Diffstat (limited to 'ifilter.c')
-rw-r--r--ifilter.c73
1 files changed, 35 insertions, 38 deletions
diff --git a/ifilter.c b/ifilter.c
index a8fa8e2..cdef00c 100644
--- a/ifilter.c
+++ b/ifilter.c
@@ -17,9 +17,6 @@
17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> | 17 | Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de> |
18 +----------------------------------------------------------------------+ 18 +----------------------------------------------------------------------+
19*/ 19*/
20/*
21 $Id: ifilter.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $
22*/
23 20
24#ifdef HAVE_CONFIG_H 21#ifdef HAVE_CONFIG_H
25#include "config.h" 22#include "config.h"
@@ -67,12 +64,12 @@ size_t suhosin_strncspn(const char *input, size_t n, const char *reject)
67void suhosin_normalize_varname(char *varname) 64void suhosin_normalize_varname(char *varname)
68{ 65{
69 char *s=varname, *index=NULL, *indexend=NULL, *p; 66 char *s=varname, *index=NULL, *indexend=NULL, *p;
70 67
71 /* overjump leading space */ 68 /* overjump leading space */
72 while (*s == ' ') { 69 while (*s == ' ') {
73 s++; 70 s++;
74 } 71 }
75 72
76 /* and remove it */ 73 /* and remove it */
77 if (s != varname) { 74 if (s != varname) {
78 memmove(varname, s, strlen(s)+1); 75 memmove(varname, s, strlen(s)+1);
@@ -104,7 +101,7 @@ void suhosin_normalize_varname(char *varname)
104 } 101 }
105 indexend = strchr(index, ']'); 102 indexend = strchr(index, ']');
106 indexend = indexend ? indexend + 1 : index + strlen(index); 103 indexend = indexend ? indexend + 1 : index + strlen(index);
107 104
108 if (s != index) { 105 if (s != index) {
109 memmove(s, index, strlen(index)+1); 106 memmove(s, index, strlen(index)+1);
110 s += indexend-index; 107 s += indexend-index;
@@ -117,7 +114,7 @@ void suhosin_normalize_varname(char *varname)
117 index = s; 114 index = s;
118 } else { 115 } else {
119 index = NULL; 116 index = NULL;
120 } 117 }
121 } 118 }
122 *s++='\0'; 119 *s++='\0';
123} 120}
@@ -155,7 +152,7 @@ static void suhosin_server_strip(HashTable *arr, char *key, int klen)
155 Z_TYPE_P(zv) != IS_STRING) { 152 Z_TYPE_P(zv) != IS_STRING) {
156 return; 153 return;
157 } 154 }
158 155
159 t = (unsigned char *)Z_STRVAL_P(zv); 156 t = (unsigned char *)Z_STRVAL_P(zv);
160 // SDEBUG() 157 // SDEBUG()
161 for (; *t; t++) { 158 for (; *t; t++) {
@@ -178,7 +175,7 @@ static void suhosin_server_encode(HashTable *arr, char *key, int klen)
178 Z_TYPE_P(zv) != IS_STRING) { 175 Z_TYPE_P(zv) != IS_STRING) {
179 return; 176 return;
180 } 177 }
181 178
182 unsigned char *orig = (unsigned char *)Z_STRVAL_P(zv); 179 unsigned char *orig = (unsigned char *)Z_STRVAL_P(zv);
183 unsigned char *t; 180 unsigned char *t;
184 for (t = orig; *t; t++) { 181 for (t = orig; *t; t++) {
@@ -186,12 +183,12 @@ static void suhosin_server_encode(HashTable *arr, char *key, int klen)
186 extra += 2; 183 extra += 2;
187 } 184 }
188 } 185 }
189 186
190 /* no extra bytes required */ 187 /* no extra bytes required */
191 if (extra == 0) { 188 if (extra == 0) {
192 return; 189 return;
193 } 190 }
194 191
195 size_t dest_len = t - orig + 1 + extra; 192 size_t dest_len = t - orig + 1 + extra;
196 unsigned char dest[dest_len]; 193 unsigned char dest[dest_len];
197 unsigned char *n = dest; 194 unsigned char *n = dest;
@@ -256,7 +253,7 @@ void suhosin_register_server_variables(zval *track_vars_array)
256 if (failure) { 253 if (failure) {
257 suhosin_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header"); 254 suhosin_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
258 } 255 }
259 256
260 if (SUHOSIN7_G(raw_cookie)) { 257 if (SUHOSIN7_G(raw_cookie)) {
261 zval z; 258 zval z;
262 ZVAL_STRING(&z, SUHOSIN7_G(raw_cookie)); 259 ZVAL_STRING(&z, SUHOSIN7_G(raw_cookie));
@@ -269,7 +266,7 @@ void suhosin_register_server_variables(zval *track_vars_array)
269 efree(SUHOSIN7_G(decrypted_cookie)); 266 efree(SUHOSIN7_G(decrypted_cookie));
270 SUHOSIN7_G(decrypted_cookie) = NULL; 267 SUHOSIN7_G(decrypted_cookie) = NULL;
271 } 268 }
272 269
273 if (SUHOSIN7_G(server_encode)) { 270 if (SUHOSIN7_G(server_encode)) {
274 /* suhosin_server_encode(svars, ZEND_STRL("argv")); */ 271 /* suhosin_server_encode(svars, ZEND_STRL("argv")); */
275 suhosin_server_encode(svars, ZEND_STRL("REQUEST_URI")); 272 suhosin_server_encode(svars, ZEND_STRL("REQUEST_URI"));
@@ -332,7 +329,7 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
332 } 329 }
333 return 1; 330 return 1;
334 } 331 }
335 332
336 /* Drop this variable if the limit is now reached */ 333 /* Drop this variable if the limit is now reached */
337 switch (arg) { 334 switch (arg) {
338 case PARSE_GET: 335 case PARSE_GET:
@@ -363,7 +360,7 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
363 } 360 }
364 break; 361 break;
365 } 362 }
366 363
367 /* Drop this variable if it begins with whitespace which is disallowed */ 364 /* Drop this variable if it begins with whitespace which is disallowed */
368 // SDEBUG("checking '%c'", *var); 365 // SDEBUG("checking '%c'", *var);
369 if (isspace(*var)) { 366 if (isspace(*var)) {
@@ -394,7 +391,7 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
394 } 391 }
395 } 392 }
396 // else { SDEBUG("not WS");} 393 // else { SDEBUG("not WS");}
397 394
398 /* Drop this variable if it exceeds the value length limit */ 395 /* Drop this variable if it exceeds the value length limit */
399 if (SUHOSIN7_G(max_value_length) && SUHOSIN7_G(max_value_length) < val_len) { 396 if (SUHOSIN7_G(max_value_length) && SUHOSIN7_G(max_value_length) < val_len) {
400 suhosin_log(S_VARS, "configured request variable value length limit exceeded - dropped variable '%s'", var); 397 suhosin_log(S_VARS, "configured request variable value length limit exceeded - dropped variable '%s'", var);
@@ -420,15 +417,15 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
420 } 417 }
421 break; 418 break;
422 } 419 }
423 420
424 /* Normalize the variable name */ 421 /* Normalize the variable name */
425 suhosin_normalize_varname(var); 422 suhosin_normalize_varname(var);
426 423
427 /* Find length of variable name */ 424 /* Find length of variable name */
428 index = strchr(var, '['); 425 index = strchr(var, '[');
429 total_len = strlen(var); 426 total_len = strlen(var);
430 var_len = index ? index-var : total_len; 427 var_len = index ? index-var : total_len;
431 428
432 /* Drop this variable if it exceeds the varname/total length limit */ 429 /* Drop this variable if it exceeds the varname/total length limit */
433 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) { 430 if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) {
434 suhosin_log(S_VARS, "configured request variable name length limit exceeded - dropped variable '%s'", var); 431 suhosin_log(S_VARS, "configured request variable name length limit exceeded - dropped variable '%s'", var);
@@ -470,51 +467,51 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
470 } 467 }
471 break; 468 break;
472 } 469 }
473 470
474 /* Find out array depth */ 471 /* Find out array depth */
475 while (index) { 472 while (index) {
476 char *index_end; 473 char *index_end;
477 unsigned int index_length; 474 unsigned int index_length;
478 475
479 /* overjump '[' */ 476 /* overjump '[' */
480 index++; 477 index++;
481 478
482 /* increase array depth */ 479 /* increase array depth */
483 depth++; 480 depth++;
484 481
485 index_end = strchr(index, ']'); 482 index_end = strchr(index, ']');
486 if (index_end == NULL) { 483 if (index_end == NULL) {
487 index_end = index+strlen(index); 484 index_end = index+strlen(index);
488 } 485 }
489 486
490 index_length = index_end - index; 487 index_length = index_end - index;
491 488
492 /* max. array index length */ 489 /* max. array index length */
493 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) { 490 if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) {
494 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var); 491 suhosin_log(S_VARS, "configured request variable array index length limit exceeded - dropped variable '%s'", var);
495 if (!SUHOSIN7_G(simulation)) { return 0; } 492 if (!SUHOSIN7_G(simulation)) { return 0; }
496 } 493 }
497 switch (arg) { 494 switch (arg) {
498 case PARSE_GET: 495 case PARSE_GET:
499 if (SUHOSIN7_G(max_get_array_index_length) && SUHOSIN7_G(max_get_array_index_length) < index_length) { 496 if (SUHOSIN7_G(max_get_array_index_length) && SUHOSIN7_G(max_get_array_index_length) < index_length) {
500 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var); 497 suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var);
501 if (!SUHOSIN7_G(simulation)) { return 0; } 498 if (!SUHOSIN7_G(simulation)) { return 0; }
502 } 499 }
503 break; 500 break;
504 case PARSE_COOKIE: 501 case PARSE_COOKIE:
505 if (SUHOSIN7_G(max_cookie_array_index_length) && SUHOSIN7_G(max_cookie_array_index_length) < index_length) { 502 if (SUHOSIN7_G(max_cookie_array_index_length) && SUHOSIN7_G(max_cookie_array_index_length) < index_length) {
506 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var); 503 suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var);
507 if (!SUHOSIN7_G(simulation)) { return 0; } 504 if (!SUHOSIN7_G(simulation)) { return 0; }
508 } 505 }
509 break; 506 break;
510 case PARSE_POST: 507 case PARSE_POST:
511 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) { 508 if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) {
512 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var); 509 suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var);
513 if (!SUHOSIN7_G(simulation)) { return 0; } 510 if (!SUHOSIN7_G(simulation)) { return 0; }
514 } 511 }
515 break; 512 break;
516 } 513 }
517 514
518 /* index whitelist/blacklist */ 515 /* index whitelist/blacklist */
519 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) { 516 if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) {
520 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) { 517 if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) {
@@ -527,10 +524,10 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
527 if (!SUHOSIN7_G(simulation)) { return 0; } 524 if (!SUHOSIN7_G(simulation)) { return 0; }
528 } 525 }
529 } 526 }
530 527
531 index = strchr(index, '['); 528 index = strchr(index, '[');
532 } 529 }
533 530
534 /* Drop this variable if it exceeds the array depth limit */ 531 /* Drop this variable if it exceeds the array depth limit */
535 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) { 532 if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) {
536 suhosin_log(S_VARS, "configured request variable array depth limit exceeded - dropped variable '%s'", var); 533 suhosin_log(S_VARS, "configured request variable array depth limit exceeded - dropped variable '%s'", var);
@@ -558,9 +555,9 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
558 } 555 }
559 556
560 /* Check if variable value is truncated by a \0 */ 557 /* Check if variable value is truncated by a \0 */
561 558
562 if (val && *val && val_len != strnlen(*val, val_len)) { 559 if (val && *val && val_len != strnlen(*val, val_len)) {
563 560
564 if (SUHOSIN7_G(disallow_nul)) { 561 if (SUHOSIN7_G(disallow_nul)) {
565 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped variable '%s'", var); 562 suhosin_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped variable '%s'", var);
566 if (!SUHOSIN7_G(simulation)) { return 0; } 563 if (!SUHOSIN7_G(simulation)) { return 0; }
@@ -586,7 +583,7 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
586 break; 583 break;
587 } 584 }
588 } 585 }
589 586
590 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */ 587 /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
591 /* This is to protect several silly scripts that do globalizing themself */ 588 /* This is to protect several silly scripts that do globalizing themself */
592 if (suhosin_is_protected_varname(var, var_len)) { 589 if (suhosin_is_protected_varname(var, var_len)) {
@@ -607,7 +604,7 @@ static SAPI_INPUT_FILTER_FUNC(suhosin_input_filter)
607 SUHOSIN7_G(cur_post_vars)++; 604 SUHOSIN7_G(cur_post_vars)++;
608 break; 605 break;
609 } 606 }
610 607
611 if (new_val_len) { 608 if (new_val_len) {
612 *new_val_len = val_len; 609 *new_val_len = val_len;
613 } 610 }
@@ -625,7 +622,7 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
625 // SDEBUG("ifilter arg=%d var=%s do_not_scan=%d already_scanned=%d", arg, var, SUHOSIN7_G(do_not_scan), already_scanned); 622 // SDEBUG("ifilter arg=%d var=%s do_not_scan=%d already_scanned=%d", arg, var, SUHOSIN7_G(do_not_scan), already_scanned);
626 // SDEBUG("ifilter arg=%d var=%s do_not_scan=%d", arg, var, SUHOSIN7_G(do_not_scan)); 623 // SDEBUG("ifilter arg=%d var=%s do_not_scan=%d", arg, var, SUHOSIN7_G(do_not_scan));
627 SDEBUG("ifilter arg=%d var=%s", arg, var); 624 SDEBUG("ifilter arg=%d var=%s", arg, var);
628 625
629 // if (SUHOSIN7_G(do_not_scan)) { 626 // if (SUHOSIN7_G(do_not_scan)) {
630 // SDEBUG("do_not_scan"); 627 // SDEBUG("do_not_scan");
631 // if (new_val_len) { 628 // if (new_val_len) {
@@ -633,7 +630,7 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper)
633 // } 630 // }
634 // return 1; 631 // return 1;
635 // } 632 // }
636 633
637 // if (!already_scanned) { 634 // if (!already_scanned) {
638 if (suhosin_input_filter(arg, var, val, val_len, new_val_len) == 0) { 635 if (suhosin_input_filter(arg, var, val, val_len, new_val_len) == 0) {
639 SUHOSIN7_G(abort_request)=1; 636 SUHOSIN7_G(abort_request)=1;