Add an ugly hack to our parser to make the writing of configuration rules more obvious.

author: jvoisin 2018-01-12 16:05:19 +0100
committer: jvoisin 2018-01-12 16:57:42 +0100
commit: bbee5f1baec132f8b47ae80303ce22f7d7787cd8 (patch)
tree: 25a99787d40ec1e84310340d8df9809b9fa16dc8
parent: 44255b8dbf5c98c8d110c2e3918298ee6978b93c (diff)
9 files changed, 36 insertions, 25 deletions
diff --git a/doc/source/config.rst b/doc/source/config.rst
index 9244668..e0df244 100644
--- a/doc/source/config.rst
+++ b/doc/source/config.rst
@@ -276,7 +276,7 @@ In the situation where you have a call to ``system()`` that lacks proper user-in
 ::
   
  # Allow `id.php` to restrict system() calls to `id`
-  sp.disable_function.function("system").filename("id.php").param("$cmd").value("id").allow();
+  sp.disable_function.function("system").filename("id.php").param("cmd").value("id").allow();
  sp.disable_function.function("system").filename("id.php").drop()
 Of course, this is a trivial example,  a lot can be achieved with this feature, as you will see below.
@@ -387,9 +387,9 @@ The following rules will:
 ::
-  sp.disable_function.function("system").param("$cmd").value("id").allow();
+  sp.disable_function.function("system").param("cmd").value("id").allow();
-  sp.disable_function.function("system").param("$cmd").value_r("^ping").drop().simulation();
+  sp.disable_function.function("system").param("cmd").value_r("^ping").drop().simulation();
-  sp.disable_function.function("system").param("$cmd").drop();
+  sp.disable_function.function("system").param("cmd").drop();
 Miscellaneous examples
 """"""""""""""""""""""
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index c5cc950..dad538c 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -336,7 +336,18 @@ int parse_disabled_functions(char *line) {
  }
  if (param) {
-    df->param = parse_var(param);
+    if (strlen(param) > 0) {
+                        /* This is an ugly hack. We're prefixing with a `$` because otherwise
+                         * the parser treats this as a constant.
+                         * FIXME: Remote this, and improve our (weird) parser. */
+      char *new = pecalloc(strlen(param) + 2, 1, 1);
+      new[0] = '$';
+      memcpy(new + 1, param, strlen(param));
+      df->param = parse_var(new);
+      free(new);
+    } else {
+      df->param = parse_var(param);
+    }
    if (!df->param) {
      sp_log_err("config", "Invalid value '%s' for `param` on line %zu.", param,
                 sp_line_no);
diff --git a/src/tests/config/config_disabled_functions_name_type.ini b/src/tests/config/config_disabled_functions_name_type.ini
index c25b92c..25bdf98 100644
--- a/src/tests/config/config_disabled_functions_name_type.ini
+++ b/src/tests/config/config_disabled_functions_name_type.ini
@@ -1 +1 @@
-sp.disable_function.function_r("^strcmp$").param("$str1").param_type("array").drop();
+sp.disable_function.function_r("^strcmp$").param("str1").param_type("array").drop();
diff --git a/src/tests/config/config_disabled_functions_nul_byte.ini b/src/tests/config/config_disabled_functions_nul_byte.ini
index e664cba..9ead077 100644
--- a/src/tests/config/config_disabled_functions_nul_byte.ini
+++ b/src/tests/config/config_disabled_functions_nul_byte.ini
@@ -1 +1 @@
-sp.disable_function.function("system").param("$command").value_r("id").drop();
+sp.disable_function.function("system").param("command").value_r("id").drop();
diff --git a/src/tests/config/config_disabled_functions_param.ini b/src/tests/config/config_disabled_functions_param.ini
index dc1c949..87f1b3c 100644
--- a/src/tests/config/config_disabled_functions_param.ini
+++ b/src/tests/config/config_disabled_functions_param.ini
@@ -1,6 +1,6 @@
-sp.disable_function.function("system").param("$command").value_r("^id$").alias("1").drop();
+sp.disable_function.function("system").param("command").value_r("^id$").alias("1").drop();
-sp.disable_function.function("array_sum").param("$array").value_r("^8$").alias("2").drop();
+sp.disable_function.function("array_sum").param("array").value_r("^8$").alias("2").drop();
-sp.disable_function.function("shell_exec").param("$cmd").value("id").alias("3").drop();
+sp.disable_function.function("shell_exec").param("cmd").value("id").alias("3").drop();
-sp.disable_function.function("shell_exec").param("$cmd").value("bla").alias("4").drop();
+sp.disable_function.function("shell_exec").param("cmd").value("bla").alias("4").drop();
-sp.disable_function.function("strcmp").param("$str1").value("bla").alias("5").drop().simulation();
+sp.disable_function.function("strcmp").param("str1").value("bla").alias("5").drop().simulation();
-sp.disable_function.function("strncmp").param("$str1").value("bla").drop().simulation();
+sp.disable_function.function("strncmp").param("str1").value("bla").drop().simulation();
diff --git a/src/tests/config/config_disabled_functions_param_allow.ini b/src/tests/config/config_disabled_functions_param_allow.ini
index 27d919a..8e139e4 100644
--- a/src/tests/config/config_disabled_functions_param_allow.ini
+++ b/src/tests/config/config_disabled_functions_param_allow.ini
@@ -1,3 +1,3 @@
-sp.disable_function.function("system").param("$command").value("echo win").filename("/test.php").drop();
+sp.disable_function.function("system").param("command").value("echo win").filename("/test.php").drop();
-sp.disable_function.function("system").param("$command").value("echo win").allow();
+sp.disable_function.function("system").param("command").value("echo win").allow();
 sp.disable_function.function("system").drop();
diff --git a/src/tests/config/config_disabled_functions_param_array.ini b/src/tests/config/config_disabled_functions_param_array.ini
index 6fe0615..f676d76 100644
--- a/src/tests/config/config_disabled_functions_param_array.ini
+++ b/src/tests/config/config_disabled_functions_param_array.ini
@@ -1,7 +1,7 @@
-sp.disable_function.function("foo").param("$arr[a]").value("abcd").alias("1").drop();
+sp.disable_function.function("foo").param("arr[a]").value("abcd").alias("1").drop();
-sp.disable_function.function("foo").param("$arr[bla]").value("abcdef").alias("2").drop();
+sp.disable_function.function("foo").param("arr[bla]").value("abcdef").alias("2").drop();
-sp.disable_function.function("foo").param("$arr[test]").alias("3").drop();
+sp.disable_function.function("foo").param("arr[test]").alias("3").drop();
-sp.disable_function.function("foo").param("$arr[test2][foo]").value("aaa").alias("4").drop();
+sp.disable_function.function("foo").param("arr[test2][foo]").value("aaa").alias("4").drop();
-sp.disable_function.function("foo").param("$arr[test2][bar]").key("lol").alias("5").drop();
+sp.disable_function.function("foo").param("arr[test2][bar]").key("lol").alias("5").drop();
-sp.disable_function.function("foo").param("$arr[test2][bar]").key("123").alias("6").drop();
+sp.disable_function.function("foo").param("arr[test2][bar]").key("123").alias("6").drop();
-sp.disable_function.function("foo").param("$qwe[a]").value("abcd").alias("7").drop();
+sp.disable_function.function("foo").param("qwe[a]").value("abcd").alias("7").drop();
diff --git a/src/tests/config/config_disabled_functions_param_int.ini b/src/tests/config/config_disabled_functions_param_int.ini
index 2a7d962..1c93c2f 100644
--- a/src/tests/config/config_disabled_functions_param_int.ini
+++ b/src/tests/config/config_disabled_functions_param_int.ini
@@ -1,2 +1,2 @@
-sp.disable_function.function("foobar").param("$id").value("42").drop();
+sp.disable_function.function("foobar").param("id").value("42").drop();
-sp.disable_function.function("foobar").param("$id").value_r("^1337").drop();
+sp.disable_function.function("foobar").param("id").value_r("^1337").drop();
diff --git a/src/tests/config/config_disabled_functions_param_runtime.ini b/src/tests/config/config_disabled_functions_param_runtime.ini
index e9d44a2..e7a011f 100644
--- a/src/tests/config/config_disabled_functions_param_runtime.ini
+++ b/src/tests/config/config_disabled_functions_param_runtime.ini
@@ -1 +1 @@
-sp.disable_function.function("test").param("$param").value_r("1337").drop();
+sp.disable_function.function("test").param("param").value_r("1337").drop();
author	jvoisin	2018-01-12 16:05:19 +0100
committer	jvoisin	2018-01-12 16:57:42 +0100
commit	bbee5f1baec132f8b47ae80303ce22f7d7787cd8 (patch)
tree	25a99787d40ec1e84310340d8df9809b9fa16dc8
parent	44255b8dbf5c98c8d110c2e3918298ee6978b93c (diff)

diff --git a/doc/source/config.rst b/doc/source/config.rst index 9244668..e0df244 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst
@@ -276,7 +276,7 @@ In the situation where you have a call to ``system()`` that lacks proper user-in
276	::	276	::
277		277
278	# Allow `id.php` to restrict system() calls to `id`	278	# Allow `id.php` to restrict system() calls to `id`
279	sp.disable_function.function("system").filename("id.php").param("$cmd").value("id").allow();	279	sp.disable_function.function("system").filename("id.php").param("cmd").value("id").allow();
280	sp.disable_function.function("system").filename("id.php").drop()	280	sp.disable_function.function("system").filename("id.php").drop()
281		281
282	Of course, this is a trivial example, a lot can be achieved with this feature, as you will see below.	282	Of course, this is a trivial example, a lot can be achieved with this feature, as you will see below.
@@ -387,9 +387,9 @@ The following rules will:
387		387
388	::	388	::
389		389
390	sp.disable_function.function("system").param("$cmd").value("id").allow();	390	sp.disable_function.function("system").param("cmd").value("id").allow();
391	sp.disable_function.function("system").param("$cmd").value_r("^ping").drop().simulation();	391	sp.disable_function.function("system").param("cmd").value_r("^ping").drop().simulation();
392	sp.disable_function.function("system").param("$cmd").drop();	392	sp.disable_function.function("system").param("cmd").drop();
393		393
394	Miscellaneous examples	394	Miscellaneous examples
395	""""""""""""""""""""""	395	""""""""""""""""""""""


diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index c5cc950..dad538c 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -336,7 +336,18 @@ int parse_disabled_functions(char *line) {
336	}	336	}
337		337
338	if (param) {	338	if (param) {
339	df->param = parse_var(param);	339	if (strlen(param) > 0) {
		340	/* This is an ugly hack. We're prefixing with a `$` because otherwise
		341	* the parser treats this as a constant.
		342	* FIXME: Remote this, and improve our (weird) parser. */
		343	char *new = pecalloc(strlen(param) + 2, 1, 1);
		344	new[0] = '$';
		345	memcpy(new + 1, param, strlen(param));
		346	df->param = parse_var(new);
		347	free(new);
		348	} else {
		349	df->param = parse_var(param);
		350	}
340	if (!df->param) {	351	if (!df->param) {
341	sp_log_err("config", "Invalid value '%s' for `param` on line %zu.", param,	352	sp_log_err("config", "Invalid value '%s' for `param` on line %zu.", param,
342	sp_line_no);	353	sp_line_no);


diff --git a/src/tests/config/config_disabled_functions_name_type.ini b/src/tests/config/config_disabled_functions_name_type.ini index c25b92c..25bdf98 100644 --- a/src/tests/config/config_disabled_functions_name_type.ini +++ b/src/tests/config/config_disabled_functions_name_type.ini
@@ -1 +1 @@
	sp.disable_function.function_r("^strcmp$").param("$str1").param_type("array").drop();		sp.disable_function.function_r("^strcmp$").param("str1").param_type("array").drop();


diff --git a/src/tests/config/config_disabled_functions_nul_byte.ini b/src/tests/config/config_disabled_functions_nul_byte.ini index e664cba..9ead077 100644 --- a/src/tests/config/config_disabled_functions_nul_byte.ini +++ b/src/tests/config/config_disabled_functions_nul_byte.ini
@@ -1 +1 @@
	sp.disable_function.function("system").param("$command").value_r("id").drop();		sp.disable_function.function("system").param("command").value_r("id").drop();


diff --git a/src/tests/config/config_disabled_functions_param.ini b/src/tests/config/config_disabled_functions_param.ini index dc1c949..87f1b3c 100644 --- a/src/tests/config/config_disabled_functions_param.ini +++ b/src/tests/config/config_disabled_functions_param.ini
@@ -1,6 +1,6 @@
1	sp.disable_function.function("system").param("$command").value_r("^id$").alias("1").drop();	1	sp.disable_function.function("system").param("command").value_r("^id$").alias("1").drop();
2	sp.disable_function.function("array_sum").param("$array").value_r("^8$").alias("2").drop();	2	sp.disable_function.function("array_sum").param("array").value_r("^8$").alias("2").drop();
3	sp.disable_function.function("shell_exec").param("$cmd").value("id").alias("3").drop();	3	sp.disable_function.function("shell_exec").param("cmd").value("id").alias("3").drop();
4	sp.disable_function.function("shell_exec").param("$cmd").value("bla").alias("4").drop();	4	sp.disable_function.function("shell_exec").param("cmd").value("bla").alias("4").drop();
5	sp.disable_function.function("strcmp").param("$str1").value("bla").alias("5").drop().simulation();	5	sp.disable_function.function("strcmp").param("str1").value("bla").alias("5").drop().simulation();
6	sp.disable_function.function("strncmp").param("$str1").value("bla").drop().simulation();	6	sp.disable_function.function("strncmp").param("str1").value("bla").drop().simulation();


diff --git a/src/tests/config/config_disabled_functions_param_allow.ini b/src/tests/config/config_disabled_functions_param_allow.ini index 27d919a..8e139e4 100644 --- a/src/tests/config/config_disabled_functions_param_allow.ini +++ b/src/tests/config/config_disabled_functions_param_allow.ini
@@ -1,3 +1,3 @@
1	sp.disable_function.function("system").param("$command").value("echo win").filename("/test.php").drop();	1	sp.disable_function.function("system").param("command").value("echo win").filename("/test.php").drop();
2	sp.disable_function.function("system").param("$command").value("echo win").allow();	2	sp.disable_function.function("system").param("command").value("echo win").allow();
3	sp.disable_function.function("system").drop();	3	sp.disable_function.function("system").drop();


diff --git a/src/tests/config/config_disabled_functions_param_array.ini b/src/tests/config/config_disabled_functions_param_array.ini index 6fe0615..f676d76 100644 --- a/src/tests/config/config_disabled_functions_param_array.ini +++ b/src/tests/config/config_disabled_functions_param_array.ini
@@ -1,7 +1,7 @@
1	sp.disable_function.function("foo").param("$arr[a]").value("abcd").alias("1").drop();	1	sp.disable_function.function("foo").param("arr[a]").value("abcd").alias("1").drop();
2	sp.disable_function.function("foo").param("$arr[bla]").value("abcdef").alias("2").drop();	2	sp.disable_function.function("foo").param("arr[bla]").value("abcdef").alias("2").drop();
3	sp.disable_function.function("foo").param("$arr[test]").alias("3").drop();	3	sp.disable_function.function("foo").param("arr[test]").alias("3").drop();
4	sp.disable_function.function("foo").param("$arr[test2][foo]").value("aaa").alias("4").drop();	4	sp.disable_function.function("foo").param("arr[test2][foo]").value("aaa").alias("4").drop();
5	sp.disable_function.function("foo").param("$arr[test2][bar]").key("lol").alias("5").drop();	5	sp.disable_function.function("foo").param("arr[test2][bar]").key("lol").alias("5").drop();
6	sp.disable_function.function("foo").param("$arr[test2][bar]").key("123").alias("6").drop();	6	sp.disable_function.function("foo").param("arr[test2][bar]").key("123").alias("6").drop();
7	sp.disable_function.function("foo").param("$qwe[a]").value("abcd").alias("7").drop();	7	sp.disable_function.function("foo").param("qwe[a]").value("abcd").alias("7").drop();


diff --git a/src/tests/config/config_disabled_functions_param_int.ini b/src/tests/config/config_disabled_functions_param_int.ini index 2a7d962..1c93c2f 100644 --- a/src/tests/config/config_disabled_functions_param_int.ini +++ b/src/tests/config/config_disabled_functions_param_int.ini
@@ -1,2 +1,2 @@
1	sp.disable_function.function("foobar").param("$id").value("42").drop();	1	sp.disable_function.function("foobar").param("id").value("42").drop();
2	sp.disable_function.function("foobar").param("$id").value_r("^1337").drop();	2	sp.disable_function.function("foobar").param("id").value_r("^1337").drop();


diff --git a/src/tests/config/config_disabled_functions_param_runtime.ini b/src/tests/config/config_disabled_functions_param_runtime.ini index e9d44a2..e7a011f 100644 --- a/src/tests/config/config_disabled_functions_param_runtime.ini +++ b/src/tests/config/config_disabled_functions_param_runtime.ini
@@ -1 +1 @@
	sp.disable_function.function("test").param("$param").value_r("1337").drop();		sp.disable_function.function("test").param("param").value_r("1337").drop();