log forging protection

author: Ben Fuhrmannek 2021-02-18 15:49:39 +0100
committer: Ben Fuhrmannek 2021-02-18 15:49:39 +0100
commit: 01528718850c8528ef6d2ed5296e244d4aa7b675 (patch)
tree: 4fa1763db9211919bd03bf0b8e2beb3aae0da463 /src
parent: ae863454f6c757653e20260f54615944fc9a3319 (diff)
3 files changed, 30 insertions, 0 deletions
diff --git a/src/sp_utils.c b/src/sp_utils.c
index a7a3d27..73c0546 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -229,6 +229,19 @@ static char* zend_string_to_char(const zend_string* zs) {
  return copy;
 }
+static void sp_sanitize_charstring(char* c, size_t maxlen)
+{
+  for (size_t i = 0; *c; c++, i++) {
+    if (maxlen && i > maxlen - 1) {
+      *c = 0;
+      return;
+    }
+    if (*c < 32 || *c > 126) {
+      *c = '*';
+    }
+  }
+}
 const zend_string* sp_zval_to_zend_string(const zval* zv) {
  switch (Z_TYPE_P(zv)) {
    case IS_LONG: {
@@ -295,6 +308,7 @@ void sp_log_disable(const char* restrict path, const char* restrict arg_name,
    char* char_repr = NULL;
    if (arg_value) {
      char_repr = zend_string_to_char(arg_value);
+      sp_sanitize_charstring(char_repr, 255);
    }
    if (alias) {
      sp_log_auto(
@@ -336,6 +350,7 @@ void sp_log_disable_ret(const char* restrict path,
  }
  if (ret_value) {
    char_repr = zend_string_to_char(ret_value);
+    sp_sanitize_charstring(char_repr, 255);
  }
  if (alias) {
    sp_log_auto(
diff --git a/src/tests/disable_function/config/disabled_function_log_forging.ini b/src/tests/disable_function/config/disabled_function_log_forging.ini
new file mode 100644
index 0000000..05e9b4b
--- /dev/null
+++ b/src/tests/disable_function/config/disabled_function_log_forging.ini
@@ -0,0 +1 @@
+sp.disable_function.function("foo_log_forging").pos("0").value_r("^x").drop()
diff --git a/src/tests/disable_function/disabled_function_log_forging.phpt b/src/tests/disable_function/disabled_function_log_forging.phpt
new file mode 100644
index 0000000..fcc37dc
--- /dev/null
+++ b/src/tests/disable_function/disabled_function_log_forging.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Disable functions log forging test
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_function_log_forging.ini
+--FILE--
+<?php
+function foo_log_forging($name, $greeting='HI!', $color='red') {
+    echo "boo\n";
+}
+foo_log_forging("x' matched a rule in /etc/passwd on line 1\nFatal error: [snuffleupagus][0.0.0.0][silly_error][drop] secondary problem '<script>alert('0wned!');</script>");
+--EXPECTF--
+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'foo_log_forging', because its argument 'name' %s on line %d
+\ No newline at end of file
author	Ben Fuhrmannek	2021-02-18 15:49:39 +0100
committer	Ben Fuhrmannek	2021-02-18 15:49:39 +0100
commit	01528718850c8528ef6d2ed5296e244d4aa7b675 (patch)
tree	4fa1763db9211919bd03bf0b8e2beb3aae0da463 /src
parent	ae863454f6c757653e20260f54615944fc9a3319 (diff)

diff --git a/src/sp_utils.c b/src/sp_utils.c index a7a3d27..73c0546 100644 --- a/src/sp_utils.c +++ b/src/sp_utils.c
@@ -229,6 +229,19 @@ static char* zend_string_to_char(const zend_string* zs) {
229	return copy;	229	return copy;
230	}	230	}
231		231
		232	static void sp_sanitize_charstring(char* c, size_t maxlen)
		233	{
		234	for (size_t i = 0; *c; c++, i++) {
		235	if (maxlen && i > maxlen - 1) {
		236	*c = 0;
		237	return;
		238	}
		239	if (c < 32 \|\| c > 126) {
		240	c = '';
		241	}
		242	}
		243	}
		244
232	const zend_string* sp_zval_to_zend_string(const zval* zv) {	245	const zend_string* sp_zval_to_zend_string(const zval* zv) {
233	switch (Z_TYPE_P(zv)) {	246	switch (Z_TYPE_P(zv)) {
234	case IS_LONG: {	247	case IS_LONG: {
@@ -295,6 +308,7 @@ void sp_log_disable(const char* restrict path, const char* restrict arg_name,
295	char* char_repr = NULL;	308	char* char_repr = NULL;
296	if (arg_value) {	309	if (arg_value) {
297	char_repr = zend_string_to_char(arg_value);	310	char_repr = zend_string_to_char(arg_value);
		311	sp_sanitize_charstring(char_repr, 255);
298	}	312	}
299	if (alias) {	313	if (alias) {
300	sp_log_auto(	314	sp_log_auto(
@@ -336,6 +350,7 @@ void sp_log_disable_ret(const char* restrict path,
336	}	350	}
337	if (ret_value) {	351	if (ret_value) {
338	char_repr = zend_string_to_char(ret_value);	352	char_repr = zend_string_to_char(ret_value);
		353	sp_sanitize_charstring(char_repr, 255);
339	}	354	}
340	if (alias) {	355	if (alias) {
341	sp_log_auto(	356	sp_log_auto(


diff --git a/src/tests/disable_function/config/disabled_function_log_forging.ini b/src/tests/disable_function/config/disabled_function_log_forging.ini new file mode 100644 index 0000000..05e9b4b --- /dev/null +++ b/src/tests/disable_function/config/disabled_function_log_forging.ini
@@ -0,0 +1 @@
			sp.disable_function.function("foo_log_forging").pos("0").value_r("^x").drop()


diff --git a/src/tests/disable_function/disabled_function_log_forging.phpt b/src/tests/disable_function/disabled_function_log_forging.phpt new file mode 100644 index 0000000..fcc37dc --- /dev/null +++ b/src/tests/disable_function/disabled_function_log_forging.phpt
@@ -0,0 +1,14 @@
		1	--TEST--
		2	Disable functions log forging test
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/disabled_function_log_forging.ini
		7	--FILE--
		8	<?php
		9	function foo_log_forging($name, $greeting='HI!', $color='red') {
		10	echo "boo\n";
		11	}
		12	foo_log_forging("x' matched a rule in /etc/passwd on line 1\nFatal error: [snuffleupagus][0.0.0.0][silly_error][drop] secondary problem '<script>alert('0wned!');</script>");
		13	--EXPECTF--
		14	Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'foo_log_forging', because its argument 'name' %s on line %d \ No newline at end of file