removed upload script x-bit check at load time, thus allowing root-user to execute test cases

author: Ben Fuhrmannek 2021-12-20 18:00:34 +0100
committer: Ben Fuhrmannek 2021-12-20 18:00:34 +0100
commit: 2863344b21977bb5b1df276b2f17e2ac9572e42a (patch)
tree: 99ffdbc157c5b48246c62b008d1aa9791229370f
parent: 6f50404217f9c6cc25654f6edd527c1d1f3286e4 (diff)
2 files changed, 4 insertions, 6 deletions
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index cbe4966..138da75 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -429,9 +429,6 @@ SP_PARSE_FN(parse_upload_validation) {
  } else if (-1 == access(ZSTR_VAL(cfg->script), F_OK)) {
    sp_log_err("config", "The `script` (%s) doesn't exist on line %zu", ZSTR_VAL(cfg->script), parsed_rule->lineno);
    return SP_PARSER_ERROR;
-  } else if (-1 == access(ZSTR_VAL(cfg->script), X_OK)) {
-    sp_log_err("config", "The `script` (%s) isn't executable on line %zu", ZSTR_VAL(cfg->script), parsed_rule->lineno);
-    return SP_PARSER_ERROR;
  }
  return SP_PARSER_STOP;
diff --git a/src/tests/upload_validation/upload_validation_no_exec.phpt b/src/tests/upload_validation/upload_validation_no_exec.phpt
index b198bda..ff3dc14 100644
--- a/src/tests/upload_validation/upload_validation_no_exec.phpt
+++ b/src/tests/upload_validation/upload_validation_no_exec.phpt
@@ -4,6 +4,7 @@ Upload a file, validation script not executable
 file_uploads=1
 sp.configuration_file={PWD}/config/upload_validation_non_exec.ini
 output_buffering=off
+expose_php=0
 --POST_RAW--
 Content-Type: multipart/form-data; boundary=blabla
 --blabla
@@ -14,6 +15,6 @@ Content-Disposition: form-data; name="test"; filename="test.php"
 var_dump($_FILES);
 ?>
 --EXPECTF--
-Fatal error: [snuffleupagus][0.0.0.0][config][log] Invalid configuration file in Unknown on line 0
+Warning: [snuffleupagus][0.0.0.0][upload_validation][log] Could not call '%s' : Permission denied %s
+%a
-Fatal error: [snuffleupagus][0.0.0.0][config][log] The `script` (tests/data/upload_no_exec.sh) isn't executable on line 1 in Unknown on line 0
+Fatal error: [snuffleupagus][0.0.0.0][upload_validation][drop] The upload %s was rejected. in Unknown on line 0
author	Ben Fuhrmannek	2021-12-20 18:00:34 +0100
committer	Ben Fuhrmannek	2021-12-20 18:00:34 +0100
commit	2863344b21977bb5b1df276b2f17e2ac9572e42a (patch)
tree	99ffdbc157c5b48246c62b008d1aa9791229370f
parent	6f50404217f9c6cc25654f6edd527c1d1f3286e4 (diff)

diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index cbe4966..138da75 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -429,9 +429,6 @@ SP_PARSE_FN(parse_upload_validation) {
429	} else if (-1 == access(ZSTR_VAL(cfg->script), F_OK)) {	429	} else if (-1 == access(ZSTR_VAL(cfg->script), F_OK)) {
430	sp_log_err("config", "The `script` (%s) doesn't exist on line %zu", ZSTR_VAL(cfg->script), parsed_rule->lineno);	430	sp_log_err("config", "The `script` (%s) doesn't exist on line %zu", ZSTR_VAL(cfg->script), parsed_rule->lineno);
431	return SP_PARSER_ERROR;	431	return SP_PARSER_ERROR;
432	} else if (-1 == access(ZSTR_VAL(cfg->script), X_OK)) {
433	sp_log_err("config", "The `script` (%s) isn't executable on line %zu", ZSTR_VAL(cfg->script), parsed_rule->lineno);
434	return SP_PARSER_ERROR;
435	}	432	}
436		433
437	return SP_PARSER_STOP;	434	return SP_PARSER_STOP;


diff --git a/src/tests/upload_validation/upload_validation_no_exec.phpt b/src/tests/upload_validation/upload_validation_no_exec.phpt index b198bda..ff3dc14 100644 --- a/src/tests/upload_validation/upload_validation_no_exec.phpt +++ b/src/tests/upload_validation/upload_validation_no_exec.phpt
@@ -4,6 +4,7 @@ Upload a file, validation script not executable
4	file_uploads=1	4	file_uploads=1
5	sp.configuration_file={PWD}/config/upload_validation_non_exec.ini	5	sp.configuration_file={PWD}/config/upload_validation_non_exec.ini
6	output_buffering=off	6	output_buffering=off
		7	expose_php=0
7	--POST_RAW--	8	--POST_RAW--
8	Content-Type: multipart/form-data; boundary=blabla	9	Content-Type: multipart/form-data; boundary=blabla
9	--blabla	10	--blabla
@@ -14,6 +15,6 @@ Content-Disposition: form-data; name="test"; filename="test.php"
14	var_dump($_FILES);	15	var_dump($_FILES);
15	?>	16	?>
16	--EXPECTF--	17	--EXPECTF--
17	Fatal error: [snuffleupagus][0.0.0.0][config][log] Invalid configuration file in Unknown on line 0	18	Warning: [snuffleupagus][0.0.0.0][upload_validation][log] Could not call '%s' : Permission denied %s
18		19	%a
19	Fatal error: [snuffleupagus][0.0.0.0][config][log] The `script` (tests/data/upload_no_exec.sh) isn't executable on line 1 in Unknown on line 0	20	Fatal error: [snuffleupagus][0.0.0.0][upload_validation][drop] The upload %s was rejected. in Unknown on line 0