diff options
| author | jvoisin | 2022-07-12 23:03:46 +0200 |
|---|---|---|
| committer | jvoisin | 2022-07-12 23:03:46 +0200 |
| commit | 8d6496efcab420267a228c35f9f627fec209d031 (patch) | |
| tree | c7d29977b14dedbc4b4d7c571381ca6df667fda6 /src | |
| parent | 08e87202676a4676e66a27625522374faa70704c (diff) | |
Refactoring of the previous commit
Diffstat (limited to 'src')
| -rw-r--r-- | src/php_snuffleupagus.h | 1 | ||||
| -rw-r--r-- | src/sp_execute.c | 20 | ||||
| -rw-r--r-- | src/tests/deny_writable/deny_writable_execution_simulation.phpt | 4 |
3 files changed, 10 insertions, 15 deletions
diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 95caa65..3eeb9db 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h | |||
| @@ -38,6 +38,7 @@ | |||
| 38 | #include "ext/standard/head.h" | 38 | #include "ext/standard/head.h" |
| 39 | #include "ext/standard/info.h" | 39 | #include "ext/standard/info.h" |
| 40 | #include "ext/standard/url.h" | 40 | #include "ext/standard/url.h" |
| 41 | #include "ext/standard/php_string.h" | ||
| 41 | #include "ext/standard/php_var.h" | 42 | #include "ext/standard/php_var.h" |
| 42 | #include "ext/session/php_session.h" | 43 | #include "ext/session/php_session.h" |
| 43 | #include "php.h" | 44 | #include "php.h" |
diff --git a/src/sp_execute.c b/src/sp_execute.c index 56d25c5..65a32db 100644 --- a/src/sp_execute.c +++ b/src/sp_execute.c | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | #include "php_snuffleupagus.h" | 1 | #include "php_snuffleupagus.h" |
| 2 | #include "ext/standard/php_string.h" | ||
| 3 | 2 | ||
| 4 | static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL; | 3 | static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL; |
| 5 | static void (*orig_zend_execute_internal)(zend_execute_data *execute_data, | 4 | static void (*orig_zend_execute_internal)(zend_execute_data *execute_data, |
| @@ -11,11 +10,10 @@ static zend_result (*orig_zend_stream_open)(zend_file_handle *handle) = NULL; | |||
| 11 | #endif | 10 | #endif |
| 12 | 11 | ||
| 13 | // FIXME handle symlink | 12 | // FIXME handle symlink |
| 14 | ZEND_COLD static inline void terminate_if_writable(const char *filename) { | 13 | ZEND_COLD static inline void terminate_if_writable(char const* const filename) { |
| 15 | const sp_config_readonly_exec *config_ro_exec = &(SPCFG(readonly_exec)); | 14 | sp_config_readonly_exec const* const config_ro_exec = &(SPCFG(readonly_exec)); |
| 16 | char *errmsg = "unknown access problem"; | 15 | char const *errmsg = "unknown access problem"; |
| 17 | 16 | ||
| 18 | // check write access | ||
| 19 | if (0 == access(filename, W_OK)) { | 17 | if (0 == access(filename, W_OK)) { |
| 20 | errmsg = "Attempted execution of a writable file"; | 18 | errmsg = "Attempted execution of a writable file"; |
| 21 | goto violation; | 19 | goto violation; |
| @@ -29,21 +27,19 @@ ZEND_COLD static inline void terminate_if_writable(const char *filename) { | |||
| 29 | return; | 27 | return; |
| 30 | } | 28 | } |
| 31 | 29 | ||
| 32 | // check effective uid | ||
| 33 | struct stat buf; | 30 | struct stat buf; |
| 34 | if (0 != stat(filename, &buf)) { | 31 | if (0 != stat(filename, &buf)) { |
| 35 | goto err; | 32 | goto err; |
| 36 | } | 33 | } |
| 37 | if (buf.st_uid == geteuid()) { | 34 | if (buf.st_uid == geteuid()) { |
| 38 | errmsg = "Attempted execution of file owned by process"; | 35 | errmsg = "Attempted execution of a file owned by the PHP process"; |
| 39 | goto violation; | 36 | goto violation; |
| 40 | } | 37 | } |
| 41 | 38 | ||
| 42 | // check write access on directory | 39 | char *const dirname = estrndup(filename, strlen(filename)); |
| 43 | char *dirname = estrndup(filename, strlen(filename)); | ||
| 44 | php_dirname(dirname, strlen(dirname)); | 40 | php_dirname(dirname, strlen(dirname)); |
| 45 | if (0 == access(dirname, W_OK)) { | 41 | if (0 == access(dirname, W_OK)) { |
| 46 | errmsg = "Attempted execution of file in writable directory"; | 42 | errmsg = "Attempted execution of a file in a writable directory"; |
| 47 | efree(dirname); | 43 | efree(dirname); |
| 48 | goto violation; | 44 | goto violation; |
| 49 | } | 45 | } |
| @@ -52,18 +48,16 @@ ZEND_COLD static inline void terminate_if_writable(const char *filename) { | |||
| 52 | goto err; | 48 | goto err; |
| 53 | } | 49 | } |
| 54 | 50 | ||
| 55 | // check effecite uid of directory | ||
| 56 | if (0 != stat(dirname, &buf)) { | 51 | if (0 != stat(dirname, &buf)) { |
| 57 | efree(dirname); | 52 | efree(dirname); |
| 58 | goto err; | 53 | goto err; |
| 59 | } | 54 | } |
| 60 | efree(dirname); | 55 | efree(dirname); |
| 61 | if (buf.st_uid == geteuid()) { | 56 | if (buf.st_uid == geteuid()) { |
| 62 | errmsg = "Attempted execution of file in directory owned by process"; | 57 | errmsg = "Attempted execution of a file in directory owned by the PHP process"; |
| 63 | goto violation; | 58 | goto violation; |
| 64 | } | 59 | } |
| 65 | 60 | ||
| 66 | // we would actually need to check all parent directories as well, but that task is left for other tools | ||
| 67 | return; | 61 | return; |
| 68 | 62 | ||
| 69 | violation: | 63 | violation: |
diff --git a/src/tests/deny_writable/deny_writable_execution_simulation.phpt b/src/tests/deny_writable/deny_writable_execution_simulation.phpt index abc276f..d4e4801 100644 --- a/src/tests/deny_writable/deny_writable_execution_simulation.phpt +++ b/src/tests/deny_writable/deny_writable_execution_simulation.phpt | |||
| @@ -48,7 +48,7 @@ Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution | |||
| 48 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/writable_file.txt on line 1 | 48 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/writable_file.txt on line 1 |
| 49 | Code execution within a writable file. | 49 | Code execution within a writable file. |
| 50 | 50 | ||
| 51 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of file owned by process (%s/tests/deny_writable/non_writable_file.txt) in %s/tests/deny_writable/deny_writable_execution_simulation.php on line 13 | 51 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %s/tests/deny_writable/deny_writable_execution_simulation.php on line 13 |
| 52 | 52 | ||
| 53 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of file owned by process (%s/tests/deny_writable/non_writable_file.txt) in %src/tests/deny_writable/non_writable_file.txt on line 1 | 53 | Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %src/tests/deny_writable/non_writable_file.txt on line 1 |
| 54 | Code execution within a non-writable file. | 54 | Code execution within a non-writable file. |