Implement anti csrf measures

This is done by using the "samesite" cookie attribute.
author: xXx-caillou-xXx 2017-11-24 14:03:37 +0100
committer: jvoisin 2017-11-24 14:03:37 +0100
commit: 5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree: 8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /src/snuffleupagus.c
parent: 79304a29661476dc75bba07c5a83133122bbcb5c (diff)
1 files changed, 7 insertions, 8 deletions
diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c
index e453587..9467a5d 100644
--- a/src/snuffleupagus.c
+++ b/src/snuffleupagus.c
@@ -71,14 +71,13 @@ PHP_GINIT_FUNCTION(snuffleupagus) {
  SP_INIT(snuffleupagus_globals->config.config_upload_validation);
  SP_INIT(snuffleupagus_globals->config.config_disabled_functions);
  SP_INIT(snuffleupagus_globals->config.config_disabled_functions_ret);
-  SP_INIT(snuffleupagus_globals->config.config_cookie_encryption);
+  SP_INIT(snuffleupagus_globals->config.config_cookie);
  SP_INIT(snuffleupagus_globals->config.config_disabled_constructs);
  snuffleupagus_globals->config.config_disabled_constructs->construct_include = sp_list_new();
  snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_list_new();
  snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_list_new();
+  SP_INIT_HT(snuffleupagus_globals->config.config_cookie->cookies);
-  SP_INIT_HT(snuffleupagus_globals->config.config_cookie_encryption->names);
 #undef SP_INIT
 #undef SP_INIT_HT
@@ -96,7 +95,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
  pefree(SNUFFLEUPAGUS_G(F), 1);
  FREE_HT(disabled_functions_hook);
-  FREE_HT(config.config_cookie_encryption->names);
+  FREE_HT(config.config_cookie->cookies);
 #undef FREE_HT
@@ -108,7 +107,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
  pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1);
  pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);
  pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1);
-  pefree(SNUFFLEUPAGUS_G(config.config_cookie_encryption), 1);
 #define FREE_LST(L) \
  do { \
@@ -126,6 +124,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
  pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1);
  pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1);
  pefree(SNUFFLEUPAGUS_G(config.config_disabled_constructs), 1);
+  pefree(SNUFFLEUPAGUS_G(config.config_cookie), 1);
  UNREGISTER_INI_ENTRIES();
@@ -137,9 +136,9 @@ PHP_RINIT_FUNCTION(snuffleupagus) {
  ZEND_TSRMLS_CACHE_UPDATE();
 #endif
  if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) {
-    if (NULL != SNUFFLEUPAGUS_G(config).config_cookie_encryption->names) {
+    if (NULL != SNUFFLEUPAGUS_G(config).config_cookie->cookies) {
      zend_hash_apply_with_arguments(
-          Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0);
+          Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0);
    }
  }
  return SUCCESS;
@@ -190,8 +189,8 @@ static PHP_INI_MH(OnUpdateConfiguration) {
    if (SNUFFLEUPAGUS_G(config).config_unserialize->enable) {
      hook_serialize();
    }
-    hook_cookies();
  }
+  hook_cookies();
  if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) {
    if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) {
author	xXx-caillou-xXx	2017-11-24 14:03:37 +0100
committer	jvoisin	2017-11-24 14:03:37 +0100
commit	5a224ee0c92d1639395d6a0c629316ae64226125 (patch)
tree	8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /src/snuffleupagus.c
parent	79304a29661476dc75bba07c5a83133122bbcb5c (diff)

diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c index e453587..9467a5d 100644 --- a/src/snuffleupagus.c +++ b/src/snuffleupagus.c
@@ -71,14 +71,13 @@ PHP_GINIT_FUNCTION(snuffleupagus) {
71	SP_INIT(snuffleupagus_globals->config.config_upload_validation);	71	SP_INIT(snuffleupagus_globals->config.config_upload_validation);
72	SP_INIT(snuffleupagus_globals->config.config_disabled_functions);	72	SP_INIT(snuffleupagus_globals->config.config_disabled_functions);
73	SP_INIT(snuffleupagus_globals->config.config_disabled_functions_ret);	73	SP_INIT(snuffleupagus_globals->config.config_disabled_functions_ret);
74	SP_INIT(snuffleupagus_globals->config.config_cookie_encryption);	74	SP_INIT(snuffleupagus_globals->config.config_cookie);
75	SP_INIT(snuffleupagus_globals->config.config_disabled_constructs);	75	SP_INIT(snuffleupagus_globals->config.config_disabled_constructs);
76		76
77	snuffleupagus_globals->config.config_disabled_constructs->construct_include = sp_list_new();	77	snuffleupagus_globals->config.config_disabled_constructs->construct_include = sp_list_new();
78	snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_list_new();	78	snuffleupagus_globals->config.config_disabled_functions->disabled_functions = sp_list_new();
79	snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_list_new();	79	snuffleupagus_globals->config.config_disabled_functions_ret->disabled_functions = sp_list_new();
80		80	SP_INIT_HT(snuffleupagus_globals->config.config_cookie->cookies);
81	SP_INIT_HT(snuffleupagus_globals->config.config_cookie_encryption->names);
82		81
83	#undef SP_INIT	82	#undef SP_INIT
84	#undef SP_INIT_HT	83	#undef SP_INIT_HT
@@ -96,7 +95,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
96	pefree(SNUFFLEUPAGUS_G(F), 1);	95	pefree(SNUFFLEUPAGUS_G(F), 1);
97		96
98	FREE_HT(disabled_functions_hook);	97	FREE_HT(disabled_functions_hook);
99	FREE_HT(config.config_cookie_encryption->names);	98	FREE_HT(config.config_cookie->cookies);
100		99
101	#undef FREE_HT	100	#undef FREE_HT
102		101
@@ -108,7 +107,6 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
108	pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1);	107	pefree(SNUFFLEUPAGUS_G(config.config_snuffleupagus), 1);
109	pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);	108	pefree(SNUFFLEUPAGUS_G(config.config_disable_xxe), 1);
110	pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1);	109	pefree(SNUFFLEUPAGUS_G(config.config_upload_validation), 1);
111	pefree(SNUFFLEUPAGUS_G(config.config_cookie_encryption), 1);
112		110
113	#define FREE_LST(L) \	111	#define FREE_LST(L) \
114	do { \	112	do { \
@@ -126,6 +124,7 @@ PHP_MSHUTDOWN_FUNCTION(snuffleupagus) {
126	pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1);	124	pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions), 1);
127	pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1);	125	pefree(SNUFFLEUPAGUS_G(config.config_disabled_functions_ret), 1);
128	pefree(SNUFFLEUPAGUS_G(config.config_disabled_constructs), 1);	126	pefree(SNUFFLEUPAGUS_G(config.config_disabled_constructs), 1);
		127	pefree(SNUFFLEUPAGUS_G(config.config_cookie), 1);
129		128
130	UNREGISTER_INI_ENTRIES();	129	UNREGISTER_INI_ENTRIES();
131		130
@@ -137,9 +136,9 @@ PHP_RINIT_FUNCTION(snuffleupagus) {
137	ZEND_TSRMLS_CACHE_UPDATE();	136	ZEND_TSRMLS_CACHE_UPDATE();
138	#endif	137	#endif
139	if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) {	138	if (NULL != SNUFFLEUPAGUS_G(config).config_snuffleupagus->encryption_key) {
140	if (NULL != SNUFFLEUPAGUS_G(config).config_cookie_encryption->names) {	139	if (NULL != SNUFFLEUPAGUS_G(config).config_cookie->cookies) {
141	zend_hash_apply_with_arguments(	140	zend_hash_apply_with_arguments(
142	Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0);	141	Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]), decrypt_cookie, 0);
143	}	142	}
144	}	143	}
145	return SUCCESS;	144	return SUCCESS;
@@ -190,8 +189,8 @@ static PHP_INI_MH(OnUpdateConfiguration) {
190	if (SNUFFLEUPAGUS_G(config).config_unserialize->enable) {	189	if (SNUFFLEUPAGUS_G(config).config_unserialize->enable) {
191	hook_serialize();	190	hook_serialize();
192	}	191	}
193	hook_cookies();
194	}	192	}
		193	hook_cookies();
195		194
196	if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) {	195	if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) {
197	if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) {	196	if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) {