Support direct syslog logging

Add the possibility to log directly into the syslog, instead of using php's log system.
author: Thibault "bui" Koechlin 2019-08-31 15:32:36 +0200
committer: jvoisin 2019-08-31 13:32:36 +0000
commit: 504f02992ace82a5520bc0ca43d9562c077a06e4 (patch)
tree: 94934cf269abe7a8dbdf0a8bdb4ddb1d51cb4f30
parent: f7e25b29c1cd5273675dbb3d6883c40377d8315d (diff)
9 files changed, 77 insertions, 1 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 89e063f..4be8db7 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -81,6 +81,24 @@ This configuration variable contains parameters that are used by multiple featur
 - ``cookie_env_var``: A environment variable used as part of cookies encryption.
  See the :ref:`relevant documentation <config_cookie-encryption>`
+log_media
+^^^^^^^^^
+This configuration variable allows to specify how logs should be written,
+either via ``php`` or ``syslog``.
+::
+  sp.log_media("php");
+  sp.log_media("syslog");
+The default value for ``sp.log_media`` is ``php``, to respect the `principle of
+least astonishment
+<https://en.wikipedia.org/wiki/Principle_of_least_astonishment>`__. But since
+it's `possible to modify php's logging system via php
+<https://www.php.net/manual/en/errorfunc.configuration.php>`__, it's
+heavily recommended to use the ``syslog`` option instead.
 Bugclass-killer features
 ------------------------
diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h
index 43131fe..1c45653 100644
--- a/src/php_snuffleupagus.h
+++ b/src/php_snuffleupagus.h
@@ -22,6 +22,7 @@
 #include <sys/socket.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <sys/syslog.h>
 #include "SAPI.h"
 #include "ext/session/php_session.h"
diff --git a/src/sp_config.c b/src/sp_config.c
index 25223f2..69730e3 100644
--- a/src/sp_config.c
+++ b/src/sp_config.c
@@ -9,6 +9,7 @@ size_t sp_line_no;
 sp_config_tokens const sp_func[] = {
    {.func = parse_unserialize, .token = SP_TOKEN_UNSERIALIZE_HMAC},
    {.func = parse_random, .token = SP_TOKEN_HARDEN_RANDOM},
+    {.func = parse_log_media, .token = SP_TOKEN_LOG_MEDIA},
    {.func = parse_disabled_functions, .token = SP_TOKEN_DISABLE_FUNC},
    {.func = parse_readonly_exec, .token = SP_TOKEN_READONLY_EXEC},
    {.func = parse_global_strict, .token = SP_TOKEN_GLOBAL_STRICT},
diff --git a/src/sp_config.h b/src/sp_config.h
index 9d58359..b06e8be 100644
--- a/src/sp_config.h
+++ b/src/sp_config.h
@@ -28,6 +28,8 @@ typedef enum {
  SP_PHP_TYPE_REFERENCE = IS_REFERENCE
 } sp_php_type;
+typedef enum { SP_ZEND = 0, SP_SYSLOG = 1 } sp_log_media;
 typedef struct {
  int ip_version;
  union {
@@ -175,6 +177,7 @@ typedef struct {
  sp_config_wrapper *config_wrapper;
  sp_config_session *config_session;
  bool hook_execute;
+  char log_media;
  HashTable *config_disabled_functions;
  HashTable *config_disabled_functions_hooked;
@@ -260,6 +263,7 @@ typedef struct {
 // Global configuration options
 #define SP_TOKEN_ENCRYPTION_KEY ".secret_key("
 #define SP_TOKEN_ENV_VAR ".cookie_env_var("
+#define SP_TOKEN_LOG_MEDIA ".log_media("
 // upload_validator
 #define SP_TOKEN_UPLOAD_SCRIPT ".script("
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index abb3110..aebe45c 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -83,6 +83,25 @@ int parse_random(char *line) {
                      NULL);
 }
+int parse_log_media(char *line) {
+  size_t consumed = 0;
+  zend_string *value =
+      get_param(&consumed, line, SP_TYPE_STR, SP_TOKEN_LOG_MEDIA);
+  if (value) {
+    if (!strcmp(ZSTR_VAL(value), "php")) {
+      SNUFFLEUPAGUS_G(config).log_media = SP_ZEND;
+      return 0;
+    } else if (!strcmp(ZSTR_VAL(value), "syslog")) {
+      SNUFFLEUPAGUS_G(config).log_media = SP_SYSLOG;
+      return 0;
+    }
+  }
+  sp_log_err("config", "%s) only supports 'syslog' or 'php', on line %zu",
+             SP_TOKEN_LOG_MEDIA, sp_line_no);
+  return -1;
+}
 int parse_sloppy_comparison(char *line) {
  return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_sloppy->enable),
                      NULL);
diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h
index ab58456..a279cc9 100644
--- a/src/sp_config_keywords.h
+++ b/src/sp_config_keywords.h
@@ -17,5 +17,6 @@ int parse_eval_whitelist(char *line);
 int parse_session(char *line);
 int parse_sloppy_comparison(char *line);
 int parse_wrapper_whitelist(char *line);
+int parse_log_media(char *line);
 #endif  // __SP_CONFIG_KEYWORDS_H
diff --git a/src/sp_utils.c b/src/sp_utils.c
index 7641808..5ddf0b9 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -15,7 +15,24 @@ void sp_log_msg(char const* feature, int type, const char* fmt, ...) {
  vspprintf(&msg, 0, fmt, args);
  va_end(args);
-  zend_error(type, "[snuffleupagus][%s] %s", feature, msg);
+  switch (SNUFFLEUPAGUS_G(config).log_media) {
+    case SP_SYSLOG:
+      openlog(PHP_SNUFFLEUPAGUS_EXTNAME, LOG_PID, LOG_AUTH);
+      const char* error_filename = zend_get_executed_filename();
+      int syslog_level = SP_LOG_DROP ? LOG_ERR : LOG_INFO;
+      int error_lineno = zend_get_executed_lineno(TSRMLS_C);
+      syslog(syslog_level, "[%s] %s in %s on line %d", feature, msg,
+             error_filename, error_lineno);
+      closelog();
+      if (type == SP_LOG_DROP) {
+        zend_bailout();
+      }
+      break;
+    case SP_ZEND:
+    default:
+      zend_error(type, "[snuffleupagus][%s] %s", feature, msg);
+      break;
+  }
 }
 int compute_hash(const char* const filename, char* file_hash) {
diff --git a/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt b/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt
new file mode 100644
index 0000000..bcf7c01
--- /dev/null
+++ b/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Broken configuration filename with improper log media
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_log_media.ini
+--FILE--
+--EXPECTF--
+PHP Fatal error:  [snuffleupagus][config] .log_media() only supports 'syslog' or 'php', on line 1 in Unknown on line 0
+Fatal error: [snuffleupagus][config] .log_media() only supports 'syslog' or 'php', on line 1 in Unknown on line 0
+Fatal error: [snuffleupagus][config] Invalid configuration file in Unknown on line 0
+Could not startup.
diff --git a/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini b/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini
new file mode 100644
index 0000000..9e7cea0
--- /dev/null
+++ b/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini
@@ -0,0 +1 @@
+sp.log_media("pouet");
author	Thibault "bui" Koechlin	2019-08-31 15:32:36 +0200
committer	jvoisin	2019-08-31 13:32:36 +0000
commit	504f02992ace82a5520bc0ca43d9562c077a06e4 (patch)
tree	94934cf269abe7a8dbdf0a8bdb4ddb1d51cb4f30
parent	f7e25b29c1cd5273675dbb3d6883c40377d8315d (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index 89e063f..4be8db7 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -81,6 +81,24 @@ This configuration variable contains parameters that are used by multiple featur
81	- ``cookie_env_var``: A environment variable used as part of cookies encryption.	81	- ``cookie_env_var``: A environment variable used as part of cookies encryption.
82	See the :ref:`relevant documentation <config_cookie-encryption>`	82	See the :ref:`relevant documentation <config_cookie-encryption>`
83		83
		84	log_media
		85	^^^^^^^^^
		86
		87	This configuration variable allows to specify how logs should be written,
		88	either via ``php`` or ``syslog``.
		89
		90	::
		91
		92	sp.log_media("php");
		93	sp.log_media("syslog");
		94
		95	The default value for ``sp.log_media`` is ``php``, to respect the `principle of
		96	least astonishment
		97	<https://en.wikipedia.org/wiki/Principle_of_least_astonishment>`__. But since
		98	it's `possible to modify php's logging system via php
		99	<https://www.php.net/manual/en/errorfunc.configuration.php>`__, it's
		100	heavily recommended to use the ``syslog`` option instead.
		101
84		102
85	Bugclass-killer features	103	Bugclass-killer features
86	------------------------	104	------------------------


diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 43131fe..1c45653 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h
@@ -22,6 +22,7 @@
22	#include <sys/socket.h>	22	#include <sys/socket.h>
23	#include <sys/types.h>	23	#include <sys/types.h>
24	#include <sys/wait.h>	24	#include <sys/wait.h>
		25	#include <sys/syslog.h>
25		26
26	#include "SAPI.h"	27	#include "SAPI.h"
27	#include "ext/session/php_session.h"	28	#include "ext/session/php_session.h"


diff --git a/src/sp_config.c b/src/sp_config.c index 25223f2..69730e3 100644 --- a/src/sp_config.c +++ b/src/sp_config.c
@@ -9,6 +9,7 @@ size_t sp_line_no;
9	sp_config_tokens const sp_func[] = {	9	sp_config_tokens const sp_func[] = {
10	{.func = parse_unserialize, .token = SP_TOKEN_UNSERIALIZE_HMAC},	10	{.func = parse_unserialize, .token = SP_TOKEN_UNSERIALIZE_HMAC},
11	{.func = parse_random, .token = SP_TOKEN_HARDEN_RANDOM},	11	{.func = parse_random, .token = SP_TOKEN_HARDEN_RANDOM},
		12	{.func = parse_log_media, .token = SP_TOKEN_LOG_MEDIA},
12	{.func = parse_disabled_functions, .token = SP_TOKEN_DISABLE_FUNC},	13	{.func = parse_disabled_functions, .token = SP_TOKEN_DISABLE_FUNC},
13	{.func = parse_readonly_exec, .token = SP_TOKEN_READONLY_EXEC},	14	{.func = parse_readonly_exec, .token = SP_TOKEN_READONLY_EXEC},
14	{.func = parse_global_strict, .token = SP_TOKEN_GLOBAL_STRICT},	15	{.func = parse_global_strict, .token = SP_TOKEN_GLOBAL_STRICT},


diff --git a/src/sp_config.h b/src/sp_config.h index 9d58359..b06e8be 100644 --- a/src/sp_config.h +++ b/src/sp_config.h
@@ -28,6 +28,8 @@ typedef enum {
28	SP_PHP_TYPE_REFERENCE = IS_REFERENCE	28	SP_PHP_TYPE_REFERENCE = IS_REFERENCE
29	} sp_php_type;	29	} sp_php_type;
30		30
		31	typedef enum { SP_ZEND = 0, SP_SYSLOG = 1 } sp_log_media;
		32
31	typedef struct {	33	typedef struct {
32	int ip_version;	34	int ip_version;
33	union {	35	union {
@@ -175,6 +177,7 @@ typedef struct {
175	sp_config_wrapper *config_wrapper;	177	sp_config_wrapper *config_wrapper;
176	sp_config_session *config_session;	178	sp_config_session *config_session;
177	bool hook_execute;	179	bool hook_execute;
		180	char log_media;
178		181
179	HashTable *config_disabled_functions;	182	HashTable *config_disabled_functions;
180	HashTable *config_disabled_functions_hooked;	183	HashTable *config_disabled_functions_hooked;
@@ -260,6 +263,7 @@ typedef struct {
260	// Global configuration options	263	// Global configuration options
261	#define SP_TOKEN_ENCRYPTION_KEY ".secret_key("	264	#define SP_TOKEN_ENCRYPTION_KEY ".secret_key("
262	#define SP_TOKEN_ENV_VAR ".cookie_env_var("	265	#define SP_TOKEN_ENV_VAR ".cookie_env_var("
		266	#define SP_TOKEN_LOG_MEDIA ".log_media("
263		267
264	// upload_validator	268	// upload_validator
265	#define SP_TOKEN_UPLOAD_SCRIPT ".script("	269	#define SP_TOKEN_UPLOAD_SCRIPT ".script("


diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index abb3110..aebe45c 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -83,6 +83,25 @@ int parse_random(char *line) {
83	NULL);	83	NULL);
84	}	84	}
85		85
		86	int parse_log_media(char *line) {
		87	size_t consumed = 0;
		88	zend_string *value =
		89	get_param(&consumed, line, SP_TYPE_STR, SP_TOKEN_LOG_MEDIA);
		90
		91	if (value) {
		92	if (!strcmp(ZSTR_VAL(value), "php")) {
		93	SNUFFLEUPAGUS_G(config).log_media = SP_ZEND;
		94	return 0;
		95	} else if (!strcmp(ZSTR_VAL(value), "syslog")) {
		96	SNUFFLEUPAGUS_G(config).log_media = SP_SYSLOG;
		97	return 0;
		98	}
		99	}
		100	sp_log_err("config", "%s) only supports 'syslog' or 'php', on line %zu",
		101	SP_TOKEN_LOG_MEDIA, sp_line_no);
		102	return -1;
		103	}
		104
86	int parse_sloppy_comparison(char *line) {	105	int parse_sloppy_comparison(char *line) {
87	return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_sloppy->enable),	106	return parse_enable(line, &(SNUFFLEUPAGUS_G(config).config_sloppy->enable),
88	NULL);	107	NULL);


diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h index ab58456..a279cc9 100644 --- a/src/sp_config_keywords.h +++ b/src/sp_config_keywords.h
@@ -17,5 +17,6 @@ int parse_eval_whitelist(char *line);
17	int parse_session(char *line);	17	int parse_session(char *line);
18	int parse_sloppy_comparison(char *line);	18	int parse_sloppy_comparison(char *line);
19	int parse_wrapper_whitelist(char *line);	19	int parse_wrapper_whitelist(char *line);
		20	int parse_log_media(char *line);
20		21
21	#endif // __SP_CONFIG_KEYWORDS_H	22	#endif // __SP_CONFIG_KEYWORDS_H


diff --git a/src/sp_utils.c b/src/sp_utils.c index 7641808..5ddf0b9 100644 --- a/src/sp_utils.c +++ b/src/sp_utils.c
@@ -15,7 +15,24 @@ void sp_log_msg(char const* feature, int type, const char* fmt, ...) {
15	vspprintf(&msg, 0, fmt, args);	15	vspprintf(&msg, 0, fmt, args);
16	va_end(args);	16	va_end(args);
17		17
18	zend_error(type, "[snuffleupagus][%s] %s", feature, msg);	18	switch (SNUFFLEUPAGUS_G(config).log_media) {
		19	case SP_SYSLOG:
		20	openlog(PHP_SNUFFLEUPAGUS_EXTNAME, LOG_PID, LOG_AUTH);
		21	const char* error_filename = zend_get_executed_filename();
		22	int syslog_level = SP_LOG_DROP ? LOG_ERR : LOG_INFO;
		23	int error_lineno = zend_get_executed_lineno(TSRMLS_C);
		24	syslog(syslog_level, "[%s] %s in %s on line %d", feature, msg,
		25	error_filename, error_lineno);
		26	closelog();
		27	if (type == SP_LOG_DROP) {
		28	zend_bailout();
		29	}
		30	break;
		31	case SP_ZEND:
		32	default:
		33	zend_error(type, "[snuffleupagus][%s] %s", feature, msg);
		34	break;
		35	}
19	}	36	}
20		37
21	int compute_hash(const char* const filename, char* file_hash) {	38	int compute_hash(const char* const filename, char* file_hash) {


diff --git a/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt b/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt new file mode 100644 index 0000000..bcf7c01 --- /dev/null +++ b/src/tests/broken_configuration/broken_conf_invalid_log_media.phpt
@@ -0,0 +1,14 @@
		1	--TEST--
		2	Broken configuration filename with improper log media
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/broken_conf_invalid_log_media.ini
		7	--FILE--
		8	--EXPECTF--
		9	PHP Fatal error: [snuffleupagus][config] .log_media() only supports 'syslog' or 'php', on line 1 in Unknown on line 0
		10
		11	Fatal error: [snuffleupagus][config] .log_media() only supports 'syslog' or 'php', on line 1 in Unknown on line 0
		12
		13	Fatal error: [snuffleupagus][config] Invalid configuration file in Unknown on line 0
		14	Could not startup.


diff --git a/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini b/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini new file mode 100644 index 0000000..9e7cea0 --- /dev/null +++ b/src/tests/broken_configuration/config/broken_conf_invalid_log_media.ini
@@ -0,0 +1 @@
			sp.log_media("pouet");