diff options
| author | jvoisin | 2023-02-01 21:12:58 +0100 |
|---|---|---|
| committer | jvoisin | 2023-02-02 13:17:22 +0100 |
| commit | 2dcf2a2d7578d1e43ee7e3fa69386ccc5afebbf0 (patch) | |
| tree | a1b4b74396e89f66ccb9f54fe878ba607c103aec /src | |
| parent | f4d3c01bd196400548f5712223171007563ab834 (diff) | |
Url encode functions arguments when logging them
Diffstat (limited to '')
8 files changed, 17 insertions, 21 deletions
diff --git a/src/sp_utils.c b/src/sp_utils.c index 1bac1ae..eeebcc4 100644 --- a/src/sp_utils.c +++ b/src/sp_utils.c | |||
| @@ -232,16 +232,6 @@ static char* zend_string_to_char(const zend_string* zs) { | |||
| 232 | return copy; | 232 | return copy; |
| 233 | } | 233 | } |
| 234 | 234 | ||
| 235 | static void sp_sanitize_charstring(char* c, size_t maxlen) | ||
| 236 | { | ||
| 237 | for (size_t i = 0; i < maxlen - 1; i++) { | ||
| 238 | if (c[i] < 32 || c[i] > 126) { | ||
| 239 | c[i] = '*'; | ||
| 240 | } | ||
| 241 | } | ||
| 242 | c[maxlen] = 0; | ||
| 243 | } | ||
| 244 | |||
| 245 | const zend_string* sp_zval_to_zend_string(const zval* zv) { | 235 | const zend_string* sp_zval_to_zend_string(const zval* zv) { |
| 246 | switch (Z_TYPE_P(zv)) { | 236 | switch (Z_TYPE_P(zv)) { |
| 247 | case IS_LONG: { | 237 | case IS_LONG: { |
| @@ -300,8 +290,11 @@ void sp_log_disable(const char* restrict path, const char* restrict arg_name, | |||
| 300 | if (arg_name) { | 290 | if (arg_name) { |
| 301 | char* char_repr = NULL; | 291 | char* char_repr = NULL; |
| 302 | if (arg_value) { | 292 | if (arg_value) { |
| 303 | char_repr = zend_string_to_char(arg_value); | 293 | zend_string *arg_value_dup = zend_string_init(ZSTR_VAL(arg_value), ZSTR_LEN(arg_value), 0); |
| 304 | sp_sanitize_charstring(char_repr, MIN(ZSTR_LEN(arg_value), (size_t)SPCFG(log_max_len))); | 294 | arg_value_dup = php_raw_url_encode(ZSTR_VAL(arg_value_dup), ZSTR_LEN(arg_value_dup)); |
| 295 | char_repr = zend_string_to_char(arg_value_dup); | ||
| 296 | size_t max_len = MIN(ZSTR_LEN(arg_value_dup), (size_t)SPCFG(log_max_len)); | ||
| 297 | char_repr[max_len] = '\0'; | ||
| 305 | } | 298 | } |
| 306 | if (alias) { | 299 | if (alias) { |
| 307 | sp_log_auto( | 300 | sp_log_auto( |
| @@ -341,8 +334,11 @@ void sp_log_disable_ret(const char* restrict path, | |||
| 341 | sp_log_request(dump, config_node->textual_representation); | 334 | sp_log_request(dump, config_node->textual_representation); |
| 342 | } | 335 | } |
| 343 | if (ret_value) { | 336 | if (ret_value) { |
| 344 | char_repr = zend_string_to_char(ret_value); | 337 | zend_string *ret_value_dup = zend_string_init(ZSTR_VAL(ret_value), ZSTR_LEN(ret_value), 0); |
| 345 | sp_sanitize_charstring(char_repr, MIN(ZSTR_LEN(ret_value), (size_t)SPCFG(log_max_len))); | 338 | ret_value_dup = php_raw_url_encode(ZSTR_VAL(ret_value_dup), ZSTR_LEN(ret_value_dup)); |
| 339 | char_repr = zend_string_to_char(ret_value_dup); | ||
| 340 | size_t max_len = MIN(ZSTR_LEN(ret_value_dup), (size_t)SPCFG(log_max_len)); | ||
| 341 | char_repr[max_len] = '\0'; | ||
| 346 | } | 342 | } |
| 347 | if (alias) { | 343 | if (alias) { |
| 348 | sp_log_auto( | 344 | sp_log_auto( |
diff --git a/src/tests/disable_function/disabled_functions_eval_param.phpt b/src/tests/disable_function/disabled_functions_eval_param.phpt index 4f3f1ef..7d0487a 100644 --- a/src/tests/disable_function/disabled_functions_eval_param.phpt +++ b/src/tests/disable_function/disabled_functions_eval_param.phpt | |||
| @@ -11,4 +11,4 @@ eval('$var = 1337 + 1337;'); | |||
| 11 | print("Variable: $var\n"); | 11 | print("Variable: $var\n"); |
| 12 | ?> | 12 | ?> |
| 13 | --EXPECTF-- | 13 | --EXPECTF-- |
| 14 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'eval', because its argument 'code' content ($var = 1337 + 1337;) matched a rule in %s/tests/disable_function/disabled_functions_eval_param.php(3) : eval()'d code on line 1 | 14 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'eval', because its argument 'code' content (%24var%20%3D%201337%20%2B%201337%3B) matched a rule in %s/tests/disable_function/disabled_functions_eval_param.php(3) : eval()'d code on line 1 |
diff --git a/src/tests/disable_function/disabled_functions_include_once.phpt b/src/tests/disable_function/disabled_functions_include_once.phpt index 8b1bec8..91d9497 100644 --- a/src/tests/disable_function/disabled_functions_include_once.phpt +++ b/src/tests/disable_function/disabled_functions_include_once.phpt | |||
| @@ -21,6 +21,6 @@ echo "1337\n"; | |||
| 21 | --EXPECTF-- | 21 | --EXPECTF-- |
| 22 | BLA | 22 | BLA |
| 23 | 23 | ||
| 24 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'include_once', because its argument 'inclusion path' content (%a/test.sim) matched a rule in %a/disabled_functions_include_once.php on line %d | 24 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'include_once', because its argument 'inclusion path' content (%a%2Ftest.sim) matched a rule in %a/disabled_functions_include_once.php on line %d |
| 25 | MEH | 25 | MEH |
| 26 | 1337 | 26 | 1337 |
diff --git a/src/tests/disable_function/disabled_functions_include_simulation.phpt b/src/tests/disable_function/disabled_functions_include_simulation.phpt index cf2c693..c2bd48b 100644 --- a/src/tests/disable_function/disabled_functions_include_simulation.phpt +++ b/src/tests/disable_function/disabled_functions_include_simulation.phpt | |||
| @@ -21,6 +21,6 @@ echo "1337\n"; | |||
| 21 | --EXPECTF-- | 21 | --EXPECTF-- |
| 22 | BLA | 22 | BLA |
| 23 | 23 | ||
| 24 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'include', because its argument 'inclusion path' content (%a/test.sim) matched a rule in %a/disabled_functions_include_simulation.php on line %d | 24 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'include', because its argument 'inclusion path' content (%a%2Ftest.sim) matched a rule in %a/disabled_functions_include_simulation.php on line %d |
| 25 | MEH | 25 | MEH |
| 26 | 1337 | 26 | 1337 |
diff --git a/src/tests/disable_function/disabled_functions_nul_byte.phpt b/src/tests/disable_function/disabled_functions_nul_byte.phpt index 62f4ab5..991794d 100644 --- a/src/tests/disable_function/disabled_functions_nul_byte.phpt +++ b/src/tests/disable_function/disabled_functions_nul_byte.phpt | |||
| @@ -11,4 +11,4 @@ system("id"); | |||
| 11 | 11 | ||
| 12 | ?> | 12 | ?> |
| 13 | --EXPECTF-- | 13 | --EXPECTF-- |
| 14 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'system', because its argument '$command' content (0id) matched a rule in %a/disabled_functions_nul_byte.php on line 2 | 14 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'system', because its argument '$command' content (%s0id) matched a rule in %a/disabled_functions_nul_byte.php on line 2 |
diff --git a/src/tests/disable_function/disabled_functions_require.phpt b/src/tests/disable_function/disabled_functions_require.phpt index bf59b58..a759a33 100644 --- a/src/tests/disable_function/disabled_functions_require.phpt +++ b/src/tests/disable_function/disabled_functions_require.phpt | |||
| @@ -20,4 +20,4 @@ echo "1337"; | |||
| 20 | ?> | 20 | ?> |
| 21 | --EXPECTF-- | 21 | --EXPECTF-- |
| 22 | BLA | 22 | BLA |
| 23 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'require', because its argument 'inclusion path' content (%a/test.meh) matched a rule in %a/disabled_functions_require.php on line %d | 23 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'require', because its argument 'inclusion path' content (%a%2Ftest.meh) matched a rule in %a/disabled_functions_require.php on line %d |
diff --git a/src/tests/disable_function/disabled_functions_require_once.phpt b/src/tests/disable_function/disabled_functions_require_once.phpt index 81049ef..62b8d4c 100644 --- a/src/tests/disable_function/disabled_functions_require_once.phpt +++ b/src/tests/disable_function/disabled_functions_require_once.phpt | |||
| @@ -19,4 +19,4 @@ echo "1337"; | |||
| 19 | ?> | 19 | ?> |
| 20 | --EXPECTF-- | 20 | --EXPECTF-- |
| 21 | BLA | 21 | BLA |
| 22 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'require_once', because its argument 'inclusion path' content (%a/test.meh) matched a rule in %a/disabled_functions_require_once.php on line %d | 22 | Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'require_once', because its argument 'inclusion path' content (%a%2Ftest.meh) matched a rule in %a/disabled_functions_require_once.php on line %d |
diff --git a/src/tests/disable_function/disabled_functions_require_simulation.phpt b/src/tests/disable_function/disabled_functions_require_simulation.phpt index 2c52610..d23ad4e 100644 --- a/src/tests/disable_function/disabled_functions_require_simulation.phpt +++ b/src/tests/disable_function/disabled_functions_require_simulation.phpt | |||
| @@ -20,6 +20,6 @@ echo "1337\n"; | |||
| 20 | --EXPECTF-- | 20 | --EXPECTF-- |
| 21 | BLA | 21 | BLA |
| 22 | 22 | ||
| 23 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'require', because its argument 'inclusion path' content (%a/test.sim) matched a rule in %a/disabled_functions_require_simulation.php on line %d | 23 | Warning: [snuffleupagus][0.0.0.0][disabled_function][simulation] Aborted execution on call of the function 'require', because its argument 'inclusion path' content (%a%2Ftest.sim) matched a rule in %a/disabled_functions_require_simulation.php on line %d |
| 24 | MEH | 24 | MEH |
| 25 | 1337 | 25 | 1337 |