| author | jvoisin | 2022-03-20 18:20:45 +0100 |
|---|---|---|
| committer | jvoisin | 2022-03-20 18:20:45 +0100 |
| commit | 81dd7f2ef07af306fe83d7755cbac4529aa9fc8d (patch) | |
| tree | 32cc44c6231b30db5ac7b15699297863460784aa /src/sp_config.h | |
| parent | 83b01942dfc80474cc05e09aeef4b44307a7120b (diff) | |
| parent | c38df1077a6c1dfbca1baca049214d053e2e7684 (diff) | |
Merge remote-tracking branch 'sektioneins/master'
Diffstat (limited to 'src/sp_config.h')
| -rw-r--r-- | src/sp_config.h | 248 |
1 files changed, 131 insertions, 117 deletions
diff --git a/src/sp_config.h b/src/sp_config.h index e7b1473..6d48240 100644 --- a/src/sp_config.h +++ b/src/sp_config.h | |||
| @@ -5,15 +5,6 @@ | |||
| 5 | #include <netinet/in.h> | 5 | #include <netinet/in.h> |
| 6 | #include <sys/socket.h> | 6 | #include <sys/socket.h> |
| 7 | 7 | ||
| 8 | extern size_t sp_line_no; | ||
| 9 | |||
| 10 | typedef enum { | ||
| 11 | SP_TYPE_STR = 0, | ||
| 12 | SP_TYPE_REGEXP, | ||
| 13 | SP_TYPE_INT, | ||
| 14 | SP_TYPE_EMPTY | ||
| 15 | } sp_type; | ||
| 16 | |||
| 17 | typedef enum { | 8 | typedef enum { |
| 18 | SP_PHP_TYPE_UNDEF = IS_UNDEF, | 9 | SP_PHP_TYPE_UNDEF = IS_UNDEF, |
| 19 | SP_PHP_TYPE_NULL = IS_NULL, | 10 | SP_PHP_TYPE_NULL = IS_NULL, |
| @@ -30,6 +21,8 @@ typedef enum { | |||
| 30 | 21 | ||
| 31 | typedef enum { SP_ZEND = 0, SP_SYSLOG = 1 } sp_log_media; | 22 | typedef enum { SP_ZEND = 0, SP_SYSLOG = 1 } sp_log_media; |
| 32 | 23 | ||
| 24 | typedef enum { SP_UNSET = 0, SP_READONLY = 1, SP_READWRITE = -1 } sp_ini_permission; | ||
| 25 | |||
| 33 | typedef struct { | 26 | typedef struct { |
| 34 | int ip_version; | 27 | int ip_version; |
| 35 | union { | 28 | union { |
| @@ -40,11 +33,6 @@ typedef struct { | |||
| 40 | } sp_cidr; | 33 | } sp_cidr; |
| 41 | 34 | ||
| 42 | typedef struct { | 35 | typedef struct { |
| 43 | zend_string *encryption_key; | ||
| 44 | zend_string *cookies_env_var; | ||
| 45 | } sp_config_global; | ||
| 46 | |||
| 47 | typedef struct { | ||
| 48 | bool enable; | 36 | bool enable; |
| 49 | bool simulation; | 37 | bool simulation; |
| 50 | zend_string *dump; | 38 | zend_string *dump; |
| @@ -69,13 +57,13 @@ typedef struct { | |||
| 69 | 57 | ||
| 70 | typedef struct { | 58 | typedef struct { |
| 71 | bool enable; | 59 | bool enable; |
| 72 | } sp_config_disable_xxe; | 60 | } sp_config_xxe_protection; |
| 73 | 61 | ||
| 74 | typedef struct { | 62 | typedef struct { |
| 75 | enum samesite_type { strict = 1, lax = 2 } samesite; | 63 | enum samesite_type { strict = 1, lax = 2 } samesite; |
| 76 | bool encrypt; | 64 | bool encrypt; |
| 77 | zend_string *name; | 65 | zend_string *name; |
| 78 | sp_pcre *name_r; | 66 | sp_regexp *name_r; |
| 79 | bool simulation; | 67 | bool simulation; |
| 80 | } sp_cookie; | 68 | } sp_cookie; |
| 81 | 69 | ||
| @@ -88,6 +76,8 @@ typedef struct { | |||
| 88 | typedef struct { | 76 | typedef struct { |
| 89 | bool encrypt; | 77 | bool encrypt; |
| 90 | bool simulation; | 78 | bool simulation; |
| 79 | u_long sid_min_length; | ||
| 80 | u_long sid_max_length; | ||
| 91 | } sp_config_session; | 81 | } sp_config_session; |
| 92 | 82 | ||
| 93 | typedef struct { | 83 | typedef struct { |
| @@ -101,37 +91,37 @@ typedef struct { | |||
| 101 | zend_string *textual_representation; | 91 | zend_string *textual_representation; |
| 102 | 92 | ||
| 103 | zend_string *filename; | 93 | zend_string *filename; |
| 104 | sp_pcre *r_filename; | 94 | sp_regexp *r_filename; |
| 105 | 95 | ||
| 106 | zend_string *function; | 96 | zend_string *function; |
| 107 | sp_pcre *r_function; | 97 | sp_regexp *r_function; |
| 108 | sp_list_node *functions_list; | 98 | sp_list_node *functions_list; |
| 109 | 99 | ||
| 110 | zend_string *hash; | 100 | zend_string *hash; |
| 111 | int simulation; | 101 | int simulation; |
| 112 | 102 | ||
| 113 | sp_tree *param; | 103 | sp_tree *param; |
| 114 | sp_pcre *r_param; | 104 | sp_regexp *r_param; |
| 115 | sp_php_type param_type; | 105 | sp_php_type param_type; |
| 116 | int pos; | 106 | int pos; |
| 117 | unsigned int line; | 107 | unsigned int line; |
| 118 | 108 | ||
| 119 | sp_pcre *r_ret; | 109 | sp_regexp *r_ret; |
| 120 | zend_string *ret; | 110 | zend_string *ret; |
| 121 | sp_php_type ret_type; | 111 | sp_php_type ret_type; |
| 122 | 112 | ||
| 123 | sp_pcre *r_value; | 113 | sp_regexp *r_value; |
| 124 | zend_string *value; | 114 | zend_string *value; |
| 125 | 115 | ||
| 126 | sp_pcre *r_key; | 116 | sp_regexp *r_key; |
| 127 | zend_string *key; | 117 | zend_string *key; |
| 128 | 118 | ||
| 129 | zend_string *dump; | 119 | zend_string *dump; |
| 130 | zend_string *alias; | 120 | zend_string *alias; |
| 131 | bool param_is_array; | 121 | bool param_is_array; |
| 132 | bool var_is_array; | 122 | bool var_is_array; |
| 133 | sp_list_node *param_array_keys; | 123 | // sp_list_node *param_array_keys; |
| 134 | sp_list_node *var_array_keys; | 124 | // sp_list_node *var_array_keys; |
| 135 | 125 | ||
| 136 | bool allow; | 126 | bool allow; |
| 137 | 127 | ||
| @@ -163,125 +153,149 @@ typedef struct { | |||
| 163 | } sp_config_upload_validation; | 153 | } sp_config_upload_validation; |
| 164 | 154 | ||
| 165 | typedef struct { | 155 | typedef struct { |
| 166 | sp_config_random *config_random; | 156 | zend_string *key; |
| 167 | sp_config_sloppy *config_sloppy; | 157 | sp_ini_permission access; |
| 168 | sp_config_unserialize *config_unserialize; | 158 | zend_string *min; |
| 169 | sp_config_readonly_exec *config_readonly_exec; | 159 | zend_string *max; |
| 170 | sp_config_upload_validation *config_upload_validation; | 160 | sp_regexp *regexp; |
| 171 | sp_config_cookie *config_cookie; | 161 | zend_string *msg; |
| 172 | sp_config_global *config_snuffleupagus; | 162 | zend_string *set; |
| 173 | sp_config_auto_cookie_secure *config_auto_cookie_secure; | 163 | bool allow_null; |
| 174 | sp_config_global_strict *config_global_strict; | 164 | bool simulation; |
| 175 | sp_config_disable_xxe *config_disable_xxe; | 165 | bool drop; |
| 176 | sp_config_eval *config_eval; | 166 | PHP_INI_MH((*orig_onmodify)); |
| 177 | sp_config_wrapper *config_wrapper; | 167 | } sp_ini_entry; |
| 178 | sp_config_session *config_session; | 168 | |
| 179 | bool hook_execute; | 169 | typedef struct { |
| 180 | char log_media; | 170 | bool enable; |
| 171 | bool simulation; | ||
| 172 | bool policy_readonly; | ||
| 173 | bool policy_silent_ro; | ||
| 174 | bool policy_silent_fail; | ||
| 175 | bool policy_drop; | ||
| 176 | HashTable *entries; // ht of sp_ini_entry | ||
| 177 | } sp_config_ini; | ||
| 181 | 178 | ||
| 182 | HashTable *config_disabled_functions; | 179 | #define SP_PARSE_FN_(fname, kwvar) int fname(char *token, sp_parsed_keyword *kwvar, void *retval) |
| 183 | HashTable *config_disabled_functions_hooked; | 180 | #define SP_PARSE_FN(fname) SP_PARSE_FN_(fname, parsed_rule) |
| 184 | HashTable *config_disabled_functions_ret; | 181 | #define SP_PARSEKW_FN(fname) SP_PARSE_FN_(fname, kw) |
| 185 | HashTable *config_disabled_functions_ret_hooked; | ||
| 186 | sp_config_disabled_functions *config_disabled_functions_reg; | ||
| 187 | sp_config_disabled_functions *config_disabled_functions_reg_ret; | ||
| 188 | } sp_config; | ||
| 189 | 182 | ||
| 190 | typedef struct { | 183 | typedef struct { |
| 191 | int (*func)(char *, char *, void *); | 184 | SP_PARSE_FN((*func)); |
| 192 | char *token; | 185 | char *token; |
| 193 | void *retval; | 186 | void *retval; |
| 194 | } sp_config_functions; | 187 | } sp_config_keyword; |
| 195 | 188 | ||
| 196 | typedef struct { | 189 | #define SP_PARSER_SUCCESS 0 |
| 197 | int (*func)(char *); | 190 | #define SP_PARSER_ERROR -1 |
| 198 | char *token; | 191 | #define SP_PARSER_STOP 1 |
| 199 | } sp_config_tokens; | ||
| 200 | 192 | ||
| 201 | #define SP_TOKEN_BASE "sp" | 193 | // #define SP_TOKEN_BASE "sp" |
| 202 | 194 | ||
| 203 | #define SP_TOKEN_AUTO_COOKIE_SECURE ".auto_cookie_secure" | 195 | #define SP_TOKEN_AUTO_COOKIE_SECURE "auto_cookie_secure" |
| 204 | #define SP_TOKEN_COOKIE_ENCRYPTION ".cookie" | 196 | #define SP_TOKEN_COOKIE_ENCRYPTION "cookie" |
| 205 | #define SP_TOKEN_SESSION_ENCRYPTION ".session" | 197 | #define SP_TOKEN_SESSION_ENCRYPTION "session" |
| 206 | #define SP_TOKEN_DISABLE_FUNC ".disable_function" | 198 | #define SP_TOKEN_DISABLE_FUNC "disable_function" |
| 207 | #define SP_TOKEN_GLOBAL ".global" | 199 | #define SP_TOKEN_GLOBAL "global" |
| 208 | #define SP_TOKEN_GLOBAL_STRICT ".global_strict" | 200 | #define SP_TOKEN_GLOBAL_STRICT "global_strict" |
| 209 | #define SP_TOKEN_HARDEN_RANDOM ".harden_random" | 201 | #define SP_TOKEN_HARDEN_RANDOM "harden_random" |
| 210 | #define SP_TOKEN_READONLY_EXEC ".readonly_exec" | 202 | #define SP_TOKEN_READONLY_EXEC "readonly_exec" |
| 211 | #define SP_TOKEN_UNSERIALIZE_HMAC ".unserialize_hmac" | 203 | #define SP_TOKEN_UNSERIALIZE_HMAC "unserialize_hmac" |
| 212 | #define SP_TOKEN_UPLOAD_VALIDATION ".upload_validation" | 204 | #define SP_TOKEN_UPLOAD_VALIDATION "upload_validation" |
| 213 | #define SP_TOKEN_DISABLE_XXE ".disable_xxe" | 205 | #define SP_TOKEN_XXE_PROTECTION "xxe_protection" |
| 214 | #define SP_TOKEN_EVAL_BLACKLIST ".eval_blacklist" | 206 | #define SP_TOKEN_EVAL_BLACKLIST "eval_blacklist" |
| 215 | #define SP_TOKEN_EVAL_WHITELIST ".eval_whitelist" | 207 | #define SP_TOKEN_EVAL_WHITELIST "eval_whitelist" |
| 216 | #define SP_TOKEN_SLOPPY_COMPARISON ".sloppy_comparison" | 208 | #define SP_TOKEN_SLOPPY_COMPARISON "sloppy_comparison" |
| 217 | #define SP_TOKEN_ALLOW_WRAPPERS ".wrappers_whitelist" | 209 | #define SP_TOKEN_ALLOW_WRAPPERS "wrappers_whitelist" |
| 210 | #define SP_TOKEN_INI_PROTECTION "ini_protection" | ||
| 211 | #define SP_TOKEN_INI "ini" | ||
| 218 | 212 | ||
| 219 | // common tokens | 213 | // common tokens |
| 220 | #define SP_TOKEN_ENABLE ".enable(" | 214 | #define SP_TOKEN_ENABLE "enable" |
| 221 | #define SP_TOKEN_DISABLE ".disable(" | 215 | #define SP_TOKEN_DISABLE "disable" |
| 222 | #define SP_TOKEN_SIMULATION ".simulation(" | 216 | #define SP_TOKEN_SIMULATION "simulation" |
| 223 | #define SP_TOKEN_TRUE "1" | 217 | #define SP_TOKEN_SIM "sim" |
| 224 | #define SP_TOKEN_FALSE "0" | 218 | // #define SP_TOKEN_TRUE "1" |
| 225 | #define SP_TOKEN_DUMP ".dump(" | 219 | // #define SP_TOKEN_FALSE "0" |
| 226 | #define SP_TOKEN_ALIAS ".alias(" | 220 | #define SP_TOKEN_DUMP "dump" |
| 227 | #define SP_TOKEN_ALLOW ".allow(" | 221 | #define SP_TOKEN_ALIAS "alias" |
| 228 | #define SP_TOKEN_DROP ".drop(" | 222 | #define SP_TOKEN_ALLOW "allow" |
| 229 | 223 | #define SP_TOKEN_DROP "drop" | |
| 230 | #define SP_TOKEN_END_PARAM ')' | ||
| 231 | 224 | ||
| 232 | // disable_function | 225 | // disable_function |
| 233 | #define SP_TOKEN_CIDR ".cidr(" | 226 | #define SP_TOKEN_CIDR "cidr" |
| 234 | #define SP_TOKEN_FILENAME ".filename(" | 227 | #define SP_TOKEN_FILENAME "filename" |
| 235 | #define SP_TOKEN_FILENAME_REGEXP ".filename_r(" | 228 | #define SP_TOKEN_FILENAME_REGEXP "filename_r" |
| 236 | #define SP_TOKEN_FUNCTION ".function(" | 229 | #define SP_TOKEN_FUNCTION "function" |
| 237 | #define SP_TOKEN_FUNCTION_REGEXP ".function_r(" | 230 | #define SP_TOKEN_FUNCTION_REGEXP "function_r" |
| 238 | #define SP_TOKEN_HASH ".hash(" | 231 | #define SP_TOKEN_HASH "hash" |
| 239 | #define SP_TOKEN_LOCAL_VAR ".var(" | 232 | #define SP_TOKEN_LOCAL_VAR "var" |
| 240 | #define SP_TOKEN_PARAM ".param(" | 233 | #define SP_TOKEN_PARAM "param" |
| 241 | #define SP_TOKEN_PARAM_REGEXP ".param_r(" | 234 | #define SP_TOKEN_PARAM_REGEXP "param_r" |
| 242 | #define SP_TOKEN_PARAM_TYPE ".param_type(" | 235 | #define SP_TOKEN_PARAM_TYPE "param_type" |
| 243 | #define SP_TOKEN_RET ".ret(" | 236 | #define SP_TOKEN_RET "ret" |
| 244 | #define SP_TOKEN_RET_REGEXP ".ret_r(" | 237 | #define SP_TOKEN_RET_REGEXP "ret_r" |
| 245 | #define SP_TOKEN_RET_TYPE ".ret_type(" | 238 | #define SP_TOKEN_RET_TYPE "ret_type" |
| 246 | #define SP_TOKEN_VALUE ".value(" | 239 | #define SP_TOKEN_VALUE "value" |
| 247 | #define SP_TOKEN_VALUE_REGEXP ".value_r(" | 240 | #define SP_TOKEN_VALUE_REGEXP "value_r" |
| 248 | #define SP_TOKEN_KEY ".key(" | 241 | #define SP_TOKEN_KEY "key" |
| 249 | #define SP_TOKEN_KEY_REGEXP ".key_r(" | 242 | #define SP_TOKEN_KEY_REGEXP "key_r" |
| 250 | #define SP_TOKEN_VALUE_ARG_POS ".pos(" | 243 | #define SP_TOKEN_VALUE_ARG_POS "pos" |
| 251 | #define SP_TOKEN_LINE_NUMBER ".line(" | 244 | #define SP_TOKEN_LINE_NUMBER "line" |
| 252 | 245 | ||
| 253 | // cookies encryption | 246 | // cookies encryption |
| 254 | #define SP_TOKEN_NAME ".name(" | 247 | #define SP_TOKEN_NAME "name" |
| 255 | #define SP_TOKEN_NAME_REGEXP ".name_r(" | 248 | #define SP_TOKEN_NAME_REGEXP "name_r" |
| 256 | 249 | ||
| 257 | // cookies samesite | 250 | // cookies samesite |
| 258 | #define SP_TOKEN_SAMESITE ".samesite(" | 251 | #define SP_TOKEN_SAMESITE "samesite" |
| 259 | #define SP_TOKEN_ENCRYPT ".encrypt(" | 252 | #define SP_TOKEN_ENCRYPT "encrypt" |
| 260 | #define SP_TOKEN_SAMESITE_LAX "Lax" | 253 | #define SP_TOKEN_SAMESITE_LAX "Lax" |
| 261 | #define SP_TOKEN_SAMESITE_STRICT "Strict" | 254 | #define SP_TOKEN_SAMESITE_STRICT "Strict" |
| 262 | 255 | ||
| 263 | // Global configuration options | 256 | // Global configuration options |
| 264 | #define SP_TOKEN_ENCRYPTION_KEY ".secret_key(" | 257 | #define SP_TOKEN_ENCRYPTION_KEY "secret_key" |
| 265 | #define SP_TOKEN_ENV_VAR ".cookie_env_var(" | 258 | #define SP_TOKEN_ENV_VAR "cookie_env_var" |
| 266 | #define SP_TOKEN_LOG_MEDIA ".log_media(" | 259 | #define SP_TOKEN_LOG_MEDIA "log_media" |
| 260 | #define SP_TOKEN_MAX_EXECUTION_DEPTH "max_execution_depth" | ||
| 261 | #define SP_TOKEN_SERVER_ENCODE "server_encode" | ||
| 262 | #define SP_TOKEN_SERVER_STRIP "server_strip" | ||
| 263 | #define SP_TOKEN_SID_MIN_LENGTH "sid_min_length" | ||
| 264 | #define SP_TOKEN_SID_MAX_LENGTH "sid_max_length" | ||
| 265 | #define SP_TOKEN_SHOW_OLD_PHP_WARNING "show_old_php_warning" | ||
| 267 | 266 | ||
| 268 | // upload_validator | 267 | // upload_validator |
| 269 | #define SP_TOKEN_UPLOAD_SCRIPT ".script(" | 268 | #define SP_TOKEN_UPLOAD_SCRIPT "script" |
| 269 | |||
| 270 | #define SP_TOKEN_LIST "list" | ||
| 271 | |||
| 272 | zend_result sp_process_rule(sp_parsed_keyword *parsed_rule, sp_config_keyword *config_keywords); | ||
| 273 | |||
| 274 | zend_result sp_parse_config(const char *filename); | ||
| 270 | 275 | ||
| 271 | #define SP_TOKEN_LIST ".list(" | 276 | #define SP_PARSE_CHECK_ARG_EXISTS(value) \ |
| 277 | if (!value) { \ | ||
| 278 | sp_log_err("config", "Missing argument to keyword '%s' - it should be '%s(\"...\")' on line %zu", token, token, kw->lineno); \ | ||
| 279 | return SP_PARSER_ERROR; \ | ||
| 280 | } | ||
| 272 | 281 | ||
| 273 | int sp_parse_config(const char *); | 282 | #define SP_PARSE_ARG(value) \ |
| 274 | int parse_array(sp_disabled_function *); | 283 | zend_string *value = sp_get_arg_string(kw); \ |
| 284 | SP_PARSE_CHECK_ARG_EXISTS(value); | ||
| 275 | 285 | ||
| 276 | int parse_str(char *restrict, char *restrict, void *); | 286 | SP_PARSEKW_FN(parse_str); |
| 277 | int parse_regexp(char *restrict, char *restrict, void *); | 287 | SP_PARSEKW_FN(parse_regexp); |
| 278 | int parse_empty(char *restrict, char *restrict, void *); | 288 | SP_PARSEKW_FN(parse_empty); |
| 279 | int parse_cidr(char *restrict, char *restrict, void *); | 289 | SP_PARSEKW_FN(parse_int); |
| 280 | int parse_php_type(char *restrict, char *restrict, void *); | 290 | SP_PARSEKW_FN(parse_ulong); |
| 281 | int parse_list(char *restrict, char *restrict, void *); | 291 | SP_PARSEKW_FN(parse_php_type); |
| 292 | SP_PARSEKW_FN(parse_cidr); | ||
| 293 | SP_PARSEKW_FN(parse_list); | ||
| 282 | 294 | ||
| 283 | // cleanup | 295 | // cleanup |
| 284 | void sp_disabled_function_list_free(sp_list_node *); | 296 | void sp_free_disabled_function(void *data); |
| 285 | void sp_cookie_list_free(sp_list_node *); | 297 | void sp_free_cookie(void *data); |
| 298 | void sp_free_zstr(void *data); | ||
| 299 | void sp_free_ini_entry(void *data); | ||
| 286 | 300 | ||
| 287 | #endif /* SP_CONFIG_H */ | 301 | #endif /* SP_CONFIG_H */ |
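Review bot: `SP_PARSE_CHECK_ARG_EXISTS` in the last hunk (new lines 276-280) expands to a bare `if` block, so a use site's trailing `;` leaves a stray empty statement and the macro cannot sit safely in an `if`/`else` arm; it also depends silently on `token` and `kw` being in scope and on the caller returning `int`. Wrap it as a single statement — `#define SP_PARSE_CHECK_ARG_EXISTS(value) do { \`, `if (!(value)) { \` around the existing body, closed with `} } while (0)` — and put a comment above it such as `/* Only usable inside an SP_PARSEKW_FN body: uses its token/kw parameters and returns SP_PARSER_ERROR from the caller when the argument is missing. */`. The same scope dependency applies to `SP_PARSE_ARG`, which additionally declares `zend_string *value`, so it can appear only once per name in a scope; a comment saying so would stop misuse. The new `sid_min_length`/`sid_max_length` fields of `sp_config_session` (hunk at new lines 76-81) state no relationship between them; if the parser enforces min <= max, a one-line comment on the fields would save readers a trip to the parser.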
