From 81550450b59193c36118e402b6003a9d40f3ae09 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Sat, 21 May 2016 13:39:07 +0200 Subject: post and file upload handling --- config.m4 | 2 +- ifilter.c | 15 +- php_suhosin7.h | 21 +- post_handler.c | 145 ++++++ rfc1867.c | 1370 +++++++++++++++++++++++++++++++++++++++++++++++++++++ suhosin7.c | 16 +- suhosin_rfc1867.h | 91 ++++ ufilter.c | 425 +++++++++++++++++ 8 files changed, 2065 insertions(+), 20 deletions(-) create mode 100644 post_handler.c create mode 100644 rfc1867.c create mode 100644 suhosin_rfc1867.h create mode 100644 ufilter.c diff --git a/config.m4 b/config.m4 index 63b7d18..23081dd 100644 --- a/config.m4 +++ b/config.m4 @@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin7, whether to enable suhosin support, [ --enable-suhosin7 Enable suhosin support]) if test "$PHP_SUHOSIN7" != "no"; then - PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c ex_imp.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) + PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c ex_imp.c rfc1867.c ufilter.c post_handler.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1]) PHP_ADD_EXTENSION_DEP(suhosin7, hash) echo "===== WARNING ============================================" echo " Suhosin7 for PHP 7 is in alpha stage at the moment and" diff --git a/ifilter.c b/ifilter.c index 2d41048..a8fa8e2 100644 --- a/ifilter.c +++ b/ifilter.c @@ -41,7 +41,7 @@ static size_t strnlen(const char *s, size_t maxlen) { } #endif -static size_t suhosin_strnspn(const char *input, size_t n, const char *accept) +size_t suhosin_strnspn(const char *input, size_t n, const char *accept) { size_t count = 0; for (; *input != '\0' && count < n; input++, count++) { @@ -51,7 +51,7 @@ static size_t suhosin_strnspn(const char *input, size_t n, const char *accept) return count; } -static size_t suhosin_strncspn(const char *input, size_t n, const char *reject) +size_t suhosin_strncspn(const char *input, size_t n, const char *reject) { size_t count = 0; for (; *input != '\0' && count < n; input++, count++) { @@ -635,7 +635,7 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper) // } // if (!already_scanned) { - if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) { + if (suhosin_input_filter(arg, var, val, val_len, new_val_len) == 0) { SUHOSIN7_G(abort_request)=1; return 0; } @@ -644,7 +644,14 @@ SAPI_INPUT_FILTER_FUNC(suhosin_input_filter_wrapper) } // } if (orig_input_filter) { - return orig_input_filter(arg, var, val, val_len, new_val_len); + + if (orig_input_filter(arg, var, val, val_len, new_val_len) == 0) { + SUHOSIN7_G(abort_request)=1; + return 0; + } else { + return 1; + } + } else { return 1; } diff --git a/php_suhosin7.h b/php_suhosin7.h index 8a58ef6..6c515ba 100644 --- a/php_suhosin7.h +++ b/php_suhosin7.h @@ -205,16 +205,16 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7) zend_bool disallow_post_ws; /* fileupload */ - // zend_long upload_limit; - // zend_long upload_max_newlines; - // zend_long num_uploads; - // zend_bool upload_disallow_elf; - // zend_bool upload_disallow_binary; - // zend_bool upload_remove_binary; + zend_long upload_max_newlines; + zend_long upload_limit; + zend_long num_uploads; + zend_bool upload_disallow_elf; + zend_bool upload_disallow_binary; + zend_bool upload_remove_binary; #ifdef SUHOSIN7_EXPERIMENTAL - // zend_bool upload_allow_utf8; + zend_bool upload_allow_utf8; #endif - // char *upload_verification_script; + char *upload_verification_script; zend_bool no_more_variables; zend_bool no_more_get_variables; @@ -395,8 +395,12 @@ void suhosin_hook_ex_imp(); void suhosin_hook_session(); #endif +void suhosin_hook_post_handlers(); + // ifilter.c void suhosin_normalize_varname(char *varname); +size_t suhosin_strnspn(const char *input, size_t n, const char *accept); +size_t suhosin_strncspn(const char *input, size_t n, const char *reject); // cookiecrypt.c char *suhosin_cookie_decryptor(char *raw_cookie); @@ -415,6 +419,7 @@ void suhosin_aes_gkey(int nb,int nk,char *key); void suhosin_aes_encrypt(char *buff); void suhosin_aes_decrypt(char *buff); + // static inline void suhosin_bailout() diff --git a/post_handler.c b/post_handler.c new file mode 100644 index 0000000..1a2374c --- /dev/null +++ b/post_handler.c @@ -0,0 +1,145 @@ +/* + +----------------------------------------------------------------------+ + | Suhosin Version 1 | + +----------------------------------------------------------------------+ + | Copyright (c) 2006-2007 The Hardened-PHP Project | + | Copyright (c) 2007-2016 SektionEins GmbH | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Stefan Esser | + | Ben Fuhrmannek | + +----------------------------------------------------------------------+ +*/ +/* + $Id: post_handler.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "php.h" +#include "php_ini.h" +#include "php_suhosin7.h" +#include "SAPI.h" +#include "php_variables.h" +#include "php_content_types.h" +#include "suhosin_rfc1867.h" +#include "ext/standard/url.h" +#include "ext/standard/php_smart_string.h" + +#if defined(PHP_WIN32) +#include "win32/php_inttypes.h" +#endif + +SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler); + +static void suhosin_post_handler_modification(sapi_post_entry *spe) +{ + char *content_type = estrndup(spe->content_type, spe->content_type_len); + suhosin_log(S_VARS, "some extension replaces the POST handler for %s - Suhosin's protection might be incomplete", content_type); + efree(content_type); +} + +// static PHP_INI_MH((*old_OnUpdate_mbstring_encoding_translation)) = NULL; +// +// /* {{{ static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation) */ +// static PHP_INI_MH(suhosin_OnUpdate_mbstring_encoding_translation) +// { +// zend_bool *p; +// #ifndef ZTS +// char *base = (char *) mh_arg2; +// #else +// char *base; +// +// base = (char *) ts_resource(*((int *) mh_arg2)); +// #endif +// +// p = (zend_bool *) (base+(size_t) mh_arg1); +// +// if (new_value_length == 2 && strcasecmp("on", new_value) == 0) { +// *p = (zend_bool) 1; +// } +// else if (new_value_length == 3 && strcasecmp("yes", new_value) == 0) { +// *p = (zend_bool) 1; +// } +// else if (new_value_length == 4 && strcasecmp("true", new_value) == 0) { +// *p = (zend_bool) 1; +// } +// else { +// *p = (zend_bool) atoi(new_value); +// } +// if (*p) { +// suhosin_log(S_VARS, "Dynamic configuration (maybe a .htaccess file) tried to activate mbstring.encoding_translation which is incompatible with suhosin"); +// } +// return SUCCESS; +// } +/* }}} */ + +/* {{{ php_post_entries[] + */ +static sapi_post_entry suhosin_post_entries[] = { + // { DEFAULT_POST_CONTENT_TYPE, sizeof(DEFAULT_POST_CONTENT_TYPE)-1, sapi_read_standard_form_data, suhosin_std_post_handler }, + { ZEND_STRL(MULTIPART_CONTENT_TYPE), NULL, suhosin_rfc1867_post_handler }, + { NULL, 0, NULL, NULL } +}; +/* }}} */ + +void suhosin_hook_post_handlers() +{ + HashTable tempht; + // zend_ini_entry *ini_entry; + + sapi_unregister_post_entry(&suhosin_post_entries[0]); + // sapi_unregister_post_entry(&suhosin_post_entries[1]); + sapi_register_post_entries(suhosin_post_entries); + + /* we want to get notified if another extension deregisters the suhosin post handlers */ + + /* we need to tell suhosin patch that there is a new valid destructor */ + /* therefore we have create HashTable that has this destructor */ + // zend_hash_init(&tempht, 0, NULL, (dtor_func_t)suhosin_post_handler_modification, 0); + // zend_hash_destroy(&tempht); + /* And now we can overwrite the destructor for post entries */ + // SG(known_post_content_types).pDestructor = (dtor_func_t)suhosin_post_handler_modification; + + /* we have to stop mbstring from replacing our post handler */ + // if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) { + // return; + // } + /* replace OnUpdate_mbstring_encoding_translation handler */ + // old_OnUpdate_mbstring_encoding_translation = ini_entry->on_modify; + // ini_entry->on_modify = suhosin_OnUpdate_mbstring_encoding_translation; +} + +// void suhosin_unhook_post_handlers() +// { +// zend_ini_entry *ini_entry; +// +// /* Restore to an empty destructor */ +// SG(known_post_content_types).pDestructor = NULL; +// +// /* Now restore the ini entry handler */ +// if (zend_hash_find(EG(ini_directives), "mbstring.encoding_translation", sizeof("mbstring.encoding_translation"), (void **) &ini_entry) == FAILURE) { +// return; +// } +// /* replace OnUpdate_mbstring_encoding_translation handler */ +// ini_entry->on_modify = old_OnUpdate_mbstring_encoding_translation; +// old_OnUpdate_mbstring_encoding_translation = NULL; +// } + +/* + * Local variables: + * tab-width: 4 + * c-basic-offset: 4 + * End: + * vim600: noet sw=4 ts=4 fdm=marker + * vim<600: noet sw=4 ts=4 + */ diff --git a/rfc1867.c b/rfc1867.c new file mode 100644 index 0000000..8daa0e8 --- /dev/null +++ b/rfc1867.c @@ -0,0 +1,1370 @@ +/* + +----------------------------------------------------------------------+ + | Suhosin Version 1 | + +----------------------------------------------------------------------+ + | Copyright (c) 2006-2007 The Hardened-PHP Project | + | Copyright (c) 2007-2016 SektionEins GmbH | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Stefan Esser | + | Ben Fuhrmannek | + +----------------------------------------------------------------------+ + + Note: The following code is based on main/rfc1867.c from PHP 7. + | Copyright (c) 1997-2016 The PHP Group | + Original PHP Version 7 Authors: + | Authors: Rasmus Lerdorf | + | Jani Taskinen | + + */ + +/* $Id$ */ + +/* + * This product includes software developed by the Apache Group + * for use in the Apache HTTP server project (http://www.apache.org/). + * + */ + +#include +#include "php.h" +#include "php_open_temporary_file.h" +#include "zend_globals.h" +#include "php_globals.h" +#include "php_variables.h" +// #include "rfc1867.h" +#include "suhosin_rfc1867.h" +#include "php_suhosin7.h" +#include "ext/standard/php_string.h" +#include "ext/standard/php_smart_string.h" + +#if defined(PHP_WIN32) && !defined(HAVE_ATOLL) +# define atoll(s) _atoi64(s) +# define HAVE_ATOLL 1 +#endif + +#define DEBUG_FILE_UPLOAD ZEND_DEBUG + +static int dummy_encoding_translation(void) +{ + return 0; +} + +static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop); +static char *php_ap_getword_conf(const zend_encoding *encoding, char *str); + +static php_rfc1867_encoding_translation_t php_rfc1867_encoding_translation = dummy_encoding_translation; +static php_rfc1867_get_detect_order_t php_rfc1867_get_detect_order = NULL; +static php_rfc1867_set_input_encoding_t php_rfc1867_set_input_encoding = NULL; +static php_rfc1867_getword_t php_rfc1867_getword = php_ap_getword; +static php_rfc1867_getword_conf_t php_rfc1867_getword_conf = php_ap_getword_conf; +static php_rfc1867_basename_t php_rfc1867_basename = NULL; + +#define php_rfc1867_callback suhosin_rfc1867_filter +// PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL; + +static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection); + +/* The longest property name we use in an uploaded file array */ +#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]") + +/* The longest anonymous name */ +#define MAX_SIZE_ANONNAME 33 + +/* Errors */ +#define UPLOAD_ERROR_OK 0 /* File upload successful */ +#define UPLOAD_ERROR_A 1 /* Uploaded file exceeded upload_max_filesize */ +#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */ +#define UPLOAD_ERROR_C 3 /* Partially uploaded */ +#define UPLOAD_ERROR_D 4 /* No file uploaded */ +#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */ +#define UPLOAD_ERROR_F 7 /* Failed to write file to disk */ +#define UPLOAD_ERROR_X 8 /* File upload stopped by extension */ + +// void php_rfc1867_register_constants(void) /* {{{ */ +// { +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_OK", UPLOAD_ERROR_OK, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_INI_SIZE", UPLOAD_ERROR_A, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT); +// REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_EXTENSION", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT); +// } +/* }}} */ + +static void normalize_protected_variable(char *varname) /* {{{ */ +{ + char *s = varname, *index = NULL, *indexend = NULL, *p; + + /* overjump leading space */ + while (*s == ' ') { + s++; + } + + /* and remove it */ + if (s != varname) { + memmove(varname, s, strlen(s)+1); + } + + for (p = varname; *p && *p != '['; p++) { + switch(*p) { + case ' ': + case '.': + *p = '_'; + break; + } + } + + /* find index */ + index = strchr(varname, '['); + if (index) { + index++; + s = index; + } else { + return; + } + + /* done? */ + while (index) { + while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') { + index++; + } + indexend = strchr(index, ']'); + indexend = indexend ? indexend + 1 : index + strlen(index); + + if (s != index) { + memmove(s, index, strlen(index)+1); + s += indexend-index; + } else { + s = indexend; + } + + if (*s == '[') { + s++; + index = s; + } else { + index = NULL; + } + } + *s = '\0'; +} +/* }}} */ + +static void add_protected_variable(char *varname) /* {{{ */ +{ + normalize_protected_variable(varname); + zend_hash_str_add_empty_element(&PG(rfc1867_protected_variables), varname, strlen(varname)); +} +/* }}} */ + +static zend_bool is_protected_variable(char *varname) /* {{{ */ +{ + normalize_protected_variable(varname); + return zend_hash_str_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)); +} +/* }}} */ + +static void safe_php_register_variable(char *var, char *strval, size_t val_len, zval *track_vars_array, zend_bool override_protection) /* {{{ */ +{ + if (override_protection || !is_protected_variable(var)) { + php_register_variable_safe(var, strval, val_len, track_vars_array); + } +} +/* }}} */ + +static void safe_php_register_variable_ex(char *var, zval *val, zval *track_vars_array, zend_bool override_protection) /* {{{ */ +{ + if (override_protection || !is_protected_variable(var)) { + php_register_variable_ex(var, val, track_vars_array); + } +} +/* }}} */ + +static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection) /* {{{ */ +{ + safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection); +} +/* }}} */ + +static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection) /* {{{ */ +{ + safe_php_register_variable_ex(var, val, http_post_files, override_protection); +} +/* }}} */ + +static int unlink_filename(zval *el) /* {{{ */ +{ + zend_string *filename = Z_STR_P(el); + VCWD_UNLINK(ZSTR_VAL(filename)); + return 0; +} +/* }}} */ + + +static void free_filename(zval *el) { + zend_string *filename = Z_STR_P(el); + zend_string_release(filename); +} + +PHPAPI void destroy_uploaded_files_hash(void) /* {{{ */ +{ + zend_hash_apply(SG(rfc1867_uploaded_files), unlink_filename); + zend_hash_destroy(SG(rfc1867_uploaded_files)); + FREE_HASHTABLE(SG(rfc1867_uploaded_files)); +} +/* }}} */ + +/* {{{ Following code is based on apache_multipart_buffer.c from libapreq-0.33 package. */ + +#define FILLUNIT (1024 * 5) + +typedef struct { + + /* read buffer */ + char *buffer; + char *buf_begin; + int bufsize; + int bytes_in_buffer; + + /* boundary info */ + char *boundary; + char *boundary_next; + int boundary_next_len; + + const zend_encoding *input_encoding; + const zend_encoding **detect_order; + size_t detect_order_size; +} multipart_buffer; + +typedef struct { + char *key; + char *value; +} mime_header_entry; + +/* + * Fill up the buffer with client data. + * Returns number of bytes added to buffer. + */ +static int fill_buffer(multipart_buffer *self) +{ + int bytes_to_read, total_read = 0, actual_read = 0; + + /* shift the existing data if necessary */ + if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) { + memmove(self->buffer, self->buf_begin, self->bytes_in_buffer); + } + + self->buf_begin = self->buffer; + + /* calculate the free space in the buffer */ + bytes_to_read = self->bufsize - self->bytes_in_buffer; + + /* read the required number of bytes */ + while (bytes_to_read > 0) { + + char *buf = self->buffer + self->bytes_in_buffer; + + actual_read = (int)sapi_module.read_post(buf, bytes_to_read); + + /* update the buffer length */ + if (actual_read > 0) { + self->bytes_in_buffer += actual_read; + SG(read_post_bytes) += actual_read; + total_read += actual_read; + bytes_to_read -= actual_read; + } else { + break; + } + } + + return total_read; +} + +/* eof if we are out of bytes, or if we hit the final boundary */ +static int multipart_buffer_eof(multipart_buffer *self) +{ + if ( (self->bytes_in_buffer == 0 && fill_buffer(self) < 1) ) { + return 1; + } else { + return 0; + } +} + +/* create new multipart_buffer structure */ +static multipart_buffer *multipart_buffer_new(char *boundary, int boundary_len) +{ + multipart_buffer *self = (multipart_buffer *) ecalloc(1, sizeof(multipart_buffer)); + + int minsize = boundary_len + 6; + if (minsize < FILLUNIT) minsize = FILLUNIT; + + self->buffer = (char *) ecalloc(1, minsize + 1); + self->bufsize = minsize; + + spprintf(&self->boundary, 0, "--%s", boundary); + + self->boundary_next_len = (int)spprintf(&self->boundary_next, 0, "\n--%s", boundary); + + self->buf_begin = self->buffer; + self->bytes_in_buffer = 0; + + if (php_rfc1867_encoding_translation()) { + php_rfc1867_get_detect_order(&self->detect_order, &self->detect_order_size); + } else { + self->detect_order = NULL; + self->detect_order_size = 0; + } + + self->input_encoding = NULL; + + return self; +} + +/* + * Gets the next CRLF terminated line from the input buffer. + * If it doesn't find a CRLF, and the buffer isn't completely full, returns + * NULL; otherwise, returns the beginning of the null-terminated line, + * minus the CRLF. + * + * Note that we really just look for LF terminated lines. This works + * around a bug in internet explorer for the macintosh which sends mime + * boundaries that are only LF terminated when you use an image submit + * button in a multipart/form-data form. + */ +static char *next_line(multipart_buffer *self) +{ + /* look for LF in the data */ + char* line = self->buf_begin; + char* ptr = memchr(self->buf_begin, '\n', self->bytes_in_buffer); + + if (ptr) { /* LF found */ + + /* terminate the string, remove CRLF */ + if ((ptr - line) > 0 && *(ptr-1) == '\r') { + *(ptr-1) = 0; + } else { + *ptr = 0; + } + + /* bump the pointer */ + self->buf_begin = ptr + 1; + self->bytes_in_buffer -= (self->buf_begin - line); + + } else { /* no LF found */ + + /* buffer isn't completely full, fail */ + if (self->bytes_in_buffer < self->bufsize) { + return NULL; + } + /* return entire buffer as a partial line */ + line[self->bufsize] = 0; + self->buf_begin = ptr; + self->bytes_in_buffer = 0; + } + + return line; +} + +/* Returns the next CRLF terminated line from the client */ +static char *get_line(multipart_buffer *self) +{ + char* ptr = next_line(self); + + if (!ptr) { + fill_buffer(self); + ptr = next_line(self); + } + + return ptr; +} + +/* Free header entry */ +static void php_free_hdr_entry(mime_header_entry *h) +{ + if (h->key) { + efree(h->key); + } + if (h->value) { + efree(h->value); + } +} + +/* finds a boundary */ +static int find_boundary(multipart_buffer *self, char *boundary) +{ + char *line; + + /* loop thru lines */ + while( (line = get_line(self)) ) + { + /* finished if we found the boundary */ + if (!strcmp(line, boundary)) { + return 1; + } + } + + /* didn't find the boundary */ + return 0; +} + +/* parse headers */ +static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header) +{ + char *line; + mime_header_entry entry = {0}; + smart_string buf_value = {0}; + char *key = NULL; + size_t newlines = 0; + + /* didn't find boundary, abort */ + if (!find_boundary(self, self->boundary)) { + return 0; + } + + /* get lines of text, or CRLF_CRLF */ + + while ((line = get_line(self)) && line[0] != '\0') { + /* add header to table */ + char *value = NULL; + + if (php_rfc1867_encoding_translation()) { + self->input_encoding = zend_multibyte_encoding_detector((const unsigned char *) line, strlen(line), self->detect_order, self->detect_order_size); + } + + /* space in the beginning means same header */ + if (!isspace(line[0])) { + value = strchr(line, ':'); + } + + if (value) { + if (buf_value.c && key) { + /* new entry, add the old one to the list */ + smart_string_0(&buf_value); + entry.key = key; + entry.value = buf_value.c; + zend_llist_add_element(header, &entry); + buf_value.c = NULL; + key = NULL; + } + + *value = '\0'; + do { value++; } while (isspace(*value)); + + key = estrdup(line); + smart_string_appends(&buf_value, value); + newlines = 0; + } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ + newlines++; + if (newlines > SUHOSIN7_G(upload_max_newlines)) { + SUHOSIN7_G(abort_request) = 1; + suhosin_log(S_FILES, "configured maximum number of newlines in RFC1867 MIME headers limit exceeded - dropping rest of upload"); + return 0; + } + smart_string_appends(&buf_value, line); + + } else { + continue; + } + } + + if (buf_value.c && key) { + /* add the last one to the list */ + smart_string_0(&buf_value); + entry.key = key; + entry.value = buf_value.c; + zend_llist_add_element(header, &entry); + } + + return 1; +} + +static char *php_mime_get_hdr_value(zend_llist header, char *key) +{ + mime_header_entry *entry; + + if (key == NULL) { + return NULL; + } + + entry = zend_llist_get_first(&header); + while (entry) { + if (!strcasecmp(entry->key, key)) { + return entry->value; + } + entry = zend_llist_get_next(&header); + } + + return NULL; +} + +static char *php_ap_getword(const zend_encoding *encoding, char **line, char stop) +{ + char *pos = *line, quote; + char *res; + + while (*pos && *pos != stop) { + if ((quote = *pos) == '"' || quote == '\'') { + ++pos; + while (*pos && *pos != quote) { + if (*pos == '\\' && pos[1] && pos[1] == quote) { + pos += 2; + } else { + ++pos; + } + } + if (*pos) { + ++pos; + } + } else ++pos; + } + if (*pos == '\0') { + res = estrdup(*line); + *line += strlen(*line); + return res; + } + + res = estrndup(*line, pos - *line); + + while (*pos == stop) { + ++pos; + } + + *line = pos; + return res; +} + +static char *substring_conf(char *start, int len, char quote) +{ + char *result = emalloc(len + 1); + char *resp = result; + int i; + + for (i = 0; i < len && start[i] != quote; ++i) { + if (start[i] == '\\' && (start[i + 1] == '\\' || (quote && start[i + 1] == quote))) { + *resp++ = start[++i]; + } else { + *resp++ = start[i]; + } + } + + *resp = '\0'; + return result; +} + +static char *php_ap_getword_conf(const zend_encoding *encoding, char *str) +{ + while (*str && isspace(*str)) { + ++str; + } + + if (!*str) { + return estrdup(""); + } + + if (*str == '"' || *str == '\'') { + char quote = *str; + + str++; + return substring_conf(str, (int)strlen(str), quote); + } else { + char *strend = str; + + while (*strend && !isspace(*strend)) { + ++strend; + } + return substring_conf(str, strend - str, 0); + } +} + +static char *php_ap_basename(const zend_encoding *encoding, char *path) +{ + char *s = strrchr(path, '\\'); + char *s2 = strrchr(path, '/'); + + if (s && s2) { + if (s > s2) { + ++s; + } else { + s = ++s2; + } + return s; + } else if (s) { + return ++s; + } else if (s2) { + return ++s2; + } + return path; +} + +/* + * Search for a string in a fixed-length byte string. + * If partial is true, partial matches are allowed at the end of the buffer. + * Returns NULL if not found, or a pointer to the start of the first match. + */ +static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int needlen, int partial) +{ + int len = haystacklen; + char *ptr = haystack; + + /* iterate through first character matches */ + while( (ptr = memchr(ptr, needle[0], len)) ) { + + /* calculate length after match */ + len = haystacklen - (ptr - (char *)haystack); + + /* done if matches up to capacity of buffer */ + if (memcmp(needle, ptr, needlen < len ? needlen : len) == 0 && (partial || len >= needlen)) { + break; + } + + /* next character */ + ptr++; len--; + } + + return ptr; +} + +/* read until a boundary condition */ +static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) +{ + size_t len, max; + char *bound; + + /* fill buffer if needed */ + if (bytes > self->bytes_in_buffer) { + fill_buffer(self); + } + + /* look for a potential boundary match, only read data up to that point */ + if ((bound = php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 1))) { + max = bound - self->buf_begin; + if (end && php_ap_memstr(self->buf_begin, self->bytes_in_buffer, self->boundary_next, self->boundary_next_len, 0)) { + *end = 1; + } + } else { + max = self->bytes_in_buffer; + } + + /* maximum number of bytes we are reading */ + len = max < bytes-1 ? max : bytes-1; + + /* if we read any data... */ + if (len > 0) { + + /* copy the data */ + memcpy(buf, self->buf_begin, len); + buf[len] = 0; + + if (bound && len > 0 && buf[len-1] == '\r') { + buf[--len] = 0; + } + + /* update the buffer */ + self->bytes_in_buffer -= (int)len; + self->buf_begin += len; + } + + return (int)len; +} + +/* + XXX: this is horrible memory-usage-wise, but we only expect + to do this on small pieces of form data. +*/ +static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len) +{ + char buf[FILLUNIT], *out=NULL; + int total_bytes=0, read_bytes=0; + + while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) { + out = erealloc(out, total_bytes + read_bytes + 1); + memcpy(out + total_bytes, buf, read_bytes); + total_bytes += read_bytes; + } + + if (out) { + out[total_bytes] = '\0'; + } + *len = total_bytes; + + return out; +} +/* }}} */ + +/* + * The combined READER/HANDLER + * + */ + +SAPI_API SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler) /* {{{ */ +{ + char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; + char *lbuf = NULL, *abuf = NULL; + zend_string *temp_filename = NULL; + int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; + int64_t total_bytes = 0, max_file_size = 0; + int skip_upload = 0, anonindex = 0, is_anonymous; + HashTable *uploaded_files = NULL; + multipart_buffer *mbuff; + zval *array_ptr = (zval *) arg; + int fd = -1; + zend_llist header; + void *event_extra_data = NULL; + unsigned int llen = 0; + int upload_cnt = INI_INT("max_file_uploads"); + const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(); + php_rfc1867_getword_t getword; + php_rfc1867_getword_conf_t getword_conf; + php_rfc1867_basename_t _basename; + zend_long count = 0; + + if (php_rfc1867_encoding_translation() && internal_encoding) { + getword = php_rfc1867_getword; + getword_conf = php_rfc1867_getword_conf; + _basename = php_rfc1867_basename; + } else { + getword = php_ap_getword; + getword_conf = php_ap_getword_conf; + _basename = php_ap_basename; + } + + if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { + sapi_module.sapi_error(E_WARNING, "POST Content-Length of " ZEND_LONG_FMT " bytes exceeds the limit of " ZEND_LONG_FMT " bytes", SG(request_info).content_length, SG(post_max_size)); + return; + } + + /* Get the boundary */ + boundary = strstr(content_type_dup, "boundary"); + if (!boundary) { + int content_type_len = (int)strlen(content_type_dup); + char *content_type_lcase = estrndup(content_type_dup, content_type_len); + + php_strtolower(content_type_lcase, content_type_len); + boundary = strstr(content_type_lcase, "boundary"); + if (boundary) { + boundary = content_type_dup + (boundary - content_type_lcase); + } + efree(content_type_lcase); + } + + if (!boundary || !(boundary = strchr(boundary, '='))) { + sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data"); + return; + } + + boundary++; + boundary_len = (int)strlen(boundary); + + if (boundary[0] == '"') { + boundary++; + boundary_end = strchr(boundary, '"'); + if (!boundary_end) { + sapi_module.sapi_error(E_WARNING, "Invalid boundary in multipart/form-data POST data"); + return; + } + } else { + /* search for the end of the boundary */ + boundary_end = strpbrk(boundary, ",;"); + } + if (boundary_end) { + boundary_end[0] = '\0'; + boundary_len = boundary_end-boundary; + } + + /* Initialize the buffer */ + if (!(mbuff = multipart_buffer_new(boundary, boundary_len))) { + sapi_module.sapi_error(E_WARNING, "Unable to initialize the input buffer"); + return; + } + + /* Initialize $_FILES[] */ + zend_hash_init(&PG(rfc1867_protected_variables), 8, NULL, NULL, 0); + + ALLOC_HASHTABLE(uploaded_files); + zend_hash_init(uploaded_files, 8, NULL, free_filename, 0); + SG(rfc1867_uploaded_files) = uploaded_files; + + if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) != IS_ARRAY) { + /* php_auto_globals_create_files() might have already done that */ + array_init(&PG(http_globals)[TRACK_VARS_FILES]); + } + + zend_llist_init(&header, sizeof(mime_header_entry), (llist_dtor_func_t) php_free_hdr_entry, 0); + + if (php_rfc1867_callback != NULL) { + multipart_event_start event_start; + + event_start.content_length = SG(request_info).content_length; + if (php_rfc1867_callback(MULTIPART_EVENT_START, &event_start, &event_extra_data) == FAILURE) { + goto fileupload_done; + } + } + + while (!multipart_buffer_eof(mbuff)) + { + char buff[FILLUNIT]; + char *cd = NULL, *param = NULL, *filename = NULL, *tmp = NULL; + size_t blen = 0, wlen = 0; + zend_off_t offset; + + zend_llist_clean(&header); + + if (!multipart_buffer_headers(mbuff, &header)) { + goto fileupload_done; + } + + if ((cd = php_mime_get_hdr_value(header, "Content-Disposition"))) { + char *pair = NULL; + int end = 0; + + while (isspace(*cd)) { + ++cd; + } + + while (*cd && (pair = getword(mbuff->input_encoding, &cd, ';'))) + { + char *key = NULL, *word = pair; + + while (isspace(*cd)) { + ++cd; + } + + if (strchr(pair, '=')) { + key = getword(mbuff->input_encoding, &pair, '='); + + if (!strcasecmp(key, "name")) { + if (param) { + efree(param); + } + param = getword_conf(mbuff->input_encoding, pair); + if (mbuff->input_encoding && internal_encoding) { + unsigned char *new_param; + size_t new_param_len; + if ((size_t)-1 != zend_multibyte_encoding_converter(&new_param, &new_param_len, (unsigned char *)param, strlen(param), internal_encoding, mbuff->input_encoding)) { + efree(param); + param = (char *)new_param; + } + } + } else if (!strcasecmp(key, "filename")) { + if (filename) { + efree(filename); + } + filename = getword_conf(mbuff->input_encoding, pair); + if (mbuff->input_encoding && internal_encoding) { + unsigned char *new_filename; + size_t new_filename_len; + if ((size_t)-1 != zend_multibyte_encoding_converter(&new_filename, &new_filename_len, (unsigned char *)filename, strlen(filename), internal_encoding, mbuff->input_encoding)) { + efree(filename); + filename = (char *)new_filename; + } + } + } + } + if (key) { + efree(key); + } + efree(word); + } + + /* Normal form variable, safe to read all data into memory */ + if (!filename && param) { + size_t value_len; + char *value = multipart_buffer_read_body(mbuff, &value_len); + size_t new_val_len; /* Dummy variable */ + + if (!value) { + value = estrdup(""); + value_len = 0; + } + + if (mbuff->input_encoding && internal_encoding) { + unsigned char *new_value; + size_t new_value_len; + if ((size_t)-1 != zend_multibyte_encoding_converter(&new_value, &new_value_len, (unsigned char *)value, value_len, internal_encoding, mbuff->input_encoding)) { + efree(value); + value = (char *)new_value; + value_len = new_value_len; + } + } + + if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len)) { + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; + size_t newlength = new_val_len; + + event_formdata.post_bytes_processed = SG(read_post_bytes); + event_formdata.name = param; + event_formdata.value = &value; + event_formdata.length = new_val_len; + event_formdata.newlength = &newlength; + if (php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data) == FAILURE) { + efree(param); + efree(value); + continue; + } + new_val_len = newlength; + } + safe_php_register_variable(param, value, new_val_len, array_ptr, 0); + } else { + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; + + event_formdata.post_bytes_processed = SG(read_post_bytes); + event_formdata.name = param; + event_formdata.value = &value; + event_formdata.length = value_len; + event_formdata.newlength = NULL; + php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data); + } + } + + if (!strcasecmp(param, "MAX_FILE_SIZE")) { +#ifdef HAVE_ATOLL + max_file_size = atoll(value); +#else + max_file_size = strtoll(value, NULL, 10); +#endif + } + + efree(param); + efree(value); + continue; + } + + /* If file_uploads=off, skip the file part */ + if (!PG(file_uploads)) { + skip_upload = 1; + } else if (upload_cnt <= 0) { + skip_upload = 1; + sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); + } + + /* Return with an error if the posted data is garbled */ + if (!param && !filename) { + sapi_module.sapi_error(E_WARNING, "File Upload Mime headers garbled"); + goto fileupload_done; + } + + if (!param) { + is_anonymous = 1; + param = emalloc(MAX_SIZE_ANONNAME); + snprintf(param, MAX_SIZE_ANONNAME, "%u", anonindex++); + } else { + is_anonymous = 0; + } + + /* New Rule: never repair potential malicious user input */ + if (!skip_upload) { + long c = 0; + tmp = param; + + while (*tmp) { + if (*tmp == '[') { + c++; + } else if (*tmp == ']') { + c--; + if (tmp[1] && tmp[1] != '[') { + skip_upload = 1; + break; + } + } + if (c < 0) { + skip_upload = 1; + break; + } + tmp++; + } + /* Brackets should always be closed */ + if(c != 0) { + skip_upload = 1; + } + } + + total_bytes = cancel_upload = 0; + temp_filename = NULL; + fd = -1; + + if (!skip_upload && php_rfc1867_callback != NULL) { + multipart_event_file_start event_file_start; + + event_file_start.post_bytes_processed = SG(read_post_bytes); + event_file_start.name = param; + event_file_start.filename = &filename; + if (php_rfc1867_callback(MULTIPART_EVENT_FILE_START, &event_file_start, &event_extra_data) == FAILURE) { + temp_filename = NULL; + efree(param); + efree(filename); + continue; + } + } + + if (skip_upload) { + efree(param); + efree(filename); + continue; + } + + if (filename[0] == '\0') { +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "No file uploaded"); +#endif + cancel_upload = UPLOAD_ERROR_D; + } + + offset = 0; + end = 0; + + if (!cancel_upload) { + /* only bother to open temp file if we have data */ + blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end); +#if DEBUG_FILE_UPLOAD + if (blen > 0) { +#else + /* in non-debug mode we have no problem with 0-length files */ + { +#endif + fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1); + upload_cnt--; + if (fd == -1) { + sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); + cancel_upload = UPLOAD_ERROR_E; + } + } + } + + while (!cancel_upload && (blen > 0)) + { + if (php_rfc1867_callback != NULL) { + multipart_event_file_data event_file_data; + + event_file_data.post_bytes_processed = SG(read_post_bytes); + event_file_data.offset = offset; + event_file_data.data = buff; + event_file_data.length = blen; + event_file_data.newlength = &blen; + if (php_rfc1867_callback(MULTIPART_EVENT_FILE_DATA, &event_file_data, &event_extra_data) == FAILURE) { + cancel_upload = UPLOAD_ERROR_X; + continue; + } + } + + if (PG(upload_max_filesize) > 0 && (zend_long)(total_bytes+blen) > PG(upload_max_filesize)) { +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename); +#endif + cancel_upload = UPLOAD_ERROR_A; + } else if (max_file_size && ((zend_long)(total_bytes+blen) > max_file_size)) { +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of " ZEND_LONG_FMT " bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename); +#endif + cancel_upload = UPLOAD_ERROR_B; + } else if (blen > 0) { +#ifdef PHP_WIN32 + wlen = write(fd, buff, (unsigned int)blen); +#else + wlen = write(fd, buff, blen); +#endif + + if (wlen == -1) { + /* write failed */ +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "write() failed - %s", strerror(errno)); +#endif + cancel_upload = UPLOAD_ERROR_F; + } else if (wlen < blen) { +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "Only %d bytes were written, expected to write %d", wlen, blen); +#endif + cancel_upload = UPLOAD_ERROR_F; + } else { + total_bytes += wlen; + } + offset += wlen; + } + + /* read data for next iteration */ + blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end); + } + + if (fd != -1) { /* may not be initialized if file could not be created */ + close(fd); + } + + if (!cancel_upload && !end) { +#if DEBUG_FILE_UPLOAD + sapi_module.sapi_error(E_NOTICE, "Missing mime boundary at the end of the data for file %s", filename[0] != '\0' ? filename : ""); +#endif + cancel_upload = UPLOAD_ERROR_C; + } +#if DEBUG_FILE_UPLOAD + if (filename[0] != '\0' && total_bytes == 0 && !cancel_upload) { + sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename); + cancel_upload = 5; + } +#endif + if (php_rfc1867_callback != NULL) { + multipart_event_file_end event_file_end; + + event_file_end.post_bytes_processed = SG(read_post_bytes); + event_file_end.temp_filename = ZSTR_VAL(temp_filename); + event_file_end.cancel_upload = cancel_upload; + if (php_rfc1867_callback(MULTIPART_EVENT_FILE_END, &event_file_end, &event_extra_data) == FAILURE) { + cancel_upload = UPLOAD_ERROR_X; + } + } + + if (cancel_upload) { + if (temp_filename) { + if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */ + unlink(ZSTR_VAL(temp_filename)); + } + zend_string_release(temp_filename); + } + temp_filename = NULL; + } else { + zend_hash_add_ptr(SG(rfc1867_uploaded_files), temp_filename, temp_filename); + } + + /* is_arr_upload is true when name of file upload field + * ends in [.*] + * start_arr is set to point to 1st [ */ + is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); + + if (is_arr_upload) { + array_len = (int)strlen(start_arr); + if (array_index) { + efree(array_index); + } + array_index = estrndup(start_arr + 1, array_len - 2); + } + + /* Add $foo_name */ + if (llen < strlen(param) + MAX_SIZE_OF_INDEX + 1) { + llen = (int)strlen(param); + lbuf = (char *) safe_erealloc(lbuf, llen, 1, MAX_SIZE_OF_INDEX + 1); + llen += MAX_SIZE_OF_INDEX + 1; + } + + if (is_arr_upload) { + if (abuf) efree(abuf); + abuf = estrndup(param, strlen(param)-array_len); + snprintf(lbuf, llen, "%s_name[%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s_name", param); + } + + /* The \ check should technically be needed for win32 systems only where + * it is a valid path separator. However, IE in all it's wisdom always sends + * the full path of the file on the user's filesystem, which means that unless + * the user does basename() they get a bogus file name. Until IE's user base drops + * to nill or problem is fixed this code must remain enabled for all systems. */ + s = _basename(internal_encoding, filename); + if (!s) { + s = filename; + } + + if (!is_anonymous) { + safe_php_register_variable(lbuf, s, strlen(s), NULL, 0); + } + + /* Add $foo[name] */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s[name][%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s[name]", param); + } + register_http_post_files_variable(lbuf, s, &PG(http_globals)[TRACK_VARS_FILES], 0); + efree(filename); + s = NULL; + + /* Possible Content-Type: */ + if (cancel_upload || !(cd = php_mime_get_hdr_value(header, "Content-Type"))) { + cd = ""; + } else { + /* fix for Opera 6.01 */ + s = strchr(cd, ';'); + if (s != NULL) { + *s = '\0'; + } + } + + /* Add $foo_type */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s_type[%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s_type", param); + } + if (!is_anonymous) { + safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0); + } + + /* Add $foo[type] */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s[type][%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s[type]", param); + } + register_http_post_files_variable(lbuf, cd, &PG(http_globals)[TRACK_VARS_FILES], 0); + + /* Restore Content-Type Header */ + if (s != NULL) { + *s = ';'; + } + s = ""; + + { + /* store temp_filename as-is (in case upload_tmp_dir + * contains escapeable characters. escape only the variable name.) */ + zval zfilename; + + /* Initialize variables */ + add_protected_variable(param); + + /* if param is of form xxx[.*] this will cut it to xxx */ + if (!is_anonymous) { + if (temp_filename) { + ZVAL_STR_COPY(&zfilename, temp_filename); + } else { + ZVAL_EMPTY_STRING(&zfilename); + } + safe_php_register_variable_ex(param, &zfilename, NULL, 1); + } + + /* Add $foo[tmp_name] */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s[tmp_name][%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s[tmp_name]", param); + } + add_protected_variable(lbuf); + if (temp_filename) { + ZVAL_STR_COPY(&zfilename, temp_filename); + } else { + ZVAL_EMPTY_STRING(&zfilename); + } + register_http_post_files_variable_ex(lbuf, &zfilename, &PG(http_globals)[TRACK_VARS_FILES], 1); + } + + { + zval file_size, error_type; + int size_overflow = 0; + char file_size_buf[65]; + + ZVAL_LONG(&error_type, cancel_upload); + + /* Add $foo[error] */ + if (cancel_upload) { + ZVAL_LONG(&file_size, 0); + } else { + if (total_bytes > ZEND_LONG_MAX) { +#ifdef PHP_WIN32 + if (_i64toa_s(total_bytes, file_size_buf, 65, 10)) { + file_size_buf[0] = '0'; + file_size_buf[1] = '\0'; + } +#else + { + int __len = snprintf(file_size_buf, 65, "%lld", total_bytes); + file_size_buf[__len] = '\0'; + } +#endif + size_overflow = 1; + + } else { + ZVAL_LONG(&file_size, total_bytes); + } + } + + if (is_arr_upload) { + snprintf(lbuf, llen, "%s[error][%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s[error]", param); + } + register_http_post_files_variable_ex(lbuf, &error_type, &PG(http_globals)[TRACK_VARS_FILES], 0); + + /* Add $foo_size */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s_size[%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s_size", param); + } + if (!is_anonymous) { + if (size_overflow) { + ZVAL_STRING(&file_size, file_size_buf); + } + safe_php_register_variable_ex(lbuf, &file_size, NULL, size_overflow); + } + + /* Add $foo[size] */ + if (is_arr_upload) { + snprintf(lbuf, llen, "%s[size][%s]", abuf, array_index); + } else { + snprintf(lbuf, llen, "%s[size]", param); + } + if (size_overflow) { + ZVAL_STRING(&file_size, file_size_buf); + } + register_http_post_files_variable_ex(lbuf, &file_size, &PG(http_globals)[TRACK_VARS_FILES], size_overflow); + } + efree(param); + } + } + +fileupload_done: + if (php_rfc1867_callback != NULL) { + multipart_event_end event_end; + + event_end.post_bytes_processed = SG(read_post_bytes); + php_rfc1867_callback(MULTIPART_EVENT_END, &event_end, &event_extra_data); + } + + if (lbuf) efree(lbuf); + if (abuf) efree(abuf); + if (array_index) efree(array_index); + zend_hash_destroy(&PG(rfc1867_protected_variables)); + zend_llist_destroy(&header); + if (mbuff->boundary_next) efree(mbuff->boundary_next); + if (mbuff->boundary) efree(mbuff->boundary); + if (mbuff->buffer) efree(mbuff->buffer); + if (mbuff) efree(mbuff); +} +/* }}} */ + +// SAPI_API void php_rfc1867_set_multibyte_callbacks( +// php_rfc1867_encoding_translation_t encoding_translation, +// php_rfc1867_get_detect_order_t get_detect_order, +// php_rfc1867_set_input_encoding_t set_input_encoding, +// php_rfc1867_getword_t getword, +// php_rfc1867_getword_conf_t getword_conf, +// php_rfc1867_basename_t basename) /* {{{ */ +// { +// php_rfc1867_encoding_translation = encoding_translation; +// php_rfc1867_get_detect_order = get_detect_order; +// php_rfc1867_set_input_encoding = set_input_encoding; +// php_rfc1867_getword = getword; +// php_rfc1867_getword_conf = getword_conf; +// php_rfc1867_basename = basename; +// } +/* }}} */ + +/* + * Local variables: + * tab-width: 4 + * c-basic-offset: 4 + * End: + * vim600: sw=4 ts=4 fdm=marker + * vim<600: sw=4 ts=4 + */ diff --git a/suhosin7.c b/suhosin7.c index b91de37..2952629 100644 --- a/suhosin7.c +++ b/suhosin7.c @@ -356,15 +356,15 @@ PHP_INI_BEGIN() STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul) STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws) // - // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) - // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) - // STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf) - // STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary) - // STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary) + STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) + STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) + STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf) + STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary) + STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary) #ifdef SUHOSIN7_EXPERIMENTAL - // STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8) + STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8) #endif - // STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script) + STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script) // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error) @@ -526,6 +526,8 @@ PHP_MINIT_FUNCTION(suhosin7) suhosin_hook_session(); #endif + suhosin_hook_post_handlers(); + return SUCCESS; } /* }}} */ diff --git a/suhosin_rfc1867.h b/suhosin_rfc1867.h new file mode 100644 index 0000000..5d946b0 --- /dev/null +++ b/suhosin_rfc1867.h @@ -0,0 +1,91 @@ +/* + +----------------------------------------------------------------------+ + | Suhosin Version 1 | + +----------------------------------------------------------------------+ + | Copyright (c) 2006-2007 The Hardened-PHP Project | + | Copyright (c) 2007-2015 SektionEins GmbH | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Author: Stefan Esser | + +----------------------------------------------------------------------+ +*/ + +/* $Id: suhosin_rfc1867.h,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ */ + +#ifndef SUHOSIN_RFC1867_H +#define SUHOSIN_RFC1867_H + +#include "rfc1867.h" +#include "SAPI.h" + +// #define MULTIPART_CONTENT_TYPE "multipart/form-data" +// #ifdef MULTIPART_EVENT_START +// #define HAVE_RFC1867_CALLBACK 1 +// #else +// #define HAVE_RFC1867_CALLBACK 0 + +// #define MULTIPART_EVENT_START 0 +// #define MULTIPART_EVENT_FORMDATA 1 +// #define MULTIPART_EVENT_FILE_START 2 +// #define MULTIPART_EVENT_FILE_DATA 3 +// #define MULTIPART_EVENT_FILE_END 4 +// #define MULTIPART_EVENT_END 5 +// +// typedef struct _multipart_event_start { +// size_t content_length; +// } multipart_event_start; +// +// typedef struct _multipart_event_formdata { +// size_t post_bytes_processed; +// char *name; +// char **value; +// size_t length; +// size_t *newlength; +// } multipart_event_formdata; +// +// typedef struct _multipart_event_file_start { +// size_t post_bytes_processed; +// char *name; +// char **filename; +// } multipart_event_file_start; +// +// typedef struct _multipart_event_file_data { +// size_t post_bytes_processed; +// zend_off_t offset; +// char *data; +// size_t length; +// size_t *newlength; +// } multipart_event_file_data; +// +// typedef struct _multipart_event_file_end { +// size_t post_bytes_processed; +// char *temp_filename; +// int cancel_upload; +// } multipart_event_file_end; +// +// typedef struct _multipart_event_end { +// size_t post_bytes_processed; +// } multipart_event_end; +// +// +// #endif +// +int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra); + +SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_post_handler); + +// void destroy_uploaded_files_hash(TSRMLS_D); +// #if !HAVE_RFC1867_CALLBACK +// extern PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra); +// #else +extern PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra); +// #endif + +#endif /* SUHOSIN_RFC1867_H */ diff --git a/ufilter.c b/ufilter.c new file mode 100644 index 0000000..cb36a67 --- /dev/null +++ b/ufilter.c @@ -0,0 +1,425 @@ +/* + +----------------------------------------------------------------------+ + | Suhosin Version 1 | + +----------------------------------------------------------------------+ + | Copyright (c) 2006-2007 The Hardened-PHP Project | + | Copyright (c) 2007-2016 SektionEins GmbH | + +----------------------------------------------------------------------+ + | This source file is subject to version 3.01 of the PHP license, | + | that is bundled with this package in the file LICENSE, and is | + | available through the world-wide-web at the following url: | + | http://www.php.net/license/3_01.txt | + | If you did not receive a copy of the PHP license and are unable to | + | obtain it through the world-wide-web, please send a note to | + | license@php.net so we can mail you a copy immediately. | + +----------------------------------------------------------------------+ + | Authors: Stefan Esser | + | Ben Fuhrmannek | + +----------------------------------------------------------------------+ +*/ +/* + $Id: ufilter.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ +*/ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "php.h" +#include "php_ini.h" +#include "ext/standard/info.h" +#include "php_suhosin7.h" +#include "php_variables.h" +#include "suhosin_rfc1867.h" +#include "ext/standard/php_var.h" + +// #if !HAVE_RFC1867_CALLBACK +// PHP_SUHOSIN_API int (*php_rfc1867_callback)(unsigned int event, void *event_data, void **extra) = NULL; +// #endif +// + +/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC + */ +static int check_fileupload_varname(char *varname) +{ + char *index, *prev_index = NULL, *var; + unsigned int var_len, total_len, depth = 0; + + var = estrdup(varname); + + /* Normalize the variable name */ + suhosin_normalize_varname(var); + + /* Find length of variable name */ + index = strchr(var, '['); + total_len = strlen(var); + var_len = index ? index-var : total_len; + + /* Drop this variable if it exceeds the varname/total length limit */ + if (SUHOSIN7_G(max_varname_length) && SUHOSIN7_G(max_varname_length) < var_len) { + suhosin_log(S_FILES, "configured request variable name length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + if (SUHOSIN7_G(max_totalname_length) && SUHOSIN7_G(max_totalname_length) < total_len) { + suhosin_log(S_FILES, "configured request variable total name length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + if (SUHOSIN7_G(max_post_name_length) && SUHOSIN7_G(max_post_name_length) < var_len) { + suhosin_log(S_FILES, "configured POST variable name length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + if (SUHOSIN7_G(max_post_totalname_length) && SUHOSIN7_G(max_post_totalname_length) < var_len) { + suhosin_log(S_FILES, "configured POST variable total name length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + + /* Find out array depth */ + while (index) { + char *index_end; + unsigned int index_length; + + /* overjump '[' */ + index++; + + /* increase array depth */ + depth++; + + index_end = strchr(index, ']'); + if (index_end == NULL) { + index_end = index+strlen(index); + } + + index_length = index_end - index; + + if (SUHOSIN7_G(max_array_index_length) && SUHOSIN7_G(max_array_index_length) < index_length) { + suhosin_log(S_FILES, "configured request variable array index length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + if (SUHOSIN7_G(max_post_array_index_length) && SUHOSIN7_G(max_post_array_index_length) < index_length) { + suhosin_log(S_FILES, "configured POST variable array index length limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + + /* index whitelist/blacklist */ + if (SUHOSIN7_G(array_index_whitelist) && *(SUHOSIN7_G(array_index_whitelist))) { + if (suhosin_strnspn(index, index_length, SUHOSIN7_G(array_index_whitelist)) != index_length) { + suhosin_log(S_VARS, "array index contains not whitelisted characters - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + } else if (SUHOSIN7_G(array_index_blacklist) && *(SUHOSIN7_G(array_index_blacklist))) { + if (suhosin_strncspn(index, index_length, SUHOSIN7_G(array_index_blacklist)) != index_length) { + suhosin_log(S_VARS, "array index contains blacklisted characters - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + } + + + index = strchr(index, '['); + } + + /* Drop this variable if it exceeds the array depth limit */ + if (SUHOSIN7_G(max_array_depth) && SUHOSIN7_G(max_array_depth) < depth) { + suhosin_log(S_FILES, "configured request variable array depth limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + if (SUHOSIN7_G(max_post_array_depth) && SUHOSIN7_G(max_post_array_depth) < depth) { + suhosin_log(S_FILES, "configured POST variable array depth limit exceeded - dropped variable '%s'", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + + + /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */ + /* This is to protect several silly scripts that do globalizing themself */ + if (suhosin_is_protected_varname(var, var_len)) { + suhosin_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var); + if (!SUHOSIN7_G(simulation)) { + goto return_failure; + } + } + + efree(var); + return SUCCESS; + +return_failure: + efree(var); + return FAILURE; +} +/* }}} */ + +#ifdef SUHOSIN7_EXPERIMENTAL +static inline int suhosin_validate_utf8_multibyte(const char* cp, size_t maxlen) +{ + if (maxlen < 2 || !(*cp & 0x80)) { return 0; } + if ((*cp & 0xe0) == 0xc0 && // 1st byte is 110xxxxx + (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx + (*cp & 0x1e)) { // overlong check 110[xxxx]x 10xxxxxx + return 2; + } + if (maxlen < 3) { return 0; } + if ((*cp & 0xf0) == 0xe0 && // 1st byte is 1110xxxx + (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx + (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx + ((*cp & 0x0f) | (*(cp+1) & 0x20))) { // 1110[xxxx] 10[x]xxxxx 10xxxxxx + return 3; + } + if (maxlen < 4) { return 0; } + if ((*cp & 0xf8) == 0xf0 && // 1st byte is 11110xxx + (*(cp+1) & 0xc0) == 0x80 && // 2nd byte is 10xxxxxx + (*(cp+2) & 0xc0) == 0x80 && // 3rd byte is 10xxxxxx + (*(cp+3) & 0xc0) == 0x80 && // 4th byte is 10xxxxxx + ((*cp & 0x07) | (*(cp+1) & 0x30))) { // 11110[xxx] 10[xx]xxxx 10xxxxxx 10xxxxxx + return 4; + } + return 0; +} +#endif + +int suhosin_rfc1867_filter(unsigned int event, void *event_data, void **extra) +{ + int retval = SUCCESS; + + SDEBUG("rfc1867_filter %u", event); + + switch (event) { + case MULTIPART_EVENT_START: + case MULTIPART_EVENT_FORMDATA: + /* nothing todo */ + break; + + case MULTIPART_EVENT_FILE_START: + { + multipart_event_file_start *mefs = (multipart_event_file_start *) event_data; + + /* Drop if no more variables flag is set */ + if (SUHOSIN7_G(no_more_uploads)) { + goto continue_with_failure; + } + + /* Drop this fileupload if the limit is reached */ + if (SUHOSIN7_G(upload_limit) && SUHOSIN7_G(upload_limit) <= SUHOSIN7_G(num_uploads)) { + suhosin_log(S_FILES, "configured fileupload limit exceeded - file dropped"); + if (!SUHOSIN7_G(simulation)) { + SUHOSIN7_G(no_more_uploads) = 1; + goto continue_with_failure; + } + } + + if (check_fileupload_varname(mefs->name) == FAILURE) { + goto continue_with_failure; + } + } + + break; + + case MULTIPART_EVENT_FILE_DATA: + + if (SUHOSIN7_G(upload_disallow_elf)) { + multipart_event_file_data *mefd = (multipart_event_file_data *) event_data; + + if (mefd->offset == 0 && mefd->length > 10) { + if (mefd->data[0] == 0x7F && mefd->data[1] == 'E' && mefd->data[2] == 'L' && mefd->data[3] == 'F') { + suhosin_log(S_FILES, "uploaded file is an ELF executable - file dropped"); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } + } + } + } + + if (SUHOSIN7_G(upload_disallow_binary)) { + + multipart_event_file_data *mefd = (multipart_event_file_data *) event_data; + + char *cp, *cpend; + int n; + cpend = mefd->data + mefd->length; + for (cp = mefd->data; cp < cpend; cp++) { + if (*cp >= 32 || isspace(*cp)) { + continue; + } +#ifdef SUHOSIN7_EXPERIMENTAL + if ((*cp & 0x80) && SUHOSIN7_G(upload_allow_utf8)) { + SDEBUG("checking char %x", *cp); + if ((n = suhosin_validate_utf8_multibyte(cp, cpend-cp))) { // valid UTF8 multibyte character + cp += n - 1; + continue; + } + } +#endif + suhosin_log(S_FILES, "uploaded file contains binary data - file dropped"); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } + break; + } + } + + if (SUHOSIN7_G(upload_remove_binary)) { + + multipart_event_file_data *mefd = (multipart_event_file_data *) event_data; + size_t i, j; + int n; + + for (i=0, j=0; ilength; i++) { + if (mefd->data[i] >= 32 || isspace(mefd->data[i])) { + mefd->data[j++] = mefd->data[i]; + } +#ifdef SUHOSIN7_EXPERIMENTAL + else if (SUHOSIN7_G(upload_allow_utf8) && mefd->data[i] & 0x80) { + n = suhosin_validate_utf8_multibyte(mefd->data + i, mefd->length - i); + if (!n) { continue; } + while (n--) { + mefd->data[j++] = mefd->data[i++]; + } + i--; + } +#endif + } + mefd->data[j] = '\0'; + + SDEBUG("removing binary %zu %zu",i,j); + /* IMPORTANT FOR DAISY CHAINING */ + mefd->length = j; + if (mefd->newlength) { + *mefd->newlength = j; + } + } + + break; + + case MULTIPART_EVENT_FILE_END: + + if (SUHOSIN7_G(upload_verification_script)) { + multipart_event_file_end *mefe = (multipart_event_file_end *) event_data; + char cmd[8192]; + FILE *in; + int first=1; + struct stat st; + char *sname = SUHOSIN7_G(upload_verification_script); + + /* ignore files that will get deleted anyway */ + if (mefe->cancel_upload) { + break; + } + + /* ignore empty scriptnames */ + while (isspace(*sname)) ++sname; + if (*sname == 0) { + SUHOSIN7_G(num_uploads)++; + break; + } + + if (VCWD_STAT(sname, &st) < 0) { + suhosin_log(S_FILES, "unable to find fileupload verification script %s - file dropped", sname); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } else { + goto continue_with_next; + } + } + if (access(sname, X_OK|R_OK) < 0) { + suhosin_log(S_FILES, "fileupload verification script %s is not executable - file dropped", sname); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } else { + goto continue_with_next; + } + } + + ap_php_snprintf(cmd, sizeof(cmd), "%s %s 2>&1", sname, mefe->temp_filename); + + if ((in = VCWD_POPEN(cmd, "r")) == NULL) { + suhosin_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", sname); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } else { + goto continue_with_next; + } + } + + retval = FAILURE; + + /* read and forget the result */ + while (1) { + int readbytes = fread(cmd, 1, sizeof(cmd), in); + if (readbytes<=0) { + break; + } + if (first) { + if (strncmp(cmd, "sh: ", 4) == 0) { + /* assume this is an error */ + suhosin_log(S_FILES, "error while executing fileupload verification script %s - file dropped", sname); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } else { + goto continue_with_next; + } + } else { + retval = atoi(cmd) == 1 ? SUCCESS : FAILURE; + first = 0; + } + } + } + pclose(in); + } + + if (retval != SUCCESS) { + suhosin_log(S_FILES, "fileupload verification script disallows file - file dropped"); + if (!SUHOSIN7_G(simulation)) { + goto continue_with_failure; + } + } + + SUHOSIN7_G(num_uploads)++; + break; + + case MULTIPART_EVENT_END: + /* nothing todo */ + break; + + default: + /* unknown: return failure */ + goto continue_with_failure; + } +continue_with_next: +// #if HAVE_RFC1867_CALLBACK + if (php_rfc1867_callback != NULL) { + return php_rfc1867_callback(event, event_data, extra); + } +// #endif + return SUCCESS; +continue_with_failure: + SUHOSIN7_G(abort_request) = 1; + return FAILURE; +} + + + +/* + * Local variables: + * tab-width: 4 + * c-basic-offset: 4 + * End: + * vim600: sw=4 ts=4 fdm=marker + * vim<600: sw=4 ts=4 + */ -- cgit v1.3