From d209a0a5962e62de134b56495349028e1fa97f76 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Fri, 29 Jan 2016 13:55:22 +0100 Subject: code cleanup for a fresh start --- README.md | 25 +++- ifilter.c | 319 +++++++++++++++++++++---------------------- memory_limit.c | 7 +- php_suhosin7.h | 200 ++++++++++++++++++++++++++- sha256.c | 4 +- suhosin7.c | 423 ++++++++++++++++++++++++++++++++++++++++++++++++++++----- treat_data.c | 9 +- 7 files changed, 773 insertions(+), 214 deletions(-) diff --git a/README.md b/README.md index 7efedf8..7bc8475 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,27 @@ # suhosin7 -WARNING THIS IS ONLY A PARTIAL PORT AND THEREFORE HORRIBLY BROKEN +WARNING: THIS IS ONLY A PARTIAL PORT AND THEREFORE HORRIBLY BROKEN DO NOT ATTEMPT TO RUN... EVEN ON A TEST SYSTEM + +PHP7 is different from PHP5 under the hood, that features will be added and tested one by one. + + +## Reporting issues +The issue tracker will be available once Suhosin7 can actually be compiled. + +When reporting bugs, please include as much information needed to reproduce the bug +* PHP version +* Suhosin version / GIT revision / ... +* Installed from OS package manager? +* Operating System +* Description +* Proof of Concept, e.g. PHP code +* How to trigger the bug, e.g. PHP command line or Apache configuration +* List of loaded PHP extensions, if problem is related to interaction with other extensions + +When reporting feature requests, please consider writing a patch yourself and provide a pull request. + +## FAQ + +nothing yet. + diff --git a/ifilter.c b/ifilter.c index 7160f10..b49e61e 100644 --- a/ifilter.c +++ b/ifilter.c @@ -31,8 +31,7 @@ #include "php_variables.h" #include "ext/standard/php_var.h" - -static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL; +static void (*orig_register_server_variables)(zval *track_vars_array) = NULL; #if !HAVE_STRNLEN static size_t strnlen(const char *s, size_t maxlen) { 
@@ -148,20 +147,21 @@ static const char suhosin_is_dangerous_char[256] = { */ static void suhosin_server_strip(HashTable *arr, char *key, int klen) { - zval **tzval; - unsigned char *s, *t; + zval *zv; + unsigned char *t; - if (zend_hash_find(arr, key, klen, (void **) &tzval) == SUCCESS && - Z_TYPE_PP(tzval) == IS_STRING) { + if ((zv = zend_hash_str_find(arr, key, klen)) == NULL || + Z_TYPE_P(zv) != IS_STRING) { + return; + } - s = t = (unsigned char *)Z_STRVAL_PP(tzval); - for (; *t; t++) { - if (suhosin_is_dangerous_char[*t]) { - *t = '?'; - } + t = (unsigned char *)Z_STRVAL_P(zv); + for (; *t; t++) { + if (suhosin_is_dangerous_char[*t]) { + *t = '?'; } - Z_STRLEN_PP(tzval) = t-s; } + zend_string_forget_hash_val(Z_STR_P(zv)); } /* }}} */ 
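Review bot: The loop writes through `Z_STRVAL_P(zv)` without separating the string first, so an interned or shared (refcount > 1) zend_string is rewritten for every holder, not just for this $_SERVER entry; in PHP 7 the string payload is the shared object, unlike the PHP 5 zval it replaces. Install a private copy before stripping, `zend_string *copy = zend_string_init(Z_STRVAL_P(zv), Z_STRLEN_P(zv), 0); zval_ptr_dtor(zv); ZVAL_NEW_STR(zv, copy);`, and run the loop over `ZSTR_VAL(copy)`; a fresh string has no cached hash, so the trailing `zend_string_forget_hash_val` becomes unnecessary. The `int klen` parameter now receives `ZEND_STRL(...)` values from the call sites, which are `size_t`; declaring it `size_t klen` avoids the implicit narrowing and matches `zend_hash_str_find`.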
@@ -169,43 +169,43 @@ static void suhosin_server_strip(HashTable *arr, char *key, int klen) */ static void suhosin_server_encode(HashTable *arr, char *key, int klen) { - zval **tzval; - unsigned char *temp = NULL, *t, *newv, *n; + zval *zv; int extra = 0; - if (zend_hash_find(arr, key, klen, (void **) &tzval) == SUCCESS && - Z_TYPE_PP(tzval) == IS_STRING) { - - temp = (unsigned char *)Z_STRVAL_PP(tzval); - - for (t = temp; *t; t++) { - if (suhosin_is_dangerous_char[*t]) { - extra += 2; - } - } + if ((zv = zend_hash_str_find(arr, key, klen)) == NULL || + Z_TYPE_P(zv) != IS_STRING) { + return; + } - /* no extra bytes required */ - if (extra == 0) { - return; + unsigned char *orig = (unsigned char *)Z_STRVAL_P(zv); + unsigned char *t; + for (t = orig; *t; t++) { + if (suhosin_is_dangerous_char[*t]) { + extra += 2; } - - n = newv = emalloc(t - temp + 1 + extra); - t = temp; - for (t = temp; *t; t++, n++) { - if (suhosin_is_dangerous_char[*t]) { - *n++ = '%'; - *n++ = suhosin_hexchars[*t >> 4]; - *n = suhosin_hexchars[*t & 15]; - } else { - *n = *t; - } + } + + /* no extra bytes required */ + if (extra == 0) { + return; + } + + size_t dest_len = t - orig + 1 + extra; + unsigned char dest[dest_len]; + unsigned char *n = dest; + for (t = orig; *t; t++, n++) { + if (suhosin_is_dangerous_char[*t]) { + *n++ = '%'; + *n++ = suhosin_hexchars[*t >> 4]; + *n = suhosin_hexchars[*t & 15]; + } else { + *n = *t; } - *n = 0; - - /* XXX: we leak memory here, but only for the duration of the request */ - Z_STRVAL_PP(tzval) = (char *)newv; - Z_STRLEN_PP(tzval) = n-newv; } + *n = 0; + + zend_string *zs = zend_string_extend(Z_STR_P(zv), dest_len, 0); + memcpy(Z_STR_P(zv), dest, dest_len); } /* }}} */ 
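Review bot: The final `memcpy(Z_STR_P(zv), dest, dest_len)` copies the encoded bytes over the start of the zend_string struct (refcount, hash) instead of into `ZSTR_VAL`, and the pointer returned by `zend_string_extend` into `zs` is discarded, so when the extend reallocates, `Z_STR_P(zv)` points at freed memory and the zval length is never set; `dest_len` also includes the terminator, one more than the length a zend_string stores. Separately, `unsigned char dest[dest_len]` is a VLA sized by the REQUEST_URI/QUERY_STRING value (up to three times its length), i.e. client-controlled data deciding how much stack the server thread uses. Both go away if the encoded copy is built directly in a heap-allocated zend_string and installed on the zval, as below; `zval_ptr_dtor` handles the old value whether it is shared or interned.
```c
	/* no extra bytes required */
	if (extra == 0) {
		return;
	}

	/* Encode into a fresh heap string: the source is request data,
	 * so its length must not size a stack buffer. */
	size_t new_len = (size_t)(t - orig) + extra;
	zend_string *zs = zend_string_alloc(new_len, 0);
	unsigned char *n = (unsigned char *)ZSTR_VAL(zs);
	for (t = orig; *t; t++, n++) {
		if (suhosin_is_dangerous_char[*t]) {
			*n++ = '%';
			*n++ = suhosin_hexchars[*t >> 4];
			*n = suhosin_hexchars[*t & 15];
		} else {
			*n = *t;
		}
	}
	*n = 0;

	/* release the previous value and install the encoded copy */
	zval_ptr_dtor(zv);
	ZVAL_NEW_STR(zv, zs);
```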
@@ -220,31 +220,31 @@ void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC) svars = Z_ARRVAL_P(track_vars_array); if (!SUHOSIN_G(simulation)) { - retval = zend_hash_del(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_GET_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_POST_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_COOKIE_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_ENV_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_SERVER_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_SESSION_VARS")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_POST_FILES")); if (retval == SUCCESS) failure = 1; - retval = zend_hash_del(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")); + retval = zend_hash_str_del(svars, ZEND_STRL("HTTP_RAW_POST_DATA")); if (retval == SUCCESS) failure = 1; } else { - retval = zend_hash_exists(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")); - retval+= zend_hash_exists(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")); - retval+= zend_hash_exists(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS")); - retval+= zend_hash_exists(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS")); - retval+= zend_hash_exists(svars, 
"HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS")); - retval+= zend_hash_exists(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); - retval+= zend_hash_exists(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")); - retval+= zend_hash_exists(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")); + retval = zend_hash_str_exists(svars, ZEND_STRL("HTTP_GET_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_POST_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_COOKIE_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_ENV_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_SERVER_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_SESSION_VARS")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_POST_FILES")); + retval+= zend_hash_str_exists(svars, ZEND_STRL("HTTP_RAW_POST_DATA")); if (retval > 0) failure = 1; } 
@@ -253,40 +253,39 @@ void suhosin_register_server_variables(zval *track_vars_array TSRMLS_DC) } if (SUHOSIN_G(raw_cookie)) { - zval *z; - MAKE_STD_ZVAL(z); - ZVAL_STRING(z, SUHOSIN_G(raw_cookie), 1); - zend_hash_add(svars, "RAW_HTTP_COOKIE", sizeof("RAW_HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL); + zval z; + ZVAL_STRING(&z, SUHOSIN_G(raw_cookie)); + zend_hash_str_add(svars, "RAW_HTTP_COOKIE", sizeof("RAW_HTTP_COOKIE")-1, &z); } if (SUHOSIN_G(decrypted_cookie)) { - zval *z; - MAKE_STD_ZVAL(z); - ZVAL_STRING(z, SUHOSIN_G(decrypted_cookie), 0); - zend_hash_update(svars, "HTTP_COOKIE", sizeof("HTTP_COOKIE"), (void **)&z, sizeof(zval *), NULL); + zval z; + ZVAL_STRING(&z, SUHOSIN_G(decrypted_cookie)); + zend_hash_str_update(svars, "HTTP_COOKIE", sizeof("HTTP_COOKIE")-1, &z); SUHOSIN_G(decrypted_cookie) = NULL; } if (SUHOSIN_G(server_encode)) { - /* suhosin_server_encode(svars, "argv", sizeof("argv")); */ - suhosin_server_encode(svars, "REQUEST_URI", sizeof("REQUEST_URI")); - suhosin_server_encode(svars, "QUERY_STRING", sizeof("QUERY_STRING")); + /* suhosin_server_encode(svars, ZEND_STRL("argv")); */ + suhosin_server_encode(svars, ZEND_STRL("REQUEST_URI")); + suhosin_server_encode(svars, ZEND_STRL("QUERY_STRING")); } if (SUHOSIN_G(server_strip)) { - suhosin_server_strip(svars, "PHP_SELF", sizeof("PHP_SELF")); - suhosin_server_strip(svars, "PATH_INFO", sizeof("PATH_INFO")); - suhosin_server_strip(svars, "PATH_TRANSLATED", sizeof("PATH_TRANSLATED")); - suhosin_server_strip(svars, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT")); + suhosin_server_strip(svars, ZEND_STRL("PHP_SELF")); + suhosin_server_strip(svars, ZEND_STRL("PATH_INFO")); + suhosin_server_strip(svars, ZEND_STRL("PATH_TRANSLATED")); + suhosin_server_strip(svars, ZEND_STRL("HTTP_USER_AGENT")); } } /* }}} */ /* Old Input filter */ -unsigned int (*old_input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC) = NULL; +// unsigned int (*old_input_filter)(int arg, 
char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC) = NULL; +unsigned int (*old_input_filter)(int arg, char *var, char **val, size_t val_len, size_t *new_val_len); /* {{{ suhosin_input_filter_wrapper */ -unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC) +unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, size_t val_len, size_t *new_val_len) { zend_bool already_scanned = SUHOSIN_G(already_scanned); SUHOSIN_G(already_scanned) = 0; @@ -295,11 +294,11 @@ unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, unsign if (new_val_len) { *new_val_len = val_len; } - return 1; + return 1; } if (!already_scanned) { - if (suhosin_input_filter(arg, var, val, val_len, new_val_len TSRMLS_CC)==0) { + if (suhosin_input_filter(arg, var, val, val_len, new_val_len)==0) { SUHOSIN_G(abort_request)=1; return 0; } @@ -308,7 +307,7 @@ unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, unsign } } if (old_input_filter) { - return old_input_filter(arg, var, val, val_len, new_val_len TSRMLS_CC); + return old_input_filter(arg, var, val, val_len, new_val_len); } else { return 1; } @@ -316,7 +315,7 @@ unsigned int suhosin_input_filter_wrapper(int arg, char *var, char **val, unsign /* {{{ suhosin_input_filter */ -unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC) +unsigned int suhosin_input_filter(int arg, char *var, char **val, size_t val_len, size_t *new_val_len) { char *index, *prev_index = NULL; unsigned int var_len, total_len, depth = 0; 
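Review bot: `ZVAL_STRING(&z, SUHOSIN_G(decrypted_cookie))` now copies the buffer (the PHP 7 macro has no dup flag), but the next line only clears the pointer, so the allocation that `decrypted_cookie` owned is never released; the PHP 5 form `ZVAL_STRING(z, ..., 0)` handed that buffer to the zval. Free it after the copy, e.g. `efree(SUHOSIN_G(decrypted_cookie));` before `SUHOSIN_G(decrypted_cookie) = NULL;`, on the assumption that the decryption path emalloc'd it, which is not visible here. The results of `zend_hash_str_add` and `zend_hash_str_update` are ignored; if the add fails because `RAW_HTTP_COOKIE` already exists, the string just allocated into `z` leaks. The two calls also spell their key lengths as `sizeof(...)-1` while the rest of the hunk uses `ZEND_STRL`.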
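Review bot: The new `suhosin_input_filter` signature widens `val_len` and `new_val_len` to `size_t`, but the context line directly below still declares `unsigned int var_len, total_len, depth = 0;`, so the name and total lengths the body derives are narrower than the value length they are combined with and compared against the same `SUHOSIN_G(max_*_length)` limits. Declaring the two length locals as `size_t var_len, total_len;` keeps the arithmetic in one type. The function body continues well past this hunk, so the uses of these locals cannot be checked here.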
@@ -329,61 +328,61 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } /* Drop this variable if the limit was reached */ - switch (arg) { - case PARSE_GET: - SUHOSIN_G(att_get_vars)++; - SUHOSIN_G(att_request_variables)++; - if (SUHOSIN_G(no_more_get_variables)) { - return 0; - } - break; - case PARSE_POST: - SUHOSIN_G(att_post_vars)++; - SUHOSIN_G(att_request_variables)++; - if (SUHOSIN_G(no_more_post_variables)) { - return 0; - } - break; - case PARSE_COOKIE: - SUHOSIN_G(att_cookie_vars)++; - SUHOSIN_G(att_request_variables)++; - if (SUHOSIN_G(no_more_cookie_variables)) { - return 0; - } - break; - default: /* we do not want to protect parse_str() and friends */ - if (new_val_len) { - *new_val_len = val_len; - } - return 1; - } - - /* Drop this variable if the limit is now reached */ switch (arg) { - case PARSE_GET: + case PARSE_GET: + SUHOSIN_G(att_get_vars)++; + SUHOSIN_G(att_request_variables)++; + if (SUHOSIN_G(no_more_get_variables)) { + return 0; + } + break; + case PARSE_POST: + SUHOSIN_G(att_post_vars)++; + SUHOSIN_G(att_request_variables)++; + if (SUHOSIN_G(no_more_post_variables)) { + return 0; + } + break; + case PARSE_COOKIE: + SUHOSIN_G(att_cookie_vars)++; + SUHOSIN_G(att_request_variables)++; + if (SUHOSIN_G(no_more_cookie_variables)) { + return 0; + } + break; + default: /* we do not want to protect parse_str() and friends */ + if (new_val_len) { + *new_val_len = val_len; + } + return 1; + } + + /* Drop this variable if the limit is now reached */ + switch (arg) { + case PARSE_GET: if (SUHOSIN_G(max_get_vars) && SUHOSIN_G(max_get_vars) <= SUHOSIN_G(cur_get_vars)) { suhosin_log(S_VARS, "configured GET variable limit exceeded - dropped variable '%s' - all further GET variables are dropped", var); if (!SUHOSIN_G(simulation)) { - SUHOSIN_G(no_more_get_variables) = 1; + SUHOSIN_G(no_more_get_variables) = 1; return 0; } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(max_cookie_vars) && 
SUHOSIN_G(max_cookie_vars) <= SUHOSIN_G(cur_cookie_vars)) { suhosin_log(S_VARS, "configured COOKIE variable limit exceeded - dropped variable '%s' - all further COOKIE variables are dropped", var); if (!SUHOSIN_G(simulation)) { - SUHOSIN_G(no_more_cookie_variables) = 1; + SUHOSIN_G(no_more_cookie_variables) = 1; return 0; } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(max_post_vars) && SUHOSIN_G(max_post_vars) <= SUHOSIN_G(cur_post_vars)) { suhosin_log(S_VARS, "configured POST variable limit exceeded - dropped variable '%s' - all further POST variables are dropped", var); if (!SUHOSIN_G(simulation)) { - SUHOSIN_G(no_more_post_variables) = 1; - return 0; + SUHOSIN_G(no_more_post_variables) = 1; + return 0; } } break; 
@@ -398,30 +397,30 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: - if (SUHOSIN_G(disallow_get_ws)) { - suhosin_log(S_VARS, "GET variable name begins with disallowed whitespace - dropped variable '%s'", var); - if (!SUHOSIN_G(simulation)) { - return 0; - } - } - break; - case PARSE_POST: - if (SUHOSIN_G(disallow_post_ws)) { - suhosin_log(S_VARS, "POST variable name begins with disallowed whitespace - dropped variable '%s'", var); - if (!SUHOSIN_G(simulation)) { - return 0; - } - } - break; - case PARSE_COOKIE: - if (SUHOSIN_G(disallow_cookie_ws)) { - suhosin_log(S_VARS, "COOKIE variable name begins with disallowed whitespace - dropped variable '%s'", var); - if (!SUHOSIN_G(simulation)) { - return 0; - } - } - break; + case PARSE_GET: + if (SUHOSIN_G(disallow_get_ws)) { + suhosin_log(S_VARS, "GET variable name begins with disallowed whitespace - dropped variable '%s'", var); + if (!SUHOSIN_G(simulation)) { + return 0; + } + } + break; + case PARSE_POST: + if (SUHOSIN_G(disallow_post_ws)) { + suhosin_log(S_VARS, "POST variable name begins with disallowed whitespace - dropped variable '%s'", var); + if (!SUHOSIN_G(simulation)) { + return 0; + } + } + break; + case PARSE_COOKIE: + if (SUHOSIN_G(disallow_cookie_ws)) { + suhosin_log(S_VARS, "COOKIE variable name begins with disallowed whitespace - dropped variable '%s'", var); + if (!SUHOSIN_G(simulation)) { + return 0; + } + } + break; } } @@ -433,7 +432,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: + case PARSE_GET: if (SUHOSIN_G(max_get_value_length) && SUHOSIN_G(max_get_value_length) < val_len) { suhosin_log(S_VARS, "configured GET variable value length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { 
@@ -441,7 +440,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(max_cookie_value_length) && SUHOSIN_G(max_cookie_value_length) < val_len) { suhosin_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -449,7 +448,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(max_post_value_length) && SUHOSIN_G(max_post_value_length) < val_len) { suhosin_log(S_VARS, "configured POST variable value length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -481,7 +480,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: + case PARSE_GET: if (SUHOSIN_G(max_get_name_length) && SUHOSIN_G(max_get_name_length) < var_len) { suhosin_log(S_VARS, "configured GET variable name length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -495,7 +494,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(max_cookie_name_length) && SUHOSIN_G(max_cookie_name_length) < var_len) { suhosin_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -509,7 +508,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(max_post_name_length) && SUHOSIN_G(max_post_name_length) < var_len) { suhosin_log(S_VARS, "configured POST variable name length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { 
@@ -551,7 +550,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: + case PARSE_GET: if (SUHOSIN_G(max_get_array_index_length) && SUHOSIN_G(max_get_array_index_length) < index_length) { suhosin_log(S_VARS, "configured GET variable array index length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -559,7 +558,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(max_cookie_array_index_length) && SUHOSIN_G(max_cookie_array_index_length) < index_length) { suhosin_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -567,7 +566,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(max_post_array_index_length) && SUHOSIN_G(max_post_array_index_length) < index_length) { suhosin_log(S_VARS, "configured POST variable array index length limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -605,7 +604,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: + case PARSE_GET: if (SUHOSIN_G(max_get_array_depth) && SUHOSIN_G(max_get_array_depth) < depth) { suhosin_log(S_VARS, "configured GET variable array depth limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -613,7 +612,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(max_cookie_array_depth) && SUHOSIN_G(max_cookie_array_depth) < depth) { suhosin_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { 
@@ -621,7 +620,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(max_post_array_depth) && SUHOSIN_G(max_post_array_depth) < depth) { suhosin_log(S_VARS, "configured POST variable array depth limit exceeded - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -642,7 +641,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } switch (arg) { - case PARSE_GET: + case PARSE_GET: if (SUHOSIN_G(disallow_get_nul)) { suhosin_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -650,7 +649,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_COOKIE: + case PARSE_COOKIE: if (SUHOSIN_G(disallow_cookie_nul)) { suhosin_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -658,7 +657,7 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v } } break; - case PARSE_POST: + case PARSE_POST: if (SUHOSIN_G(disallow_post_nul)) { suhosin_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped variable '%s'", var); if (!SUHOSIN_G(simulation)) { @@ -681,13 +680,13 @@ unsigned int suhosin_input_filter(int arg, char *var, char **val, unsigned int v /* Okay let PHP register this variable */ SUHOSIN_G(cur_request_variables)++; switch (arg) { - case PARSE_GET: + case PARSE_GET: SUHOSIN_G(cur_get_vars)++; break; - case PARSE_COOKIE: + case PARSE_COOKIE: SUHOSIN_G(cur_cookie_vars)++; break; - case PARSE_POST: + case PARSE_POST: SUHOSIN_G(cur_post_vars)++; break; } @@ -722,5 +721,3 @@ void suhosin_hook_register_server_variables() * vim600: noet sw=4 ts=4 fdm=marker * vim<600: noet sw=4 ts=4 */ - - diff --git a/memory_limit.c b/memory_limit.c index fa1683e..5b8b438 100644 --- a/memory_limit.c 
+++ b/memory_limit.c @@ -3,7 +3,7 @@ | Suhosin Version 1 | +----------------------------------------------------------------------+ | Copyright (c) 2006-2007 The Hardened-PHP Project | - | Copyright (c) 2007-2015 SektionEins GmbH | + | Copyright (c) 2007-2016 SektionEins GmbH | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -13,7 +13,7 @@ | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ - | Author: Stefan Esser | + | Author: Stefan Esser and others | +----------------------------------------------------------------------+ */ /* @@ -79,7 +79,7 @@ void suhosin_hook_memory_limit() zend_ini_entry *ini_entry; /* check if we are compiled against memory_limit */ - if ((ini_entry=zend_hash_str_find_ptr(EG(ini_directives), "memory_limit", sizeof("memory_limit")-1))) { + if ((ini_entry=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("memory_limit")))) { /* replace OnUpdateMemoryLimit handler */ ini_entry->on_modify = suhosin_OnChangeMemoryLimit; } @@ -95,4 +95,3 @@ void suhosin_hook_memory_limit() * vim600: noet sw=4 ts=4 fdm=marker * vim<600: noet sw=4 ts=4 */ - diff --git a/php_suhosin7.h b/php_suhosin7.h index 805701e..b12e49c 100644 --- a/php_suhosin7.h +++ b/php_suhosin7.h @@ -24,7 +24,11 @@ extern zend_module_entry suhosin7_module_entry; #define phpext_suhosin7_ptr &suhosin7_module_entry -#define SUHOSIN7_EXT_VERSION "0.10.0" +#define SUHOSIN7_EXT_VERSION "0.10.0dev" + +#if PHP_VERSION_ID < 70000 | PHP_VERSION_ID >= 70100 +#error Suhosin7 works with PHP 7.0 only! Looking for Suhosin for PHP 5.x? Take a look at https://www.suhosin.org/ +#endif #ifdef PHP_WIN32 # define PHP_SUHOSIN7_API __declspec(dllexport) 
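Review bot: The version guard `#if PHP_VERSION_ID < 70000 | PHP_VERSION_ID >= 70100` uses bitwise `|` where logical `||` is meant; the two comparisons each yield 0 or 1 so the result happens to be correct, but the intent is obscured and a later edit that adds a non-boolean term would silently break it. Write it as `#if PHP_VERSION_ID < 70000 || PHP_VERSION_ID >= 70100`.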
@@ -38,17 +42,115 @@ extern zend_module_entry suhosin7_module_entry; #include "TSRM.h" #endif +/* -------------- */ + +#define SUHOSIN_LOG "/tmp/suhosin_log.txt" + +#ifdef PHP_WIN32 +#define SDEBUG +#else + +#ifdef SUHOSIN_DEBUG +#define SDEBUG(msg...) \ + {FILE *f;f=fopen(SUHOSIN_LOG, "a+");if(f){fprintf(f,"[%u] ",getpid());fprintf(f, msg);fprintf(f,"\n");fclose(f);}} +#else +#define SDEBUG(msg...) +#endif +#endif + +/* -------------- */ + #define BYTE unsigned char /* 8 bits */ #define WORD unsigned int /* 32 bits */ +// PHP_MINIT_FUNCTION(suhosin); +// PHP_MSHUTDOWN_FUNCTION(suhosin); +// PHP_RINIT_FUNCTION(suhosin); +// PHP_RSHUTDOWN_FUNCTION(suhosin); +// PHP_MINFO_FUNCTION(suhosin); + +#include "ext/standard/basic_functions.h" + +static inline int suhosin_is_protected_varname(char *var, int var_len) +{ + switch (var_len) { + case 18: + if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname; + break; + case 17: + if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname; + break; + case 16: + if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname; + if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname; + break; + case 15: + if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname; + break; + case 14: + if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname; + break; + case 13: + if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname; + if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname; + break; + case 8: + if (memcmp(var, "_SESSION", 8)==0) goto protected_varname; + if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname; + break; + case 7: + if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname; + if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname; + if (memcmp(var, "_SERVER", 7)==0) goto protected_varname; + break; + case 6: + if (memcmp(var, "_FILES", 6)==0) goto protected_varname; + break; + case 5: + if (memcmp(var, "_POST", 5)==0) goto 
protected_varname; + break; + case 4: + if (memcmp(var, "_ENV", 4)==0) goto protected_varname; + if (memcmp(var, "_GET", 4)==0) goto protected_varname; + break; + } + + return 0; +protected_varname: + return 1; +} + + + ZEND_BEGIN_MODULE_GLOBALS(suhosin7) zend_long global_value; char *global_string; zend_bool protectkey; zend_bool simulation; + zend_bool stealth; zend_bool already_scanned; zend_bool abort_request; + char *filter_action; + + + zend_bool executor_allow_symlink; + long max_execution_depth; + long executor_include_max_traversal; + zend_bool executor_include_allow_writable_files; + + + HashTable *include_whitelist; + HashTable *include_blacklist; + + HashTable *func_whitelist; + HashTable *func_blacklist; + HashTable *eval_whitelist; + HashTable *eval_blacklist; + + zend_bool executor_disable_eval; + zend_bool executor_disable_emod; + /* request variables */ zend_long max_request_variables; @@ -108,7 +210,7 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7) zend_bool upload_allow_utf8; #endif char *upload_verification_script; - + zend_bool no_more_variables; zend_bool no_more_get_variables; zend_bool no_more_post_variables; @@ -119,9 +221,14 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7) WORD fkey[120]; WORD rkey[120]; -/* memory_limit */ - zend_long memory_limit; - zend_long hard_memory_limit; + zend_bool session_encrypt; + char* session_cryptkey; + zend_bool session_cryptua; + zend_bool session_cryptdocroot; + long session_cryptraddr; + long session_checkraddr; + + long session_max_id_length; char* decrypted_cookie; char* raw_cookie; 
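Review bot: The `SDEBUG` macro appends to the fixed path `SUHOSIN_LOG` ("/tmp/suhosin_log.txt") with `fopen(..., "a+")` from the web-server process; a pre-existing file or symlink at that predictable name in the shared /tmp is followed, so even in `SUHOSIN_DEBUG` builds the log should live in a directory writable only by the server user, with the path overridable at build time rather than hard-wired here. `fprintf(f, msg)` passes the caller's first argument straight through as the format string, which is only safe while every call site passes a string literal; a comment such as `/* the first SDEBUG argument must be a string literal: it is used as the printf format */` would pin that down, and `getpid()` printed with `%u` wants a `(unsigned)` cast. The `#ifdef PHP_WIN32` branch defines `SDEBUG` as an object-like macro with no parameter list, which does not match the function-like form below it. The new globals mix `long` (`max_execution_depth`, `executor_include_max_traversal`, `session_cryptraddr`, …) with the `zend_long` used by the existing members; the PHP 7 INI handlers write `zend_long`, so the new fields should use it too.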
@@ -133,6 +240,85 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7) long cookie_checkraddr; HashTable *cookie_plainlist; HashTable *cookie_cryptlist; + + zend_bool coredump; + zend_bool apc_bug_workaround; + zend_bool do_not_scan; + + zend_bool server_encode; + zend_bool server_strip; + + zend_bool disable_display_errors; + + php_uint32 r_state[625]; + php_uint32 *r_next; + int r_left; + zend_bool srand_ignore; + zend_bool mt_srand_ignore; + php_uint32 mt_state[625]; + php_uint32 *mt_next; + int mt_left; + + char *seedingkey; + zend_bool reseed_every_request; + + zend_bool r_is_seeded; + zend_bool mt_is_seeded; + + +/* memory_limit */ + zend_long memory_limit; + zend_long hard_memory_limit; + + + + + /* PERDIR Handling */ + char *perdir; + zend_bool log_perdir; + zend_bool exec_perdir; + zend_bool get_perdir; + zend_bool post_perdir; + zend_bool cookie_perdir; + zend_bool request_perdir; + zend_bool upload_perdir; + zend_bool sql_perdir; + zend_bool misc_perdir; + + /* log */ + zend_bool log_use_x_forwarded_for; + long log_syslog; + long log_syslog_facility; + long log_syslog_priority; + long log_script; + long log_sapi; + long log_stdout; + char *log_scriptname; + long log_phpscript; + char *log_phpscriptname; + zend_bool log_phpscript_is_safe; + long log_file; + char *log_filename; + zend_bool log_file_time; + + /* header handler */ + zend_bool allow_multiheader; + + /* mailprotect */ + long mailprotect; + + /* sqlprotect */ + zend_bool sql_bailout_on_error; + char *sql_user_prefix; + char *sql_user_postfix; + char *sql_user_match; + long sql_comment; + long sql_opencomment; + long sql_union; + long sql_mselect; + + int (*old_php_body_write)(const char *str, unsigned int str_length TSRMLS_DC); + ZEND_END_MODULE_GLOBALS(suhosin7) /* Always refer to the globals in your function as SUHOSIN7_G(variable). 
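Review bot: `int (*old_php_body_write)(const char *str, unsigned int str_length TSRMLS_DC);` keeps the `TSRMLS_DC` the rest of this commit strips from every other signature, and keeps `unsigned int` for a length the PHP 7 output layer passes as `size_t`; suggest `int (*old_php_body_write)(const char *str, size_t str_length);`. The same `long` versus `zend_long` mix appears in this hunk (`log_syslog`, `mailprotect`, `sql_comment`, …) while `memory_limit` and `hard_memory_limit` correctly use `zend_long`. Whether `php_uint32` is still provided by the PHP 7.0 headers for `r_state`/`mt_state` is not verifiable from this page; `uint32_t` from `<stdint.h>` would not depend on it.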
@@ -141,6 +327,10 @@ ZEND_END_MODULE_GLOBALS(suhosin7) */ #define SUHOSIN7_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(suhosin7, v) +#ifdef SUHOSIN_DEBUG +#define SUHOSIN_G(v) SUHOSIN7_G(v) +#endif + #if defined(ZTS) && defined(COMPILE_DL_SUHOSIN7) ZEND_TSRMLS_CACHE_EXTERN(); #endif diff --git a/sha256.c b/sha256.c index bf938c4..2ab5a0e 100644 --- a/sha256.c +++ b/sha256.c @@ -93,7 +93,7 @@ static PHP_FUNCTION(suhosin_sha256_file) suhosin_SHA256Init(&context); - while ((n = php_stream_read(stream, buf, sizeof(buf))) > 0) { + while ((n = php_stream_read(stream, (char*)buf, sizeof(buf))) > 0) { suhosin_SHA256Update(&context, buf, n); } @@ -394,7 +394,7 @@ static zend_function_entry suhosin_sha256_functions[] = { void suhosin_hook_sha256(TSRMLS_D) { /* check if we already have sha256 support */ - if (zend_hash_str_find(CG(function_table), "sha256", sizeof("sha256"))) { + if (zend_hash_str_find(CG(function_table), ZEND_STRL("sha256"))) { return; } diff --git a/suhosin7.c b/suhosin7.c index ebea5ab..4aa755d 100644 --- a/suhosin7.c +++ b/suhosin7.c 
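Review bot: `#define SUHOSIN_G(v) SUHOSIN7_G(v)` is wrapped in `#ifdef SUHOSIN_DEBUG`, yet `SUHOSIN_G(...)` is used unconditionally throughout ifilter.c and the new suhosin7.c code in this same commit, so a build without `SUHOSIN_DEBUG` has no definition of that name unless it is supplied elsewhere, which is not visible here. Either define the alias unconditionally (`#define SUHOSIN_G(v) SUHOSIN7_G(v)` outside the `#ifdef`) or switch the call sites to `SUHOSIN7_G`. A one-line comment stating which of the two spellings is canonical would stop the two from drifting further apart.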
@@ -34,15 +34,344 @@ ZEND_DECLARE_MODULE_GLOBALS(suhosin7) /* True global resources - no need for thread safety here */ -static int le_suhosin7; +// static int le_suhosin7; + +/* ------------------------------------------------------------------------ */ +/* PERDIR CHECKS */ +#define PERDIR_CHECK(lower) \ + if (!SUHOSIN_G(lower ## _perdir) && stage == ZEND_INI_STAGE_HTACCESS) { \ + return FAILURE; \ + } + +#define LOG_PERDIR_CHECK() PERDIR_CHECK(log) +#define EXEC_PERDIR_CHECK() PERDIR_CHECK(exec) +#define MISC_PERDIR_CHECK() PERDIR_CHECK(misc) +#define GET_PERDIR_CHECK() PERDIR_CHECK(get) +#define POST_PERDIR_CHECK() PERDIR_CHECK(post) +#define COOKIE_PERDIR_CHECK() PERDIR_CHECK(cookie) +#define REQUEST_PERDIR_CHECK() PERDIR_CHECK(request) +#define UPLOAD_PERDIR_CHECK() PERDIR_CHECK(upload) +#define SQL_PERDIR_CHECK() PERDIR_CHECK(sql) + +#define dohandler(handler, name, lower) \ + static ZEND_INI_MH(OnUpdate ## name ## handler) \ + { \ + PERDIR_CHECK(lower) \ + return OnUpdate ## handler (entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage); \ + } \ + +#define dohandlers(name, lower) \ + dohandler(Bool, name, lower) \ + dohandler(String, name, lower) \ + dohandler(Long, name, lower) \ + +dohandlers(Log, log) +dohandlers(Exec, exec) +dohandlers(Misc, misc) +dohandlers(Get, get) +dohandlers(Post, post) +dohandlers(Cookie, cookie) +dohandlers(Request, request) +dohandlers(Upload, upload) +dohandlers(SQL, sql) + + +/* ------------------------------------------------------------------------ */ +#define PERDIR_CASE(l, U, name) \ + case l: \ + case U: \ + SUHOSIN7_G(name ## _perdir) = 1; \ + break; + +static ZEND_INI_MH(OnUpdateSuhosin_perdir) +{ + char *tmp; + + if (SUHOSIN_G(perdir)) { + pefree(SUHOSIN_G(perdir), 1); + } + SUHOSIN_G(perdir) = NULL; + + /* Initialize the perdir flags */ + SUHOSIN_G(log_perdir) = 0; + SUHOSIN_G(exec_perdir) = 0; + SUHOSIN_G(misc_perdir) = 0; + SUHOSIN_G(get_perdir) = 0; + SUHOSIN_G(post_perdir) = 0; + SUHOSIN_G(cookie_perdir) = 0; + 
SUHOSIN_G(request_perdir) = 0; + SUHOSIN_G(upload_perdir) = 0; + SUHOSIN_G(sql_perdir) = 0; + + if (new_value == NULL) { + return SUCCESS; + } + + tmp = SUHOSIN_G(perdir) = pestrdup(ZSTR_VAL(new_value), 1); + + /* trim the whitespace */ + while (isspace(*tmp)) tmp++; + + /* should we deactivate perdir completely? */ + if (*tmp == 0 || *tmp == '0') { + return SUCCESS; + } + + /* no deactivation so check the flags */ + while (*tmp) { + switch (*tmp) { + PERDIR_CASE('l', 'L', log) + PERDIR_CASE('e', 'E', exec) + PERDIR_CASE('g', 'G', get) + PERDIR_CASE('c', 'C', cookie) + PERDIR_CASE('p', 'P', post) + PERDIR_CASE('r', 'R', request) + PERDIR_CASE('s', 'S', sql) + PERDIR_CASE('u', 'U', upload) + PERDIR_CASE('m', 'M', misc) + } + tmp++; + } + return SUCCESS; +} + +static void parse_list(HashTable **ht, char *list, zend_bool lc) +{ + char *s = NULL, *e, *val; + // unsigned long dummy = 1; + + if (list == NULL) { +list_destroy: + if (*ht) { + zend_hash_destroy(*ht); + pefree(*ht, 1); + } + *ht = NULL; + return; + } + while (*list == ' ' || *list == '\t') list++; + if (*list == 0) { + goto list_destroy; + } + + *ht = pemalloc(sizeof(HashTable), 1); + zend_hash_init(*ht, 5, NULL, NULL, 1); + + val = estrndup(list, strlen(list)); + if (lc) { + zend_str_tolower(val, strlen(list)); + } + + e = val; + + while (*e) { + switch (*e) { + case ' ': + case ',': + if (s) { + *e = '\0'; + zend_hash_str_add_empty_element(*ht, s, e-s); + // zend_hash_str_add(*ht, s, e-s, &dummy, sizeof(unsigned long), NULL); + s = NULL; + } + break; + default: + if (!s) { + s = e; + } + break; + } + e++; + } + if (s) { + // zend_hash_str_add(*ht, s, e-s, &dummy, sizeof(unsigned long), NULL); + zend_hash_str_add_empty_element(*ht, s, e-s); + } + efree(val); + +} + +#define S7_INI_MH_EXECLIST(name) \ +static ZEND_INI_MH(OnUpdateSuhosin_ ## name) \ +{ \ + EXEC_PERDIR_CHECK(); \ + parse_list(&SUHOSIN_G(name), ZSTR_VAL(new_value), 1); \ + return SUCCESS; \ +} +S7_INI_MH_EXECLIST(include_whitelist) 
+S7_INI_MH_EXECLIST(include_blacklist) +S7_INI_MH_EXECLIST(eval_whitelist) +S7_INI_MH_EXECLIST(eval_blacklist) +S7_INI_MH_EXECLIST(func_whitelist) +S7_INI_MH_EXECLIST(func_blacklist) + +static ZEND_INI_MH(OnUpdateSuhosin_cookie_cryptlist) +{ + COOKIE_PERDIR_CHECK(); + parse_list(&SUHOSIN_G(cookie_cryptlist), ZSTR_VAL(new_value), 0); + return SUCCESS; +} + +static ZEND_INI_MH(OnUpdateSuhosin_cookie_plainlist) +{ + COOKIE_PERDIR_CHECK(); + parse_list(&SUHOSIN_G(cookie_plainlist), ZSTR_VAL(new_value), 0); + return SUCCESS; +} + +/* ------------------------------------------------------------------------ */ + +#define STD_S7_INI_ENTRY(name, default_value, modifiable, on_modify, property_name) \ + STD_PHP_INI_ENTRY(name, default_value, modifiable, on_modify, property_name, zend_suhosin7_globals, suhosin7_globals) +#define STD_S7_INI_BOOLEAN(name, default_value, modifiable, on_modify, property_name) \ + STD_PHP_INI_BOOLEAN(name, default_value, modifiable, on_modify, property_name, zend_suhosin7_globals, suhosin7_globals) +// #define STD_S7_INI_LIST(name, modifiable, ) /* {{{ PHP_INI */ PHP_INI_BEGIN() - STD_ZEND_INI_BOOLEAN("suhosin.protectkey", "1", ZEND_INI_SYSTEM, OnUpdateBool, protectkey, zend_suhosin7_globals, suhosin7_globals) - STD_ZEND_INI_BOOLEAN("suhosin.cookie.cryptkey", "1", ZEND_INI_SYSTEM, OnUpdateBool, protectkey, zend_suhosin7_globals, suhosin7_globals) - STD_PHP_INI_ENTRY("suhosin.global_value", "42", PHP_INI_ALL, OnUpdateLong, global_value, zend_suhosin7_globals, suhosin7_globals) - STD_PHP_INI_ENTRY("suhosin.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_suhosin7_globals, suhosin7_globals) + // STD_S7_INI_BOOLEAN("suhosin.protectkey", "1", PHP_INI_SYSTEM, OnUpdateBool, protectkey, zend_suhosin7_globals, suhosin7_globals) + // STD_S7_INI_BOOLEAN("suhosin.cookie.cryptkey", "1", PHP_INI_SYSTEM, OnUpdateBool, protectkey, zend_suhosin7_globals, suhosin7_globals) + // STD_S7_INI_ENTRY("suhosin.global_value", "42", PHP_INI_ALL, 
OnUpdateLong, global_value, zend_suhosin7_globals, suhosin7_globals) + // STD_S7_INI_ENTRY("suhosin.global_string", "foobar", PHP_INI_ALL, OnUpdateString, global_string, zend_suhosin7_globals, suhosin7_globals) + + PHP_INI_ENTRY("suhosin.perdir", "0", PHP_INI_SYSTEM, OnUpdateSuhosin_perdir) + // PHP_INI_ENTRY("suhosin.log.syslog", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_syslog) + // PHP_INI_ENTRY("suhosin.log.syslog.facility", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_syslog_facility) + // PHP_INI_ENTRY("suhosin.log.syslog.priority", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_syslog_priority) + // PHP_INI_ENTRY("suhosin.log.sapi", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_sapi) + // PHP_INI_ENTRY("suhosin.log.stdout", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_stdout) + // PHP_INI_ENTRY("suhosin.log.script", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_script) + // PHP_INI_ENTRY("suhosin.log.script.name", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_scriptname) + // STD_S7_INI_BOOLEAN("suhosin.log.use-x-forwarded-for", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_use_x_forwarded_for) + // PHP_INI_ENTRY("suhosin.log.phpscript", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_phpscript) + // STD_S7_INI_ENTRY("suhosin.log.phpscript.name", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogString, log_phpscriptname) + // PHP_INI_ENTRY("suhosin.log.file", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_log_file) + // STD_S7_INI_ENTRY("suhosin.log.file.name", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogString, log_filename) + // STD_S7_INI_BOOLEAN("suhosin.log.file.time", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_file_time) + // STD_S7_INI_BOOLEAN("suhosin.log.phpscript.is_safe", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateLogBool, log_phpscript_is_safe) + + // STD_S7_INI_ENTRY("suhosin.executor.include.max_traversal", "0", 
PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, executor_include_max_traversal) + PHP_INI_ENTRY("suhosin.executor.include.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_whitelist) + PHP_INI_ENTRY("suhosin.executor.include.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_include_blacklist) + // STD_S7_INI_BOOLEAN("suhosin.executor.include.allow_writable_files", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_include_allow_writable_files) + PHP_INI_ENTRY("suhosin.executor.eval.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_eval_whitelist) + PHP_INI_ENTRY("suhosin.executor.eval.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_eval_blacklist) + PHP_INI_ENTRY("suhosin.executor.func.whitelist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_whitelist) + PHP_INI_ENTRY("suhosin.executor.func.blacklist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_func_blacklist) + // STD_S7_INI_BOOLEAN("suhosin.executor.disable_eval", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_eval) + // STD_S7_INI_BOOLEAN("suhosin.executor.disable_emodifier", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_disable_emod) + // + // STD_S7_INI_BOOLEAN("suhosin.executor.allow_symlink", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecBool, executor_allow_symlink) + // STD_S7_INI_ENTRY("suhosin.executor.max_depth", "750", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateExecLong, max_execution_depth) + // + // + // STD_S7_INI_BOOLEAN("suhosin.multiheader", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, allow_multiheader) + // STD_S7_INI_ENTRY("suhosin.mail.protect", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscLong, mailprotect) + // STD_S7_INI_ENTRY("suhosin.memory_limit", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscLong, memory_limit) + // STD_S7_INI_BOOLEAN("suhosin.simulation", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, simulation) + // 
STD_S7_INI_ENTRY("suhosin.filter.action", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, filter_action) + // + // STD_S7_INI_BOOLEAN("suhosin.protectkey", "1", PHP_INI_SYSTEM, OnUpdateBool, protectkey) + // STD_S7_INI_BOOLEAN("suhosin.coredump", "0", PHP_INI_SYSTEM, OnUpdateBool, coredump) + // STD_S7_INI_BOOLEAN("suhosin.stealth", "1", PHP_INI_SYSTEM, OnUpdateBool, stealth) + // STD_S7_INI_BOOLEAN("suhosin.apc_bug_workaround", "0", PHP_INI_SYSTEM, OnUpdateBool, apc_bug_workaround) + // STD_S7_INI_BOOLEAN("suhosin.disable.display_errors", "0", PHP_INI_SYSTEM, OnUpdate_disable_display_errors, disable_display_errors) + + + // + // STD_S7_INI_ENTRY("suhosin.request.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_request_variables) + // STD_S7_INI_ENTRY("suhosin.request.max_varname_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_varname_length) + // STD_S7_INI_ENTRY("suhosin.request.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_value_length) + // STD_S7_INI_ENTRY("suhosin.request.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_depth) + // STD_S7_INI_ENTRY("suhosin.request.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_totalname_length) + // STD_S7_INI_ENTRY("suhosin.request.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestLong, max_array_index_length) + // STD_S7_INI_ENTRY("suhosin.request.array_index_whitelist", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_whitelist) + // STD_S7_INI_ENTRY("suhosin.request.array_index_blacklist", "'\"+<>;()", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestString, array_index_blacklist) + // STD_S7_INI_ENTRY("suhosin.request.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateRequestBool, disallow_nul) + // STD_S7_INI_ENTRY("suhosin.request.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, 
OnUpdateRequestBool, disallow_ws) + // + // STD_S7_INI_ENTRY("suhosin.cookie.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_vars) + // STD_S7_INI_ENTRY("suhosin.cookie.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_name_length) + // STD_S7_INI_ENTRY("suhosin.cookie.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_totalname_length) + // STD_S7_INI_ENTRY("suhosin.cookie.max_value_length", "10000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_value_length) + // STD_S7_INI_ENTRY("suhosin.cookie.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_depth) + // STD_S7_INI_ENTRY("suhosin.cookie.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, max_cookie_array_index_length) + // STD_S7_INI_ENTRY("suhosin.cookie.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_nul) + // STD_S7_INI_ENTRY("suhosin.cookie.disallow_ws", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieBool, disallow_cookie_ws) + // + // STD_S7_INI_ENTRY("suhosin.get.max_vars", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_vars) + // STD_S7_INI_ENTRY("suhosin.get.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_name_length) + // STD_S7_INI_ENTRY("suhosin.get.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_totalname_length) + // STD_S7_INI_ENTRY("suhosin.get.max_value_length", "512", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_value_length) + // STD_S7_INI_ENTRY("suhosin.get.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_depth) + // STD_S7_INI_ENTRY("suhosin.get.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetLong, max_get_array_index_length) + // STD_S7_INI_ENTRY("suhosin.get.disallow_nul", "1", 
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_nul) + // STD_S7_INI_ENTRY("suhosin.get.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateGetBool, disallow_get_ws) + // + // STD_S7_INI_ENTRY("suhosin.post.max_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_vars) + // STD_S7_INI_ENTRY("suhosin.post.max_name_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_name_length) + // STD_S7_INI_ENTRY("suhosin.post.max_totalname_length", "256", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_totalname_length) + // STD_S7_INI_ENTRY("suhosin.post.max_value_length", "1000000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_value_length) + // STD_S7_INI_ENTRY("suhosin.post.max_array_depth", "50", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_depth) + // STD_S7_INI_ENTRY("suhosin.post.max_array_index_length", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostLong, max_post_array_index_length) + // STD_S7_INI_ENTRY("suhosin.post.disallow_nul", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_nul) + // STD_S7_INI_ENTRY("suhosin.post.disallow_ws", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdatePostBool, disallow_post_ws) + // + // STD_S7_INI_ENTRY("suhosin.upload.max_uploads", "25", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_limit) + // STD_S7_INI_ENTRY("suhosin.upload.max_newlines", "100", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadLong, upload_max_newlines) + // STD_S7_INI_ENTRY("suhosin.upload.disallow_elf", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_elf) + // STD_S7_INI_ENTRY("suhosin.upload.disallow_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_disallow_binary) + // STD_S7_INI_ENTRY("suhosin.upload.remove_binary", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_remove_binary) +#ifdef SUHOSIN_EXPERIMENTAL + // STD_S7_INI_BOOLEAN("suhosin.upload.allow_utf8", "0", 
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadBool, upload_allow_utf8) +#endif + // STD_S7_INI_ENTRY("suhosin.upload.verification_script", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateUploadString, upload_verification_script) + + + // STD_S7_INI_BOOLEAN("suhosin.sql.bailout_on_error", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSQLBool, sql_bailout_on_error) + // STD_S7_INI_ENTRY("suhosin.sql.user_prefix", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLString, sql_user_prefix) + // STD_S7_INI_ENTRY("suhosin.sql.user_postfix", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLString, sql_user_postfix) + // STD_S7_INI_ENTRY("suhosin.sql.user_match", NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLString, sql_user_match) + // STD_S7_INI_ENTRY("suhosin.sql.comment", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLLong, sql_comment) + // STD_S7_INI_ENTRY("suhosin.sql.opencomment", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLLong, sql_opencomment) + // STD_S7_INI_ENTRY("suhosin.sql.multiselect", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLLong, sql_mselect) + // STD_S7_INI_ENTRY("suhosin.sql.union", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLLong, sql_union) + +#ifdef HAVE_PHP_SESSION + // STD_S7_INI_BOOLEAN("suhosin.session.encrypt", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, session_encrypt) + // STD_S7_INI_ENTRY("suhosin.session.cryptkey", "", PHP_INI_ALL, OnUpdateMiscString, session_cryptkey) + // STD_S7_INI_BOOLEAN("suhosin.session.cryptua", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, session_cryptua) + // STD_S7_INI_BOOLEAN("suhosin.session.cryptdocroot", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateMiscBool, session_cryptdocroot) + // STD_S7_INI_ENTRY("suhosin.session.cryptraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_cryptraddr) + // STD_S7_INI_ENTRY("suhosin.session.checkraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_checkraddr) + // STD_S7_INI_ENTRY("suhosin.session.max_id_length", "128", 
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_max_id_length) +#else /* HAVE_PHP_SESSION */ +#warning BUILDING SUHOSIN WITHOUT SESSION SUPPORT. THIS IS A BAD IDEA! +#ifndef SUHOSIN_WITHOUT_SESSION +#error Please recompile with -DSUHOSIN_WITHOUT_SESSION if you really know what you are doing. +#endif +#endif /* HAVE_PHP_SESSION */ + + + // STD_S7_INI_BOOLEAN("suhosin.cookie.encrypt", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateCookieBool, cookie_encrypt) + // STD_S7_INI_ENTRY("suhosin.cookie.cryptkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieString, cookie_cryptkey) + // STD_S7_INI_BOOLEAN("suhosin.cookie.cryptua", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateCookieBool, cookie_cryptua) + // STD_S7_INI_BOOLEAN("suhosin.cookie.cryptdocroot", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateCookieBool, cookie_cryptdocroot) + // STD_S7_INI_ENTRY("suhosin.cookie.cryptraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, cookie_cryptraddr) + // STD_S7_INI_ENTRY("suhosin.cookie.checkraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateCookieLong, cookie_checkraddr) + PHP_INI_ENTRY("suhosin.cookie.cryptlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_cryptlist) + PHP_INI_ENTRY("suhosin.cookie.plainlist", NULL, PHP_INI_PERDIR|PHP_INI_SYSTEM, OnUpdateSuhosin_cookie_plainlist) + // + // STD_S7_INI_BOOLEAN("suhosin.server.encode", "1", PHP_INI_SYSTEM, OnUpdateBool, server_encode) + // STD_S7_INI_BOOLEAN("suhosin.server.strip", "1", PHP_INI_SYSTEM, OnUpdateBool, server_strip) + // + // STD_S7_INI_ENTRY("suhosin.rand.seedingkey", "", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscString, seedingkey) + // STD_S7_INI_BOOLEAN("suhosin.rand.reseed_every_request", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscBool, reseed_every_request) + // STD_S7_INI_BOOLEAN("suhosin.srand.ignore", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscBool, srand_ignore) + // STD_S7_INI_BOOLEAN("suhosin.mt_srand.ignore", "1", PHP_INI_SYSTEM|PHP_INI_PERDIR, 
OnUpdateMiscBool, mt_srand_ignore)
+
+ PHP_INI_END() /* }}} */
@@ -61,6 +390,24 @@ static void php_suhosin7_init_globals(zend_suhosin7_globals *suhosin7_globals) */ PHP_MINIT_FUNCTION(suhosin7) {
+ SDEBUG("(MINIT)");
+ ZEND_INIT_MODULE_GLOBALS(suhosin7, php_suhosin7_init_globals, NULL);
+
+ /* only register constants if they have not previously been registered by a patched PHP */
+ // if (zend_hash_str_exists(EG(zend_constants), "S_MEMORY", sizeof("S_MEMORY"))==0) {
+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_SESSION", S_SESSION, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
+ // }
+ REGISTER_INI_ENTRIES(); return SUCCESS; }
@@ -70,6 +417,7 @@ PHP_MINIT_FUNCTION(suhosin7) */ PHP_MSHUTDOWN_FUNCTION(suhosin7) {
+ SDEBUG("(MSHUTDOWN)"); UNREGISTER_INI_ENTRIES(); return SUCCESS; }
@@ -80,6 +428,7 @@ PHP_MSHUTDOWN_FUNCTION(suhosin7) */ PHP_RINIT_FUNCTION(suhosin7) {
+ SDEBUG("(RINIT)"); #if defined(COMPILE_DL_SUHOSIN7) && defined(ZTS) ZEND_TSRMLS_CACHE_UPDATE(); #endif
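Review bot: The `S7_INI_MH_EXECLIST` handlers and `OnUpdateSuhosin_cookie_cryptlist`/`OnUpdateSuhosin_cookie_plainlist` pass `ZSTR_VAL(new_value)` without a NULL check, yet the entries they serve are registered with a NULL default (`suhosin.executor.include.whitelist` and the others), and `OnUpdateSuhosin_perdir` in the same hunk shows that `new_value` can arrive as NULL. `parse_list` already treats a NULL list as "destroy the table", so `parse_list(&SUHOSIN_G(name), new_value ? ZSTR_VAL(new_value) : NULL, 1);` (and the same guard in the two cookie handlers) closes the dereference. Separately, `parse_list` assigns `*ht = pemalloc(sizeof(HashTable), 1);` without destroying a table that is already there, so applying a non-empty list twice (for example a per-directory override followed by a restore) leaks the previous table; freeing `*ht` before the `pemalloc` fixes that. `isspace(*tmp)` in `OnUpdateSuhosin_perdir` should be `isspace((unsigned char)*tmp)` so a high byte in the INI value does not index the ctype table with a negative value on signed-char platforms.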
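Review bot: The comment in `PHP_MINIT_FUNCTION` says constants are only registered when a patched PHP has not already defined them, but the `zend_hash_str_exists` guard is commented out, so on such a PHP every `REGISTER_MAIN_LONG_CONSTANT` call would hit PHP's "already defined" path at startup. Either restore the guard as `if (!zend_hash_str_exists(EG(zend_constants), ZEND_STRL("S_MEMORY"))) {` — the old form passed `sizeof("S_MEMORY")`, which includes the terminating NUL and would never match a `_str_` lookup, consistent with the ZEND_STRL fixes elsewhere in this commit — or reword the comment to say the check is intentionally disabled for now.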
@@ -92,15 +441,17 @@ PHP_RINIT_FUNCTION(suhosin7) */ PHP_RSHUTDOWN_FUNCTION(suhosin7) {
+ SDEBUG("(RSHUTDOWN)");
+ return SUCCESS; } /* }}} */
-/* {{{ suhosin_ini_displayer(zend_ini_entry *ini_entry, int type)
+/* {{{ suhosin_ini_displayer(PHP_INI_ENTRY *ini_entry, int type) */
-static void suhosin_ini_displayer(zend_ini_entry *ini_entry, int type)
+static void suhosin_ini_displayer(php_ini_entry *ini_entry, int type) {
- PHPWRITE("[ protected ]", strlen("[ protected ]"));
+ PHPWRITE("[ protected ]", strlen("[ protected ]")); } /* }}} */
@@ -126,42 +477,42 @@ PHP_MINFO_FUNCTION(suhosin7) PUTS(!sapi_module.phpinfo_as_text?"
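Review bot: `suhosin_ini_displayer` now takes `php_ini_entry *`, but I cannot find a `php_ini_entry` type in PHP 7's Zend/zend_ini.h; the displayer callback stored in `zend_ini_entry` takes `zend_ini_entry *ini_entry, int type`, which the old signature already matched, so this looks like it will not compile as written. The same rename appears in the two `php_ini_entry *i;` declarations in the PHP_MINFO hunk below. The `{{{` header comment was also changed to `PHP_INI_ENTRY *ini_entry`, which is the registration macro rather than a type; it should name whatever type the code finally uses.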

":"\n\n"); if (sapi_module.phpinfo_as_text) { PUTS("Copyright (c) 2006-2007 Hardened-PHP Project\n"); - PUTS("Copyright (c) 2007-2015 SektionEins GmbH\n"); + PUTS("Copyright (c) 2007-2016 SektionEins GmbH\n"); } else { PUTS("Copyright (c) 2006-2007 Hardened-PHP Project
\n");
- PUTS("Copyright (c) 2007-2015 SektionEins GmbH\n");
+ PUTS("Copyright (c) 2007-2016 SektionEins GmbH\n"); } php_info_print_box_end();
- if (SUHOSIN7_G(protectkey)) {
- zend_ini_entry *i;
-
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.cookie.cryptkey", sizeof("suhosin.cookie.cryptkey")-1))) {
- i->displayer = suhosin_ini_displayer;
- }
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey")-1))) {
- i->displayer = suhosin_ini_displayer;
- }
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.rand.seedingkey", sizeof("suhosin.rand.seedingkey")-1))) {
- i->displayer = suhosin_ini_displayer;
- }
- }
-
+ if (SUHOSIN7_G(protectkey)) {
+ php_ini_entry *i;
+
+ if ((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.cookie.cryptkey")))) {
+ i->displayer = suhosin_ini_displayer;
+ }
+ if ((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.session.cryptkey")))) {
+ i->displayer = suhosin_ini_displayer;
+ }
+ if ((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.rand.seedingkey")))) {
+ i->displayer = suhosin_ini_displayer;
+ }
+ }
+ DISPLAY_INI_ENTRIES();
- if (SUHOSIN7_G(protectkey)) {
- zend_ini_entry *i;
+ if (SUHOSIN7_G(protectkey)) {
+ php_ini_entry *i;
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.cookie.cryptkey", sizeof("suhosin.cookie.cryptkey")))) {
- i->displayer = NULL;
- }
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.session.cryptkey", sizeof("suhosin.session.cryptkey")-1))) {
- i->displayer = NULL;
- }
- if ((i=zend_hash_str_find_ptr(EG(ini_directives), "suhosin.rand.seedingkey", sizeof("suhosin.rand.seedingkey")-1))) {
- i->displayer = NULL;
- }
- }
+ if ((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.cookie.cryptkey")))) {
+ i->displayer = NULL;
+ }
+ if ((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.session.cryptkey")))) {
+ i->displayer = NULL;
+ }
+ if 
((i=zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("suhosin.rand.seedingkey")))) {
+ i->displayer = NULL;
+ }
+ } } /* }}} */
diff --git a/treat_data.c b/treat_data.c
index 86fcd9f..dc31b17 100644
--- a/treat_data.c
+++ b/treat_data.c
@@ -97,11 +97,11 @@ SAPI_TREAT_DATA_FUNC(suhosin_treat_data) } else if (arg == PARSE_COOKIE) { /* Cookie data */ c_var = SG(request_info).cookie_data; if (c_var && *c_var) {
- if (SUHOSIN7_G(cookie_encrypt)) {
- res = (char *) estrdup(suhosin_cookie_decryptor());
- } else {
+ // if (SUHOSIN7_G(cookie_encrypt)) {
+ // res = (char *) estrdup(suhosin_cookie_decryptor());
+ // } else { res = (char *) estrdup(c_var);
- }
+ // } free_buffer = 1; } else { free_buffer = 0;
@@ -211,4 +211,3 @@ void suhosin_hook_treat_data() * vim600: noet sw=4 ts=4 fdm=marker * vim<600: noet sw=4 ts=4 */
- -- cgit v1.3
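Review bot: The block after `DISPLAY_INI_ENTRIES()` resets `i->displayer = NULL` instead of restoring whatever displayer the entry had before the first block replaced it, so any displayer PHP had attached to these three entries is lost after the first phpinfo() call; saving the previous pointer when `suhosin_ini_displayer` is installed and writing it back afterwards keeps the key-masking behaviour without that side effect. Since `suhosin.cookie.cryptkey`, `suhosin.session.cryptkey` and `suhosin.rand.seedingkey` are all still commented out in the INI table in this commit, the lookups currently return NULL and the masking is a no-op, which deserves a `/* entries not yet registered in PHP_INI_BEGIN */` note so it is not forgotten when they come back. PHP_MINFO_FUNCTION starts above this hunk.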