From cb4150c0b3ef77631a62850e1449465f824a0f03 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Mon, 22 Feb 2016 18:59:55 +0100 Subject: ported disable display_errors --- php_suhosin7.h | 2 +- suhosin7.c | 65 ++++++++++++++++++++++++++++- tests/misc/disable_display_errors_fail.phpt | 27 ++++++++++++ tests/misc/disable_display_errors_off.phpt | 35 ++++++++++++++++ tests/misc/disable_display_errors_on.phpt | 32 ++++++++++++++ 5 files changed, 158 insertions(+), 3 deletions(-) create mode 100644 tests/misc/disable_display_errors_fail.phpt create mode 100644 tests/misc/disable_display_errors_off.phpt create mode 100644 tests/misc/disable_display_errors_on.phpt diff --git a/php_suhosin7.h b/php_suhosin7.h index 894452d..7cc2938 100644 --- a/php_suhosin7.h +++ b/php_suhosin7.h @@ -252,7 +252,7 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7) zend_bool server_encode; zend_bool server_strip; // - // zend_bool disable_display_errors; + zend_bool disable_display_errors; /* random number generator */ // php_uint32 r_state[625]; diff --git a/suhosin7.c b/suhosin7.c index c4a89ef..bfe349f 100644 --- a/suhosin7.c +++ b/suhosin7.c 
@@ -208,8 +208,42 @@ static ZEND_INI_MH(OnUpdateSuhosin_cookie_plainlist) return SUCCESS; } +static ZEND_INI_MH(OnUpdate_disable_display_errors) /* {{{ */ +{ + zend_bool *p, val; +#ifndef ZTS + char *base = (char *) mh_arg2; +#else + char *base; + + base = (char *) ts_resource(*((int *) mh_arg2)); +#endif + + p = (zend_bool *) (base+(size_t) mh_arg1); + + if (zend_string_equals_literal_ci(new_value, "on") || + zend_string_equals_literal_ci(new_value, "yes") || + zend_string_equals_literal_ci(new_value, "true")) { + *p = (zend_bool) 1; + } else if (zend_string_equals_literal_ci(new_value, "fail")) { + *p = (zend_bool) 2; + } + else { + *p = (zend_bool) zend_atoi(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); + } + + return SUCCESS; +} +/* }}} */ + +static ZEND_INI_MH(OnUpdate_fail) +{ + return FAILURE; +} + /* ------------------------------------------------------------------------ */ + #define DEF_LOG_UPDATER(fname, varname, inistr) static ZEND_INI_MH(fname) \ { \ LOG_PERDIR_CHECK() \ @@ -287,7 +321,7 @@ PHP_INI_BEGIN() // STD_S7_INI_BOOLEAN("suhosin.coredump", "0", PHP_INI_SYSTEM, OnUpdateBool, coredump) // STD_S7_INI_BOOLEAN("suhosin.stealth", "1", PHP_INI_SYSTEM, OnUpdateBool, stealth) // STD_S7_INI_BOOLEAN("suhosin.apc_bug_workaround", "0", PHP_INI_SYSTEM, OnUpdateBool, apc_bug_workaround) - // STD_S7_INI_BOOLEAN("suhosin.disable.display_errors", "0", PHP_INI_SYSTEM, OnUpdate_disable_display_errors, disable_display_errors) + STD_S7_INI_BOOLEAN("suhosin.disable.display_errors", "0", PHP_INI_SYSTEM, OnUpdate_disable_display_errors, disable_display_errors) // 
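Review bot: The fallback branch of `OnUpdate_disable_display_errors` casts the `int` from `zend_atoi()` straight to `zend_bool`, so the stored mode is whatever survives the narrowing rather than one of the three values the feature uses (0 off, 1 forced off, 2 forced off with later changes rejected). If `zend_bool` is the usual unsigned char, a setting such as `256` ends up as 0 and leaves the protection off without any log line, while any other number of 2 or more, or a negative one, selects fail mode through the `>= 2` test in MINIT. Normalising the value avoids that, e.g. `int v = zend_atoi(ZSTR_VAL(new_value), ZSTR_LEN(new_value));` followed by `*p = (zend_bool) (v >= 2 ? 2 : (v != 0));`. The local `val` is declared but never used, and `OnUpdate_fail` would benefit from a one-line comment such as `/* rejects every later change to display_errors (fail mode) */`.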
@@ -450,7 +484,34 @@ PHP_MINIT_FUNCTION(suhosin7) #endif // TODO: stealth loading - + + /* Force display_errors=off */ + if (SUHOSIN7_G(disable_display_errors)) { + zend_ini_entry *i; + zend_string *ini_name = zend_string_init(ZEND_STRL("display_errors"), 0); + zend_string *val0 = zend_string_init(ZEND_STRL("0"), 1); + if ((i = zend_hash_find_ptr(EG(ini_directives), ini_name))) { + if (i->on_modify) { + i->on_modify(i, val0, i->mh_arg1, i->mh_arg2, i->mh_arg3, ZEND_INI_STAGE_STARTUP); + // i->on_modify = NULL; + } + + SDEBUG("display_errors=%s", ZSTR_VAL(val0)); + if (SUHOSIN7_G(disable_display_errors) >= 2) { + i->modified = 0; + i->value = zend_string_copy(val0); + i->on_modify = OnUpdate_fail; + } else { + i->on_modify = NULL; + } + } else { + // no display_errors? + suhosin_log(S_INTERNAL, "suhosin cannot protect display_errors: option not found"); + } + zend_string_release(ini_name); + zend_string_release(val0); + } + // hooks // suhosin_hook_memory_limit(); suhosin_hook_treat_data(); diff --git a/tests/misc/disable_display_errors_fail.phpt b/tests/misc/disable_display_errors_fail.phpt new file mode 100644 index 0000000..56df441 --- /dev/null +++ b/tests/misc/disable_display_errors_fail.phpt @@ -0,0 +1,27 @@ +--TEST-- +Testing: suhosin.disable.display_errors=fail +--SKIPIF-- + +--INI-- +suhosin.log.sapi=0 +suhosin.log.stdout=255 +suhosin.log.script=0 +suhosin.log.syslog=0 +display_errors=1 +suhosin.disable.display_errors=fail +--FILE-- + +--EXPECTF-- +string(1) "0" +bool(false) +string(1) "0" +bool(false) +string(1) "0" diff --git a/tests/misc/disable_display_errors_off.phpt b/tests/misc/disable_display_errors_off.phpt new file mode 100644 index 0000000..3cacd96 --- /dev/null +++ b/tests/misc/disable_display_errors_off.phpt 
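Review bot: The result of `i->on_modify(i, val0, ...)` is discarded in the MINIT block, yet the handler is then replaced with `OnUpdate_fail` or `NULL` regardless, so if the original handler rejected the value, display_errors would keep its configured setting, could no longer be changed, and nothing would be logged. Checking it keeps the failure visible: `if (i->on_modify && i->on_modify(i, val0, i->mh_arg1, i->mh_arg2, i->mh_arg3, ZEND_INI_STAGE_STARTUP) != SUCCESS) { suhosin_log(S_INTERNAL, "suhosin cannot force display_errors=0"); }`. In the `>= 2` branch `i->value` is overwritten with `zend_string_copy(val0)` without releasing the string it held before, which looks like a small one-time leak; `zend_string_release(i->value);` before the assignment would cover it if the entry owns that string. The commented-out `// i->on_modify = NULL;` can go. The body of `PHP_MINIT_FUNCTION(suhosin7)` starts and ends outside this hunk.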
@@ -0,0 +1,35 @@ +--TEST-- +Testing: suhosin.disable.display_errors=Off +--SKIPIF-- + +--INI-- +suhosin.log.sapi=0 +suhosin.log.stdout=255 +suhosin.log.script=0 +suhosin.log.syslog=0 +display_errors=1 +suhosin.disable.display_errors=0 +--FILE-- + +--EXPECTF-- +Warning: ini_get() expects exactly 1 parameter, 0 given in %s on line 6 +string(1) "1" +string(1) "1" +string(1) "0" +string(1) "0" +string(1) "1" + +Warning: ini_get() expects exactly 1 parameter, 0 given in %s on line 13 diff --git a/tests/misc/disable_display_errors_on.phpt b/tests/misc/disable_display_errors_on.phpt new file mode 100644 index 0000000..e409d5f --- /dev/null +++ b/tests/misc/disable_display_errors_on.phpt @@ -0,0 +1,32 @@ +--TEST-- +Testing: suhosin.disable.display_errors=On +--SKIPIF-- + +--INI-- +suhosin.log.sapi=0 +suhosin.log.stdout=255 +suhosin.log.script=0 +suhosin.log.syslog=0 +display_errors=1 +suhosin.disable.display_errors=1 +--FILE-- + +--EXPECTF-- +string(1) "1" +string(1) "1" +string(1) "0" +string(1) "0" +string(1) "1" -- cgit v1.3