ported server.strip and server.encode features from suhosin

author: Ben Fuhrmannek 2021-09-16 11:32:41 +0200
committer: Ben Fuhrmannek 2021-09-16 11:32:41 +0200
commit: 6e07cdb870513270a3c08abc7ecdca64ad2af400 (patch)
tree: f9784435101f85d9ff0776c205421a7916b5854e /src/sp_ifilter.c
parent: 31d6a3cddd18cef447698ba2beaa7b5d9ab9dd94 (diff)
1 files changed, 103 insertions, 0 deletions
diff --git a/src/sp_ifilter.c b/src/sp_ifilter.c
new file mode 100644
index 0000000..171138f
--- /dev/null
+++ b/src/sp_ifilter.c
@@ -0,0 +1,103 @@
+#include "php_snuffleupagus.h"
+static void (*orig_register_server_variables)(zval *track_vars_array) = NULL;
+static const unsigned char sp_hexchars[] = "0123456789ABCDEF";
+static const char sp_is_dangerous_char[256] = {
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+static void sp_server_strip(HashTable *svars, char *key, int keylen) {
+  zval *value = zend_hash_str_find(svars, key, keylen);
+  if (!value || Z_TYPE_P(value) != IS_STRING) { return; }
+  zend_string *tmp_zstr = Z_STR_P(value);
+  char *tmp = ZSTR_VAL(tmp_zstr);
+  char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
+  for (char *p = tmp; p < tmpend; p++) {
+    if (sp_is_dangerous_char[(int)*p]) {
+      *p = '_';
+    }
+  }
+}
+static void sp_server_encode(HashTable *svars, char *key, int keylen) {
+  zval *value = zend_hash_str_find(svars, key, keylen);
+  if (!value || Z_TYPE_P(value) != IS_STRING) { return; }
+  
+  zend_string *tmp_zstr = Z_STR_P(value);
+  char *tmp = ZSTR_VAL(tmp_zstr);
+  char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
+  int extra = 0;
+  
+  for (char *p = tmp; p < tmpend; p++) {
+    extra += sp_is_dangerous_char[(int)*p] * 2;
+  }
+  if (!extra) { return; }
+  zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);
+  char *n = ZSTR_VAL(new_zstr);
+  for (char *p = tmp; p < tmpend; p++, n++) {
+    if (sp_is_dangerous_char[(int)*p]) {
+      *n++ = '%';
+      *n++ = sp_hexchars[*p >> 4];
+      *n = sp_hexchars[*p & 15];
+    } else {
+      *n = *p;
+    }
+  }
+  ZSTR_VAL(new_zstr)[ZSTR_LEN(new_zstr)] = 0;
+  Z_STR_P(value) = new_zstr;
+  zend_string_release_ex(tmp_zstr, 0);
+}
+static void sp_register_server_variables(zval *track_vars_array) {
+  orig_register_server_variables(track_vars_array);
+  HashTable *svars;
+  svars = Z_ARRVAL_P(track_vars_array);
+  if (SNUFFLEUPAGUS_G(config).server_encode) {
+    sp_server_encode(svars, ZEND_STRL("REQUEST_URI"));
+    sp_server_encode(svars, ZEND_STRL("QUERY_STRING"));
+  }
+  if (SNUFFLEUPAGUS_G(config).server_strip) {
+    sp_server_strip(svars, ZEND_STRL("PHP_SELF"));
+    sp_server_strip(svars, ZEND_STRL("HTTP_HOST"));
+    sp_server_strip(svars, ZEND_STRL("HTTP_USER_AGENT"));
+    // for cgi + fpm
+    sp_server_strip(svars, ZEND_STRL("PATH_INFO"));
+    sp_server_strip(svars, ZEND_STRL("PATH_TRANSLATED"));
+    sp_server_strip(svars, ZEND_STRL("ORIG_PATH_TRANSLATED"));
+    sp_server_strip(svars, ZEND_STRL("ORIG_PATH_INFO"));
+  }
+}
+void sp_hook_register_server_variables()
+{
+  if (sapi_module.register_server_variables) {
+    orig_register_server_variables = sapi_module.register_server_variables;
+    sapi_module.register_server_variables = sp_register_server_variables;
+  }
+}
author	Ben Fuhrmannek	2021-09-16 11:32:41 +0200
committer	Ben Fuhrmannek	2021-09-16 11:32:41 +0200
commit	6e07cdb870513270a3c08abc7ecdca64ad2af400 (patch)
tree	f9784435101f85d9ff0776c205421a7916b5854e /src/sp_ifilter.c
parent	31d6a3cddd18cef447698ba2beaa7b5d9ab9dd94 (diff)

diff --git a/src/sp_ifilter.c b/src/sp_ifilter.c new file mode 100644 index 0000000..171138f --- /dev/null +++ b/src/sp_ifilter.c
@@ -0,0 +1,103 @@
	1	#include "php_snuffleupagus.h"
	2
	3	static void (orig_register_server_variables)(zval track_vars_array) = NULL;
	4
	5	static const unsigned char sp_hexchars[] = "0123456789ABCDEF";
	6
	7	static const char sp_is_dangerous_char[256] = {
	8	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0,
	9	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	10	0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,
	11	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0,
	12	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	13	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	14	1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	15	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	16	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	17	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	18	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	19	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	20	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	21	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	22	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	23	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
	24	};
	25
	26	static void sp_server_strip(HashTable svars, char key, int keylen) {
	27	zval *value = zend_hash_str_find(svars, key, keylen);
	28	if (!value \|\| Z_TYPE_P(value) != IS_STRING) { return; }
	29
	30	zend_string *tmp_zstr = Z_STR_P(value);
	31	char *tmp = ZSTR_VAL(tmp_zstr);
	32	char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
	33
	34	for (char *p = tmp; p < tmpend; p++) {
	35	if (sp_is_dangerous_char[(int)*p]) {
	36	*p = '_';
	37	}
	38	}
	39	}
	40
	41	static void sp_server_encode(HashTable svars, char key, int keylen) {
	42	zval *value = zend_hash_str_find(svars, key, keylen);
	43	if (!value \|\| Z_TYPE_P(value) != IS_STRING) { return; }
	44
	45	zend_string *tmp_zstr = Z_STR_P(value);
	46	char *tmp = ZSTR_VAL(tmp_zstr);
	47	char *tmpend = tmp + ZSTR_LEN(tmp_zstr);
	48	int extra = 0;
	49
	50	for (char *p = tmp; p < tmpend; p++) {
	51	extra += sp_is_dangerous_char[(int)p] 2;
	52	}
	53	if (!extra) { return; }
	54
	55	zend_string *new_zstr = zend_string_alloc(ZSTR_LEN(tmp_zstr) + extra, 0);
	56	char *n = ZSTR_VAL(new_zstr);
	57	for (char *p = tmp; p < tmpend; p++, n++) {
	58	if (sp_is_dangerous_char[(int)*p]) {
	59	*n++ = '%';
	60	n++ = sp_hexchars[p >> 4];
	61	n = sp_hexchars[p & 15];
	62	} else {
	63	n = p;
	64	}
	65	}
	66	ZSTR_VAL(new_zstr)[ZSTR_LEN(new_zstr)] = 0;
	67	Z_STR_P(value) = new_zstr;
	68
	69	zend_string_release_ex(tmp_zstr, 0);
	70	}
	71
	72	static void sp_register_server_variables(zval *track_vars_array) {
	73	orig_register_server_variables(track_vars_array);
	74
	75	HashTable *svars;
	76	svars = Z_ARRVAL_P(track_vars_array);
	77
	78
	79	if (SNUFFLEUPAGUS_G(config).server_encode) {
	80	sp_server_encode(svars, ZEND_STRL("REQUEST_URI"));
	81	sp_server_encode(svars, ZEND_STRL("QUERY_STRING"));
	82	}
	83
	84	if (SNUFFLEUPAGUS_G(config).server_strip) {
	85	sp_server_strip(svars, ZEND_STRL("PHP_SELF"));
	86	sp_server_strip(svars, ZEND_STRL("HTTP_HOST"));
	87	sp_server_strip(svars, ZEND_STRL("HTTP_USER_AGENT"));
	88
	89	// for cgi + fpm
	90	sp_server_strip(svars, ZEND_STRL("PATH_INFO"));
	91	sp_server_strip(svars, ZEND_STRL("PATH_TRANSLATED"));
	92	sp_server_strip(svars, ZEND_STRL("ORIG_PATH_TRANSLATED"));
	93	sp_server_strip(svars, ZEND_STRL("ORIG_PATH_INFO"));
	94	}
	95	}
	96
	97	void sp_hook_register_server_variables()
	98	{
	99	if (sapi_module.register_server_variables) {
	100	orig_register_server_variables = sapi_module.register_server_variables;
	101	sapi_module.register_server_variables = sp_register_server_variables;
	102	}
	103	}