) { 849 if ((ih = zend_hash_find_ptr(&ihandler_table, function_name))) {
1306 850 // SDEBUG("AFTER");
1307 void *handler = execute_data->func->internal_function.handler; 851 void *handler = execute_data->func->internal_function.handler;
1308 852
1309 if (handler != ZEND_FN(display_disabled_function)) { 853 if (handler != ZEND_FN(display_disabled_function)) {
1310 retval = ih->handler(IH_HANDLER_PARAM_PASSTHRU); 854 retval = ih->handler(S7_IH_HANDLER_PARAM_PASSTHRU);
1311 } 855 }
1312 856
1313 } 857 }
858
859execute_internal_continue:
1314 860
1315 if (retval == 0) { 861 if (retval == SUCCESS) {
1316 old_execute_internal(execute_data, return_value); 862 old_execute_internal(execute_data, return_value);
1317 } 863 }
1318 864
1319 // if (free_lcname == 1) {
1320 // efree(lcname);
1321 // }
1322 return; 865 return;
866
1323execute_internal_bailout: 867execute_internal_bailout:
1324 // if (free_lcname == 1) { 868
1325 // efree(lcname); 869 if (function_name != NULL) {
1326 // } 870 FUNCTION_WARNING(ZSTR_VAL(function_name))
1327 FUNCTION_WARNING() 871 } else {
872 FUNCTION_WARNING("<unknown>");
873 }
1328 suhosin_bailout(); 874 suhosin_bailout();
1329} 875}
1330/* }}} */ 876/* }}} */
@@ -1332,20 +878,20 @@ execute_internal_bailout:
1332 878
1333/* {{{ int function_lookup(zend_extension *extension) 879/* {{{ int function_lookup(zend_extension *extension)
1334 */ 880 */
1335static int function_lookup(zend_extension *extension) 881// static int function_lookup(zend_extension *extension)
1336{ 882// {
1337 // if (zo_set_oe_ex != NULL) { 883// if (zo_set_oe_ex != NULL) {
1338 // return ZEND_HASH_APPLY_STOP; 884// return ZEND_HASH_APPLY_STOP;
1339 // } 885// }
1340 886//
1341 // if (extension->handle != NULL) { 887// if (extension->handle != NULL) {
1342 // 888//
1343 // zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex"); 889// zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(extension->handle, "zend_optimizer_set_oe_ex");
1344 // 890//
1345 // } 891// }
1346 892//
1347 return 0; 893// return 0;
1348} 894// }
1349/* }}} */ 895/* }}} */
1350 896
1351 897
@@ -1353,26 +899,24 @@ static int function_lookup(zend_extension *extension)
1353 */ 899 */
1354void suhosin_hook_execute() 900void suhosin_hook_execute()
1355{ 901{
1356 internal_function_handler *ih;
1357
1358 old_execute_ex = zend_execute_ex; 902 old_execute_ex = zend_execute_ex;
1359 zend_execute_ex = suhosin_execute_ex; 903 zend_execute_ex = suhosin_execute_ex;
1360 904
1361/* old_compile_file = zend_compile_file; 905/* old_compile_file = zend_compile_file;
1362 zend_compile_file = suhosin_compile_file; */ 906 zend_compile_file = suhosin_compile_file; */
1363 907
1364#if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED 908// #if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED
1365 if (zo_set_oe_ex == NULL) { 909// if (zo_set_oe_ex == NULL) {
1366 zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(NULL, "zend_optimizer_set_oe_ex"); 910// zo_set_oe_ex = (void *)DL_FETCH_SYMBOL(NULL, "zend_optimizer_set_oe_ex");
1367 } 911// }
1368 if (zo_set_oe_ex == NULL) { 912// if (zo_set_oe_ex == NULL) {
1369 zend_llist_apply(&zend_extensions, (llist_apply_func_t)function_lookup); 913// zend_llist_apply(&zend_extensions, (llist_apply_func_t)function_lookup);
1370 } 914// }
1371 915//
1372 if (zo_set_oe_ex != NULL) { 916// if (zo_set_oe_ex != NULL) {
1373 old_execute_ZO = zo_set_oe_ex(suhosin_execute_ZO); 917// old_execute_ZO = zo_set_oe_ex(suhosin_execute_ZO);
1374 } 918// }
1375#endif 919// #endif
1376 920
1377 old_execute_internal = zend_execute_internal; 921 old_execute_internal = zend_execute_internal;
1378 if (old_execute_internal == NULL) { 922 if (old_execute_internal == NULL) {
@@ -1382,9 +926,11 @@ void suhosin_hook_execute()
1382 926
1383 /* register internal function handlers */ 927 /* register internal function handlers */
1384 zend_hash_init(&ihandler_table, 16, NULL, NULL, 1); 928 zend_hash_init(&ihandler_table, 16, NULL, NULL, 1);
1385 ih = &ihandlers[0]; 929 suhosin_internal_function_handler *ih = &ihandlers[0];
1386 while (ih->name) { 930 while (ih->name) {
1387 zend_hash_str_add_ptr(&ihandler_table, ih->name, sizeof(ih->name)-1, ih); 931 // SDEBUG("adding [%s]/%zu", ih->name, strlen(ih->name));
932 // zend_hash_str_add_ptr(&ihandler_table, ZEND_STRL(ih->name), ih);
933 zend_hash_str_add_ptr(&ihandler_table, ih->name, strlen(ih->name), ih);
1388 ih++; 934 ih++;
1389 } 935 }
1390 936
@@ -1403,11 +949,11 @@ void suhosin_hook_execute()
1403 */ 949 */
1404void suhosin_unhook_execute() 950void suhosin_unhook_execute()
1405{ 951{
1406#if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED 952// #if ZO_COMPATIBILITY_HACK_TEMPORARY_DISABLED
1407 if (zo_set_oe_ex) { 953// if (zo_set_oe_ex) {
1408 zo_set_oe_ex(old_execute_ZO); 954// zo_set_oe_ex(old_execute_ZO);
1409 } 955// }
1410#endif 956// #endif
1411 957
1412 zend_execute_ex = old_execute_ex; 958 zend_execute_ex = old_execute_ex;
1413 959
diff --git a/execute.h b/execute.h
new file mode 100644
index 0000000..03d19d3
--- /dev/null
+++ b/execute.h
@@ -0,0 +1,21 @@
1#pragma once
2
3#define S7_IH_HANDLER_PARAMS_REST INTERNAL_FUNCTION_PARAMETERS
4#define S7_IH_HANDLER_PARAMS suhosin_internal_function_handler *ih, S7_IH_HANDLER_PARAMS_REST
5#define S7_IH_HANDLER_PARAM_PASSTHRU ih, INTERNAL_FUNCTION_PARAM_PASSTHRU
6
7#define S7_IH_FN(fname) suhosin_ih_ ## fname
8#define S7_IH_FUNCTION(fname) int S7_IH_FN(fname)(S7_IH_HANDLER_PARAMS)
9#define S7_IH_ENTRY(php_fname, fname, arg1, arg2, arg3) { php_fname, S7_IH_FN(fname), (void*)(arg1), (void*)(arg2), (void*)(arg3) },
10#define S7_IH_ENTRY0(php_fname, fname) S7_IH_ENTRY(php_fname, fname, NULL, NULL, NULL)
11#define S7_IH_ENTRY0i(fname) S7_IH_ENTRY0(#fname, fname)
12
13typedef struct _suhosin_internal_function_handler {
14 char *name;
15 int (*handler)(struct _suhosin_internal_function_handler *ih, S7_IH_HANDLER_PARAMS_REST);
16 void *arg1;
17 void *arg2;
18 void *arg3;
19} suhosin_internal_function_handler;
20
21S7_IH_FUNCTION(preg_replace);
diff --git a/execute_ih.c b/execute_ih.c
new file mode 100644
index 0000000..fa511b9
--- /dev/null
+++ b/execute_ih.c
@@ -0,0 +1,495 @@
1#include "php.h"
2#include "php_suhosin7.h"
3#include "execute.h"
4
5// #ifdef SUHOSIN7_PREG_REPLACE_NULL
6// preg_replace \0 protection may be redundant, because PHP already checks for \0
7S7_IH_FUNCTION(preg_replace)
8{
9 zval *regex, *replace, *subject, *zcount = NULL;
10 zend_long limit = -1;
11 // int replace_count;
12
13#ifndef FAST_ZPP
14 /* Get function parameters and do error-checking. */
15 if (zend_parse_parameters(ZEND_NUM_ARGS(), "zzz|lz/", &regex, &replace, &subject, &limit, &zcount) == FAILURE) {
16 return FAILURE;
17 }
18#else
19 ZEND_PARSE_PARAMETERS_START(3, 5)
20 Z_PARAM_ZVAL(regex)
21 Z_PARAM_ZVAL(replace)
22 Z_PARAM_ZVAL(subject)
23 Z_PARAM_OPTIONAL
24 Z_PARAM_LONG(limit)
25 Z_PARAM_ZVAL_EX(zcount, 0, 1)
26 ZEND_PARSE_PARAMETERS_END_EX(return FAILURE);
27#endif
28
29 if (Z_TYPE_P(regex) != IS_ARRAY) {
30 convert_to_string_ex(regex);
31 // regex is string
32
33 if (strlen(Z_STRVAL_P(regex)) != Z_STRLEN_P(regex)) {
34 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
35 if (!SUHOSIN7_G(simulation)) {
36 RETVAL_NULL();
37 return FAILURE;
38 }
39 }
40 } else {
41 // regex is array
42
43 /* For each entry in the regex array, get the entry */
44 zval *regex_entry;
45 ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(regex), regex_entry) {
46 /* Make sure we're dealing with strings. */
47 zend_string *regex_str = zval_get_string(regex_entry);
48
49 if (strlen(ZSTR_VAL(regex_str)) != ZSTR_LEN(regex_str)) {
50 suhosin_log(S_EXECUTOR, "string termination attack on first preg_replace parameter detected");
51 if (!SUHOSIN7_G(simulation)) {
52 RETVAL_NULL();
53 zend_string_release(regex_str);
54 return FAILURE;
55 }
56 }
57
58 zend_string_release(regex_str);
59 } ZEND_HASH_FOREACH_END();
60
61 }
62
63 return SUCCESS;
64}
65
66// #endif /* SUHOSIN7_PREG_REPLACE_NULL */
67
68
69// int ih_symlink(IH_HANDLER_PARAMS)
70// {
71// if (SUHOSIN7_G(executor_allow_symlink)) {
72// return (0);
73// }
74//
75// if (PG(open_basedir) && PG(open_basedir)[0]) {
76// suhosin_log(S_EXECUTOR, "symlink called during open_basedir");
77// if (!SUHOSIN7_G(simulation)) {
78// RETVAL_FALSE;
79// return (1);
80// }
81// }
82//
83// return (0);
84// }
85
86// int ih_mail(IH_HANDLER_PARAMS)
87// {
88// char *to=NULL, *message=NULL, *headers=NULL;
89// char *subject=NULL, *extra_cmd=NULL;
90// char *tmp;
91// int to_len, message_len, headers_len;
92// int subject_len, extra_cmd_len;
93//
94// if (SUHOSIN7_G(mailprotect) == 0) {
95// return (0);
96// }
97//
98// if (zend_parse_parameters(ZEND_NUM_ARGS(), "sss|ss",
99// &to, &to_len,
100// &subject, &subject_len,
101// &message, &message_len,
102// &headers, &headers_len,
103// &extra_cmd, &extra_cmd_len
104// ) == FAILURE) {
105// RETVAL_FALSE;
106// return (1);
107// }
108//
109// if (headers_len > 0 && headers &&
110// (strstr(headers, "\n\n") || strstr(headers, "\n\r\n") /* double newline */
111// || *headers == '\n' || (headers[0] == '\r' && headers[1] == '\n') /* starts with newline */
112// )) {
113// suhosin_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
114// if (!SUHOSIN7_G(simulation)) {
115// RETVAL_FALSE;
116// return (1);
117// }
118// }
119//
120// /* check for spam attempts with buggy webforms */
121// if (to_len > 0 && to) {
122// do {
123// if ((tmp = strchr(to, '\n')) == NULL)
124// tmp = strchr(to, '\r');
125// if (tmp == NULL) break;
126// to = tmp + 1;
127// if (!isspace(*to)) break;
128// } while (1);
129// if (tmp != NULL) {
130// suhosin_log(S_MAIL, "mail() - newline in To header, possible injection, mail dropped");
131// if (!SUHOSIN7_G(simulation)) {
132// RETVAL_FALSE;
133// return (1);
134// }
135// }
136// }
137//
138// if (subject_len > 0 && subject) {
139// do {
140// if ((tmp = strchr(subject, '\n')) == NULL)
141// tmp = strchr(subject, '\r');
142// if (tmp == NULL) break;
143// subject = tmp + 1;
144// if (!isspace(*subject)) break;
145// } while (1);
146// if (tmp != NULL) {
147// suhosin_log(S_MAIL, "mail() - newline in Subject header, possible injection, mail dropped");
148// if (!SUHOSIN7_G(simulation)) {
149// RETVAL_FALSE;
150// return (1);
151// }
152// }
153// }
154//
155// if (SUHOSIN7_G(mailprotect) > 1) {
156// /* search for to, cc or bcc headers */
157// if (headers_len > 0 && headers != NULL) {
158// if (strncasecmp(headers, "to:", sizeof("to:") - 1) == 0 || suhosin_strcasestr(headers, "\nto:")) {
159// suhosin_log(S_MAIL, "mail() - To: headers aren't allowed in the headers parameter.");
160// if (!SUHOSIN7_G(simulation)) {
161// RETVAL_FALSE;
162// return (1);
163// }
164// }
165//
166// if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || suhosin_strcasestr(headers, "\ncc:")) {
167// suhosin_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter.");
168// if (!SUHOSIN7_G(simulation)) {
169// RETVAL_FALSE;
170// return (1);
171// }
172// }
173//
174// if (strncasecmp(headers, "bcc:", sizeof("bcc:") - 1) == 0 || suhosin_strcasestr(headers, "\nbcc:")) {
175// suhosin_log(S_MAIL, "mail() - BCC: headers aren't allowed in the headers parameter.");
176// if (!SUHOSIN7_G(simulation)) {
177// RETVAL_FALSE;
178// return (1);
179// }
180// }
181// }
182// }
183//
184// return (0);
185// }
186
187// #define SQLSTATE_SQL 0
188// #define SQLSTATE_IDENTIFIER 1
189// #define SQLSTATE_STRING 2
190// #define SQLSTATE_COMMENT 3
191// #define SQLSTATE_MLCOMMENT 4
192//
193// int ih_querycheck(IH_HANDLER_PARAMS)
194// {
195// void **p = zend_vm_stack_top() - 1;
196// unsigned long arg_count;
197// zval **arg;
198// char *query, *s, *e;
199// zval *backup;
200// int len;
201// char quote;
202// int state = SQLSTATE_SQL;
203// int cnt_union = 0, cnt_select = 0, cnt_comment = 0, cnt_opencomment = 0;
204// int mysql_extension = 0;
205//
206//
207// SDEBUG("function: %s", ih->name);
208// arg_count = (unsigned long) *p;
209//
210// if (ht < (long) ih->arg1) {
211// return (0);
212// }
213//
214// if ((long) ih->arg2) {
215// mysql_extension = 1;
216// }
217//
218// arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
219//
220// backup = *arg;
221// if (Z_TYPE_P(backup) != IS_STRING) {
222// return (0);
223// }
224// len = Z_STRLEN_P(backup);
225// query = Z_STRVAL_P(backup);
226// SDEBUG("SQL |%s|", query);
227//
228// s = query;
229// e = s+len;
230//
231// while (s < e) {
232// switch (state)
233// {
234// case SQLSTATE_SQL:
235// switch (s[0])
236// {
237// case '`':
238// state = SQLSTATE_IDENTIFIER;
239// quote = '`';
240// break;
241// case '\'':
242// case '"':
243// state = SQLSTATE_STRING;
244// quote = *s;
245// break;
246// case '/':
247// if (s[1]=='*') {
248// if (mysql_extension == 1 && s[2] == '!') {
249// s += 2;
250// break;
251// }
252// s++;
253// state = SQLSTATE_MLCOMMENT;
254// cnt_comment++;
255// }
256// break;
257// case '-':
258// if (s[1]=='-') {
259// s++;
260// state = SQLSTATE_COMMENT;
261// cnt_comment++;
262// }
263// break;
264// case '#':
265// state = SQLSTATE_COMMENT;
266// cnt_comment++;
267// break;
268// case 'u':
269// case 'U':
270// if (strncasecmp("union", s, 5)==0) {
271// s += 4;
272// cnt_union++;
273// }
274// break;
275// case 's':
276// case 'S':
277// if (strncasecmp("select", s, 6)==0) {
278// s += 5;
279// cnt_select++;
280// }
281// break;
282// }
283// break;
284// case SQLSTATE_STRING:
285// case SQLSTATE_IDENTIFIER:
286// if (s[0] == quote) {
287// if (s[1] == quote) {
288// s++;
289// } else {
290// state = SQLSTATE_SQL;
291// }
292// }
293// if (s[0] == '\\') {
294// s++;
295// }
296// break;
297// case SQLSTATE_COMMENT:
298// while (s[0] && s[0] != '\n') {
299// s++;
300// }
301// state = SQLSTATE_SQL;
302// break;
303// case SQLSTATE_MLCOMMENT:
304// while (s[0] && (s[0] != '*' || s[1] != '/')) {
305// s++;
306// }
307// if (s[0]) {
308// state = SQLSTATE_SQL;
309// }
310// break;
311// }
312// s++;
313// }
314// if (state == SQLSTATE_MLCOMMENT) {
315// cnt_opencomment = 1;
316// }
317//
318// if (cnt_opencomment && SUHOSIN7_G(sql_opencomment)>0) {
319// suhosin_log(S_SQL, "Open comment in SQL query: '%*s'", len, query);
320// if (SUHOSIN7_G(sql_opencomment)>1) {
321// suhosin_bailout();
322// }
323// }
324//
325// if (cnt_comment && SUHOSIN7_G(sql_comment)>0) {
326// suhosin_log(S_SQL, "Comment in SQL query: '%*s'", len, query);
327// if (SUHOSIN7_G(sql_comment)>1) {
328// suhosin_bailout();
329// }
330// }
331//
332// if (cnt_union && SUHOSIN7_G(sql_union)>0) {
333// suhosin_log(S_SQL, "UNION in SQL query: '%*s'", len, query);
334// if (SUHOSIN7_G(sql_union)>1) {
335// suhosin_bailout();
336// }
337// }
338//
339// if (cnt_select>1 && SUHOSIN7_G(sql_mselect)>0) {
340// suhosin_log(S_SQL, "Multiple SELECT in SQL query: '%*s'", len, query);
341// if (SUHOSIN7_G(sql_mselect)>1) {
342// suhosin_bailout();
343// }
344// }
345//
346// return (0);
347// }
348//
349//
350// int ih_fixusername(IH_HANDLER_PARAMS)
351// {
352// void **p = zend_vm_stack_top() - 1;
353// unsigned long arg_count;
354// zval **arg;
355// char *prefix, *postfix, *user, *user_match, *cp;
356// zval *backup, *my_user;
357// int prefix_len, postfix_len, len;
358//
359// SDEBUG("function (fixusername): %s", ih->name);
360//
361// prefix = SUHOSIN7_G(sql_user_prefix);
362// postfix = SUHOSIN7_G(sql_user_postfix);
363// user_match = SUHOSIN7_G(sql_user_match);
364//
365// arg_count = (unsigned long) *p;
366//
367// if (ht < (long) ih->arg1) {
368// return (0);
369// }
370//
371// arg = (zval **) p - (arg_count - (long) ih->arg1 + 1); /* count from 0 */
372//
373// backup = *arg;
374// if (Z_TYPE_P(backup) != IS_STRING) {
375// user = "";
376// len = 0;
377// } else {
378// len = Z_STRLEN_P(backup);
379// user = Z_STRVAL_P(backup);
380// }
381//
382// cp = user;
383// while (cp < user+len) {
384// if (*cp < 32) {
385// suhosin_log(S_SQL, "SQL username contains invalid characters");
386// if (!SUHOSIN7_G(simulation)) {
387// RETVAL_FALSE;
388// return (1);
389// }
390// break;
391// }
392// cp++;
393// }
394//
395// if ((prefix != NULL && prefix[0]) || (postfix != NULL && postfix[0])) {
396// if (prefix == NULL) {
397// prefix = "";
398// }
399// if (postfix == NULL) {
400// postfix = "";
401// }
402// prefix_len = strlen(prefix);
403// postfix_len = strlen(postfix);
404//
405// MAKE_STD_ZVAL(my_user);
406// my_user->type = IS_STRING;
407// my_user->value.str.len = spprintf(&my_user->value.str.val, 0, "%s%s%s", prefix, user, postfix);
408//
409// /* XXX: memory_leak? */
410// *arg = my_user;
411//
412// len = Z_STRLEN_P(my_user);
413// user = Z_STRVAL_P(my_user);
414// }
415//
416// if (user_match && user_match[0]) {
417// #ifdef HAVE_FNMATCH
418// if (fnmatch(user_match, user, 0) != 0) {
419// suhosin_log(S_SQL, "SQL username ('%s') does not match suhosin.sql.user_match ('%s')", user, user_match);
420// if (!SUHOSIN7_G(simulation)) {
421// RETVAL_FALSE;
422// return (1);
423// }
424// }
425// #else
426// #warning no support for fnmatch() - setting suhosin.sql.user_match will always fail.
427// suhosin_log(S_SQL, "suhosin.sql.user_match specified, but system does not support fnmatch()");
428// if (!SUHOSIN7_G(simulation)) {
429// RETVAL_FALSE;
430// return (1);
431// }
432// #endif
433// }
434//
435// SDEBUG("function: %s - user: %s", ih->name, user);
436//
437// return (0);
438// }
439//
440//
441// static int ih_function_exists(IH_HANDLER_PARAMS)
442// {
443// zval **function_name;
444// zend_function *func;
445// char *lcname;
446// zend_bool retval;
447// int func_name_len;
448//
449// if (ZEND_NUM_ARGS()!=1 || zend_get_parameters_ex(1, &function_name)==FAILURE) {
450// ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1);
451// }
452// convert_to_string_ex(function_name);
453// func_name_len = Z_STRLEN_PP(function_name);
454// lcname = estrndup(Z_STRVAL_PP(function_name), func_name_len);
455// zend_str_tolower(lcname, func_name_len);
456//
457// retval = (zend_hash_find(EG(function_table), lcname, func_name_len+1, (void **)&func) == SUCCESS);
458//
459// /*
460// * A bit of a hack, but not a bad one: we see if the handler of the function
461// * is actually one that displays "function is disabled" message.
462// */
463// if (retval && func->type == ZEND_INTERNAL_FUNCTION &&
464// func->internal_function.handler == zif_display_disabled_function) {
465// retval = 0;
466// }
467//
468// /* Now check if function is forbidden by Suhosin */
469// if (SUHOSIN7_G(in_code_type) == SUHOSIN_EVAL) {
470// if (SUHOSIN7_G(eval_whitelist) != NULL) {
471// if (!zend_hash_exists(SUHOSIN7_G(eval_whitelist), lcname, func_name_len+1)) {
472// retval = 0;
473// }
474// } else if (SUHOSIN7_G(eval_blacklist) != NULL) {
475// if (zend_hash_exists(SUHOSIN7_G(eval_blacklist), lcname, func_name_len+1)) {
476// retval = 0;
477// }
478// }
479// }
480//
481// if (SUHOSIN7_G(func_whitelist) != NULL) {
482// if (!zend_hash_exists(SUHOSIN7_G(func_whitelist), lcname, func_name_len+1)) {
483// retval = 0;
484// }
485// } else if (SUHOSIN7_G(func_blacklist) != NULL) {
486// if (zend_hash_exists(SUHOSIN7_G(func_blacklist), lcname, func_name_len+1)) {
487// retval = 0;
488// }
489// }
490//
491// efree(lcname);
492//
493// RETVAL_BOOL(retval);
494// return (1);
495// }
diff --git a/execute_rnd.inc.c b/execute_rnd.c
index 9647b63..9647b63 100644
--- a/execute_rnd.inc.c
+++ b/execute_rnd.c
diff --git a/header.c b/header.c
index 65b2c26..a916746 100644
--- a/header.c
+++ b/header.c
@@ -75,7 +75,7 @@ static int suhosin_header_handler(sapi_header_struct *sapi_header, sapi_header_o
75 int nlen, vlen, len, tlen; 75 int nlen, vlen, len, tlen;
76 char cryptkey[33]; 76 char cryptkey[33];
77 77
78 suhosin_generate_key(SUHOSIN7_G(cookie_cryptkey), SUHOSIN7_G(cookie_cryptua), SUHOSIN7_G(cookie_cryptdocroot), SUHOSIN7_G(cookie_cryptraddr), (char *)&cryptkey TSRMLS_CC); 78 suhosin_generate_key(SUHOSIN7_G(cookie_cryptkey), SUHOSIN7_G(cookie_cryptua), SUHOSIN7_G(cookie_cryptdocroot), SUHOSIN7_G(cookie_cryptraddr), (char *)cryptkey);
79 start = estrndup(sapi_header->header, sapi_header->header_len); 79 start = estrndup(sapi_header->header, sapi_header->header_len);
80 rend = end = start + sapi_header->header_len; 80 rend = end = start + sapi_header->header_len;
81 81
@@ -119,7 +119,7 @@ static int suhosin_header_handler(sapi_header_struct *sapi_header, sapi_header_o
119suhosin_skip_header_handling: 119suhosin_skip_header_handling:
120 /* If existing call the sapi header handler */ 120 /* If existing call the sapi header handler */
121 if (orig_header_handler) { 121 if (orig_header_handler) {
122 retval = orig_header_handler(sapi_header, op, sapi_headers TSRMLS_CC); 122 retval = orig_header_handler(sapi_header, op, sapi_headers);
123 } 123 }
124 124
125 return retval; 125 return retval;
diff --git a/log.c b/log.c
index 5b14c61..67e37b4 100644
--- a/log.c
+++ b/log.c
@@ -158,22 +158,22 @@ SUHOSIN7_API void suhosin_log(int loglevel, char *fmt, ...)
158 } 158 }
159 159
160 if (zend_is_executing()) { 160 if (zend_is_executing()) {
161 zend_execute_data *exdata = EG(current_execute_data); 161 // zend_execute_data *exdata = EG(current_execute_data);
162 if (exdata) { 162 // if (exdata) {
163 if (getcaller && exdata->prev_execute_data && exdata->prev_execute_data->opline && exdata->prev_execute_data->func) { 163 // if (getcaller && exdata->prev_execute_data && exdata->prev_execute_data->opline && exdata->prev_execute_data->func) {
164 lineno = exdata->prev_execute_data->opline->lineno; 164 // lineno = exdata->prev_execute_data->opline->lineno;
165 fname = (char *)ZSTR_VAL(exdata->prev_execute_data->func->op_array.filename); 165 // fname = (char *)ZSTR_VAL(exdata->prev_execute_data->func->op_array.filename);
166 } else if (exdata->opline && exdata->func) { 166 // } else if (exdata->opline && exdata->func) {
167 lineno = exdata->opline->lineno; 167 // lineno = exdata->opline->lineno;
168 fname = (char *)ZSTR_VAL(exdata->func->op_array.filename); 168 // fname = (char *)ZSTR_VAL(exdata->func->op_array.filename);
169 } else { 169 // } else {
170 lineno = 0; 170 // lineno = 0;
171 fname = "[unknown filename]"; 171 // fname = "[unknown filename]";
172 } 172 // }
173 } else { 173 // } else {
174 lineno = zend_get_executed_lineno(); 174 lineno = zend_get_executed_lineno();
175 fname = (char *)zend_get_executed_filename(); 175 fname = (char *)zend_get_executed_filename();
176 } 176 // }
177 ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s', line %u)", alertstring, error, ip_address, fname, lineno); 177 ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s', line %u)", alertstring, error, ip_address, fname, lineno);
178 } else { 178 } else {
179 fname = suhosin_getenv("SCRIPT_FILENAME", 15); 179 fname = suhosin_getenv("SCRIPT_FILENAME", 15);
diff --git a/php_suhosin7.h b/php_suhosin7.h
index eaf2f87..2b5f48e 100644
--- a/php_suhosin7.h
+++ b/php_suhosin7.h
@@ -68,7 +68,7 @@ extern zend_module_entry suhosin7_module_entry;
68// PHP_RSHUTDOWN_FUNCTION(suhosin); 68// PHP_RSHUTDOWN_FUNCTION(suhosin);
69// PHP_MINFO_FUNCTION(suhosin); 69// PHP_MINFO_FUNCTION(suhosin);
70 70
71#include "ext/standard/basic_functions.h" 71// #include "ext/standard/basic_functions.h"
72 72
73static inline int suhosin_is_protected_varname(char *var, int var_len) 73static inline int suhosin_is_protected_varname(char *var, int var_len)
74{ 74{
diff --git a/suhosin7.c b/suhosin7.c
index 3b84767..5f36aa4 100644
--- a/suhosin7.c
+++ b/suhosin7.c
@@ -301,7 +301,7 @@ PHP_INI_BEGIN()
301 PHP_INI_ENTRY("suhosin.executor.func.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_whitelist) 301 PHP_INI_ENTRY("suhosin.executor.func.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_whitelist)
302 PHP_INI_ENTRY("suhosin.executor.func.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_blacklist) 302 PHP_INI_ENTRY("suhosin.executor.func.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_blacklist)
303 // STD_S7_INI_BOOLEAN("suhosin.executor.disable_eval", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_eval) 303 // STD_S7_INI_BOOLEAN("suhosin.executor.disable_eval", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_eval)
304 // STD_S7_INI_BOOLEAN("suhosin.executor.disable_emodifier", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_emod) 304 STD_S7_INI_BOOLEAN("suhosin.executor.disable_emodifier", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_emod)
305 // 305 //
306 // STD_S7_INI_BOOLEAN("suhosin.executor.allow_symlink", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_allow_symlink) 306 // STD_S7_INI_BOOLEAN("suhosin.executor.allow_symlink", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_allow_symlink)
307 STD_S7_INI_ENTRY("suhosin.executor.max_depth", "750", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, max_execution_depth) 307 STD_S7_INI_ENTRY("suhosin.executor.max_depth", "750", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, max_execution_depth)