Merge pull request #429 from sektioneins/master

fixes+features 07/2022

7 files changed, 107 insertions, 45 deletions

diff --git a/.gitignore b/.gitignore
index e4986e9..c47ec1c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,50 +6,53 @@ tags
 .deps
 .libs
 *.lo
-src/tests/*.diff
-src/tests/*.exp
-src/tests/*.log
-src/tests/*.out
-src/tests/*.sh
-src/tests/*.php
+*~
 
-src/tests/*/*.diff
-src/tests/*/*.exp
-src/tests/*/*.log
-src/tests/*/*.out
-src/tests/*/*.sh
-src/tests/*/*.php
-src/tests/*/phpt.*
+/src/tests/**/*.diff
+/src/tests/**/*.exp
+/src/tests/**/*.log
+/src/tests/**/*.out
+/src/tests/**/*.sh
+/src/tests/**/*.php
+/src/tests/**/phpt.*
 
-.vscode/
 
 # generated by re2c or copied from cached version
-src/sp_config_scanner.c
+/src/sp_config_scanner.c
 # Files generated by phpize, configure and make
-src/autom4te.cache
-src/build
-src/modules
-src/acinclude.m4
-src/aclocal.m4
-src/config.guess
-src/config.h
-src/config.h.in
-src/config.log
-src/config.nice
-src/config.status
-src/config.sub
-src/configure
-src/configure.in
-src/install-sh
-src/*.la
-src/ltmain.sh
-src/libtool
-src/Makefile
-src/Makefile.fragments
-src/Makefile.global
-src/Makefile.objects
-src/missing
-src/mkinstalldirs
-src/run-tests.php
-src/*.dep
-doc/build/
+/src/autom4te.cache
+/src/build
+/src/modules
+/src/acinclude.m4
+/src/aclocal.m4
+/src/config.guess
+/src/config.h
+/src/config.h.in
+/src/config.log
+/src/config.nice
+/src/config.status
+/src/config.sub
+/src/configure
+/src/configure.in
+/src/configure.ac
+/src/install-sh
+/src/*.la
+/src/ltmain.sh
+/src/libtool
+/src/Makefile
+/src/Makefile.fragments
+/src/Makefile.global
+/src/Makefile.objects
+/src/missing
+/src/mkinstalldirs
+/src/run-tests.php
+/src/*.dep
+/doc/build/
+
+## development artifacts
+/*.sh
+/src/*.sh
+/src-*/
+/src/quicktest/
+/.vscode/
+
diff --git a/Makefile b/Makefile
index 51c6cc9..6d5b004 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ release:  ## compile with releases flags
         cd $(SRC); phpize
         cd $(SRC); ./configure --enable-snuffleupagus
         make -C $(SRC)
+        strip $(SRC)/.libs/snuffleupagus.so
 
 install: release  ## compile and install snuffleupagus
         make -C $(SRC) install
diff --git a/doc/source/config.rst b/doc/source/config.rst
index d7f7f24..ac8aef1 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -78,7 +78,7 @@ Miscellaneous
 conditions
 ^^^^^^^^^^
 
-It's possible to use conditions to have configuration portables accross
+It's possible to use conditions to have configuration portable across
 several setups.
 
 ::
@@ -88,6 +88,30 @@ several setups.
     # some other rules
   @end_condition;
 
+Conditions accept variables and the special function ``extension_loadod()``.
+
+::
+  @condition extension_loaded("sqlite3");
+  sp.ini.key("sqlite3.extension_dir").ro();
+  @end_condition;
+
+Conditions cannot be nested, but arithmetic and logical operations can be applied.
+
+::
+  @condition extension_loaded("session") && PHP_VERSION_ID <= 80200;
+  set whitelist "my_fun,cos"
+  sp.eval_whitelist.list(whitelist).simulation().dump("/tmp/dump_result/");
+  @end_condition;
+
+variables
+^^^^^^^^^
+
+You may set a configuration variable using the ``set`` keyword (or ``@set``) and use it instead of arguments.
+
+::
+  @set CMD "ls"
+  sp.disable_function.function("system").pos("0").value(CMD).allow();
+
 global
 ^^^^^^
 
diff --git a/src/config.m4 b/src/config.m4
index 1958979..619dcbd 100644
--- a/src/config.m4
+++ b/src/config.m4
@@ -31,6 +31,8 @@ CFLAGS="$CFLAGS -fstack-protector-strong"
 
 LDFLAGS="$LDFLAGS `pcre2-config --libs8`"
 
+AX_CHECK_COMPILE_FLAG([-Wl,-z,relro,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"], {}, [-Werror])
+
 if test "$PHP_DEBUG" = "yes"; then
   AC_DEFINE(SP_DEBUG, 1, [Enable SP debug messages])
   CFLAGS="$CFLAGS -g -ggdb -O0"
diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c
index 1f5b660..30f6b3d 100644
--- a/src/snuffleupagus.c
+++ b/src/snuffleupagus.c
@@ -265,7 +265,7 @@ static void add_df_to_arr(zval *arr, sp_disabled_function const *const df) {
   if (df->functions_list && df->functions_list->data) {
     zval arr_fl;
     array_init(&arr_fl);
-    for (sp_list_node *p = df->functions_list; p; p = p->next) { add_next_index_str(&arr_fl, p->data); }
+    for (sp_list_node *p = df->functions_list; p; p = p->next) { add_next_index_string(&arr_fl, (char*)p->data); }
     add_assoc_zval(&arr_df, "function_list", &arr_fl);
   } else {
     add_assoc_null(&arr_df, "function_list");
@@ -283,6 +283,7 @@ static void add_df_to_arr(zval *arr, sp_disabled_function const *const df) {
   add_assoc_long(&arr_df, SP_TOKEN_LINE_NUMBER, df->line);
   ADD_ASSOC_ZSTR(&arr_df, SP_TOKEN_RET, df->ret);
   ADD_ASSOC_REGEXP(&arr_df, SP_TOKEN_RET_REGEXP, df->r_ret);
+  add_assoc_long(&arr_df, SP_TOKEN_RET_TYPE, df->ret_type);
   ADD_ASSOC_ZSTR(&arr_df, SP_TOKEN_VALUE, df->value);
   ADD_ASSOC_REGEXP(&arr_df, SP_TOKEN_VALUE_REGEXP, df->r_value);
   ADD_ASSOC_ZSTR(&arr_df, SP_TOKEN_KEY, df->key);
@@ -495,6 +496,7 @@ static PHP_INI_MH(OnUpdateConfiguration) {
 
   // set some defaults
   SPCFG(show_old_php_warning) = true;
+  SPCFG(readonly_exec).extended_checks = true;
 
   char *str = new_value->val;
 
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index ea4e1cd..fa26635 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -228,9 +228,32 @@ SP_PARSE_FN(parse_cookie) {
         ZSTR_VAL(samesite), parsed_rule->lineno);
       goto err;
     }
+    zend_string_release(samesite);
+    samesite = NULL;
   }
 
-  SPCFG(cookie).cookies = sp_list_insert(SPCFG(cookie).cookies, cookie);
+  // find other cookie entry with identical name or name_r
+  sp_cookie *entry = NULL;
+  sp_list_node *pList = NULL;
+  for (pList = SPCFG(cookie).cookies; pList; pList = pList->next) {
+    entry = pList->data;
+    if (!entry) { continue; }
+    if ((entry->name && cookie->name && sp_zend_string_equals(entry->name, cookie->name)) ||
+        (entry->name_r && cookie->name_r && sp_zend_string_equals(entry->name_r->pattern, cookie->name_r->pattern))) {
+          break;
+        }
+  }
+  if (pList && entry) {
+    // override cookie settings if set
+    if (cookie->samesite) { entry->samesite = cookie->samesite; }
+    if (cookie->encrypt) { entry->encrypt = cookie->encrypt; }
+    if (cookie->simulation) { entry->simulation = cookie->simulation; }
+    sp_free_cookie(cookie);
+    pefree(cookie, 1);
+    cookie = NULL;
+  } else {
+    SPCFG(cookie).cookies = sp_list_insert(SPCFG(cookie).cookies, cookie);
+  }
 
   return SP_PARSER_STOP;
 
@@ -492,6 +515,11 @@ SP_PARSE_FN(parse_ini_entry) {
     goto err;
   }
 
+  if (zend_hash_find_ptr(SPCFG(ini).entries, entry->key)) {
+    sp_log_err("config", "duplicate INI key '%s' on line %zu", ZSTR_VAL(entry->key), parsed_rule->lineno);
+    goto err;
+  }
+
   if (ro && rw) {
     sp_log_err("config", "rule cannot be both read-write and read-only on line %zu", parsed_rule->lineno);
     goto err;
diff --git a/src/sp_execute.c b/src/sp_execute.c
index 81614f3..b4e5c6c 100644
--- a/src/sp_execute.c
+++ b/src/sp_execute.c
@@ -1,4 +1,5 @@
 #include "php_snuffleupagus.h"
+#include "ext/standard/php_string.h"
 
 static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL;
 static void (*orig_zend_execute_internal)(zend_execute_data *execute_data,
@@ -40,6 +41,7 @@ ZEND_COLD static inline void terminate_if_writable(char const* const filename) {
   php_dirname(dirname, strlen(dirname));
   if (0 == access(dirname, W_OK)) {
     errmsg = "Attempted execution of a file in a writable directory";
+
     efree(dirname);
     goto violation;
   }