Better handling of filters for builtins

author: kkadosh 2018-06-28 21:43:40 +0000
committer: jvoisin 2018-06-28 21:43:40 +0000
commit: ca3be84076521c4bb053511775c94c0b195aeac8 (patch)
tree: 3026bd494850086795a67d18f56264abbe4cc11c /src
parent: 7832438b7abedf567ce6376f99949f419abcdff1 (diff)
8 files changed, 101 insertions, 23 deletions
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index f702f4d..cc1f0f9 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -61,8 +61,7 @@ static int parse_enable(char *line, bool *restrict retval,
 }
 int parse_session(char *line) {
-  sp_config_session *session =
+  sp_config_session *session = pecalloc(sizeof(sp_config_session), 1, 0);
-      pecalloc(sizeof(sp_config_session), 1, 0);
  sp_config_functions sp_config_funcs_session_encryption[] = {
      {parse_empty, SP_TOKEN_ENCRYPT, &(session->encrypt)},
@@ -95,10 +94,8 @@ int parse_session(char *line) {
    }
  }
-  SNUFFLEUPAGUS_G(config).config_session->encrypt =
+  SNUFFLEUPAGUS_G(config).config_session->encrypt = session->encrypt;
-      session->encrypt;
+  SNUFFLEUPAGUS_G(config).config_session->simulation = session->simulation;
-  SNUFFLEUPAGUS_G(config).config_session->simulation =
-      session->simulation;
  pefree(session, 0);
  return ret;
 }
diff --git a/src/sp_crypt.c b/src/sp_crypt.c
index 55ae37b..6a46d06 100644
--- a/src/sp_crypt.c
+++ b/src/sp_crypt.c
@@ -64,9 +64,9 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) {
    }
  }
+  if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES <
-  if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES < ZSTR_LEN(debase64)) {
+      ZSTR_LEN(debase64)) {
-        if (true == simulation) {
+    if (true == simulation) {
      sp_log_msg(
          "cookie_encryption", SP_LOG_SIMULATION,
          "Integer overflow tentative detected in cookie encryption handling "
diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c
index eeee007..341c0a4 100644
--- a/src/sp_disabled_functions.c
+++ b/src/sp_disabled_functions.c
@@ -248,6 +248,23 @@ static zend_execute_data* is_file_matching(
 #undef ITERATE
 }
+static bool check_is_builtin_name(
+    sp_disabled_function const* const config_node) {
+  if (config_node->function) {
+    return (!strcmp(config_node->function, "include") ||
+            !strcmp(config_node->function, "include_once") ||
+            !strcmp(config_node->function, "require") ||
+            !strcmp(config_node->function, "require_once"));
+  }
+  if (config_node->r_function) {
+    return (sp_is_regexp_matching(config_node->r_function, "include") ||
+            sp_is_regexp_matching(config_node->r_function, "include_once") ||
+            sp_is_regexp_matching(config_node->r_function, "require") ||
+            sp_is_regexp_matching(config_node->r_function, "require_once"));
+  }
+  return false;
+}
 bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
                    const char* builtin_param, const char* builtin_param_name) {
  char current_file_hash[SHA256_SIZE * 2 + 1] = {0};
@@ -303,13 +320,11 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
        goto next;
      }
    }
    if (config_node->line) {
      if (config_node->line != zend_get_executed_lineno()) {
        goto next;
      }
    }
    if (config_node->filename || config_node->r_filename) {
      zend_execute_data* ex =
          is_file_matching(execute_data, config_node, current_filename);
@@ -327,7 +342,6 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
        goto next;
      }
    }
    if (config_node->var) {
      if (false == is_local_var_matching(execute_data, config_node)) {
        goto next;
@@ -360,8 +374,17 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
      }
    }
-    /* Everything matched.*/
+    if (config_node->value_r || config_node->value) {
+      if (check_is_builtin_name(config_node)) {
+        if (false == is_param_matching(execute_data, config_node, builtin_name,
+                                       builtin_param, &arg_name,
+                                       builtin_param_name, &arg_value_str)) {
+          goto next;
+        }
+      }
+    }
+    /* Everything matched.*/
    if (true == config_node->allow) {
      goto allow;
    }
diff --git a/src/sp_session.c b/src/sp_session.c
index 4085007..ce852ad 100644
--- a/src/sp_session.c
+++ b/src/sp_session.c
@@ -21,7 +21,6 @@ static int (*old_s_write)(PS_WRITE_ARGS);
 static int (*previous_sessionRINIT)(INIT_FUNC_ARGS) = NULL;
 static ZEND_INI_MH((*old_OnUpdateSaveHandler)) = NULL;
 static int sp_hook_s_read(PS_READ_ARGS) {
  int r = old_s_read(mod_data, key, val, maxlifetime);
  if (r == SUCCESS && SNUFFLEUPAGUS_G(config).config_session->encrypt &&
@@ -31,8 +30,7 @@ static int sp_hook_s_read(PS_READ_ARGS) {
    ZVAL_PSTRINGL(&val_zval, ZSTR_VAL(*val), ZSTR_LEN(*val));
    int ret = decrypt_zval(
-        &val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation,
+        &val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation, NULL);
-        NULL);
    if (0 != ret) {
      if (SNUFFLEUPAGUS_G(config).config_session->simulation) {
        return ret;
@@ -51,10 +49,8 @@ static int sp_hook_s_read(PS_READ_ARGS) {
  return r;
 }
 static int sp_hook_s_write(PS_WRITE_ARGS) {
-  if (ZSTR_LEN(val) > 0 &&
+  if (ZSTR_LEN(val) > 0 && SNUFFLEUPAGUS_G(config).config_session->encrypt) {
-      SNUFFLEUPAGUS_G(config).config_session->encrypt) {
    zend_string *new_val = encrypt_zval(ZSTR_VAL(val), ZSTR_LEN(val));
    return old_s_write(mod_data, key, new_val, maxlifetime);
  }
@@ -92,11 +88,9 @@ static void sp_hook_session_module() {
 static PHP_INI_MH(sp_OnUpdateSaveHandler) {
  if (stage == PHP_INI_STAGE_RUNTIME &&
-      SESSION_G(session_status) == php_session_none &&
+      SESSION_G(session_status) == php_session_none && s_original_mod &&
-      s_original_mod &&
      zend_string_equals_literal(new_value, "user") == 0 &&
-      strcmp(((ps_module *)s_original_mod)->s_name, "user") ==
+      strcmp(((ps_module *)s_original_mod)->s_name, "user") == 0) {
-          0) {
    return SUCCESS;
  }
diff --git a/src/tests/config/disabled_functions_drop_include.ini b/src/tests/config/disabled_functions_drop_include.ini
new file mode 100644
index 0000000..0b10f65
--- /dev/null
+++ b/src/tests/config/disabled_functions_drop_include.ini
@@ -0,0 +1,4 @@
+sp.disable_function.function("require_once").value_r("\.ico$").drop();
+sp.disable_function.function("include_once").value_r("\.ico$").drop();
+sp.disable_function.function("require").value_r("\.ico$").drop();
+sp.disable_function.function("include").value_r("\.ico$").drop();
diff --git a/src/tests/config/disabled_functions_drop_include_simulation.ini b/src/tests/config/disabled_functions_drop_include_simulation.ini
new file mode 100644
index 0000000..4064da1
--- /dev/null
+++ b/src/tests/config/disabled_functions_drop_include_simulation.ini
@@ -0,0 +1,4 @@
+sp.disable_function.function("require_once").value_r("\.ico$").drop().simulation();
+sp.disable_function.function("include_once").value_r("\.ico$").drop().simulation();
+sp.disable_function.function("require").value_r("\.ico$").drop().simulation();
+sp.disable_function.function("include").value_r("\.ico$").drop().simulation();
diff --git a/src/tests/disabled_functions_drop_include.phpt b/src/tests/disabled_functions_drop_include.phpt
new file mode 100644
index 0000000..e18dd73
--- /dev/null
+++ b/src/tests/disabled_functions_drop_include.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_drop_include.ini
+--FILE--
+<?php
+$dir = __DIR__;
+@unlink("$dir/test_include.php");
+$code = <<< 'EOD'
+<?php
+$test = "testOK";
+?>
+EOD;
+file_put_contents("$dir/test_include.php", $code);
+include "$dir/test_include.php";
+echo $test;
+?>
+--EXPECTF--
+testOK
diff --git a/src/tests/disabled_functions_drop_include_simulation.phpt b/src/tests/disabled_functions_drop_include_simulation.phpt
new file mode 100644
index 0000000..07c3e98
--- /dev/null
+++ b/src/tests/disabled_functions_drop_include_simulation.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/disabled_functions_drop_include_simulation.ini
+--FILE--
+<?php
+$dir = __DIR__;
+@unlink("$dir/test_include.php");
+$code = <<< 'EOD'
+<?php
+$test = "testOK";
+?>
+EOD;
+file_put_contents("$dir/test_include.php", $code);
+include "$dir/test_include.php";
+echo $test;
+?>
+--EXPECTF--
+testOK
author	kkadosh	2018-06-28 21:43:40 +0000
committer	jvoisin	2018-06-28 21:43:40 +0000
commit	ca3be84076521c4bb053511775c94c0b195aeac8 (patch)
tree	3026bd494850086795a67d18f56264abbe4cc11c /src
parent	7832438b7abedf567ce6376f99949f419abcdff1 (diff)

diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index f702f4d..cc1f0f9 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c
@@ -61,8 +61,7 @@ static int parse_enable(char line, bool restrict retval,
61	}	61	}
62		62
63	int parse_session(char *line) {	63	int parse_session(char *line) {
64	sp_config_session *session =	64	sp_config_session *session = pecalloc(sizeof(sp_config_session), 1, 0);
65	pecalloc(sizeof(sp_config_session), 1, 0);
66		65
67	sp_config_functions sp_config_funcs_session_encryption[] = {	66	sp_config_functions sp_config_funcs_session_encryption[] = {
68	{parse_empty, SP_TOKEN_ENCRYPT, &(session->encrypt)},	67	{parse_empty, SP_TOKEN_ENCRYPT, &(session->encrypt)},
@@ -95,10 +94,8 @@ int parse_session(char *line) {
95	}	94	}
96	}	95	}
97		96
98	SNUFFLEUPAGUS_G(config).config_session->encrypt =	97	SNUFFLEUPAGUS_G(config).config_session->encrypt = session->encrypt;
99	session->encrypt;	98	SNUFFLEUPAGUS_G(config).config_session->simulation = session->simulation;
100	SNUFFLEUPAGUS_G(config).config_session->simulation =
101	session->simulation;
102	pefree(session, 0);	99	pefree(session, 0);
103	return ret;	100	return ret;
104	}	101	}


diff --git a/src/sp_crypt.c b/src/sp_crypt.c index 55ae37b..6a46d06 100644 --- a/src/sp_crypt.c +++ b/src/sp_crypt.c
@@ -64,9 +64,9 @@ int decrypt_zval(zval pDest, bool simulation, zend_hash_key hash_key) {
64	}	64	}
65	}	65	}
66		66
67		67	if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES <
68	if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES < ZSTR_LEN(debase64)) {	68	ZSTR_LEN(debase64)) {
69	if (true == simulation) {	69	if (true == simulation) {
70	sp_log_msg(	70	sp_log_msg(
71	"cookie_encryption", SP_LOG_SIMULATION,	71	"cookie_encryption", SP_LOG_SIMULATION,
72	"Integer overflow tentative detected in cookie encryption handling "	72	"Integer overflow tentative detected in cookie encryption handling "


diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index eeee007..341c0a4 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c
@@ -248,6 +248,23 @@ static zend_execute_data* is_file_matching(
248	#undef ITERATE	248	#undef ITERATE
249	}	249	}
250		250
		251	static bool check_is_builtin_name(
		252	sp_disabled_function const* const config_node) {
		253	if (config_node->function) {
		254	return (!strcmp(config_node->function, "include") \|\|
		255	!strcmp(config_node->function, "include_once") \|\|
		256	!strcmp(config_node->function, "require") \|\|
		257	!strcmp(config_node->function, "require_once"));
		258	}
		259	if (config_node->r_function) {
		260	return (sp_is_regexp_matching(config_node->r_function, "include") \|\|
		261	sp_is_regexp_matching(config_node->r_function, "include_once") \|\|
		262	sp_is_regexp_matching(config_node->r_function, "require") \|\|
		263	sp_is_regexp_matching(config_node->r_function, "require_once"));
		264	}
		265	return false;
		266	}
		267
251	bool should_disable(zend_execute_data* execute_data, const char* builtin_name,	268	bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
252	const char* builtin_param, const char* builtin_param_name) {	269	const char* builtin_param, const char* builtin_param_name) {
253	char current_file_hash[SHA256_SIZE * 2 + 1] = {0};	270	char current_file_hash[SHA256_SIZE * 2 + 1] = {0};
@@ -303,13 +320,11 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
303	goto next;	320	goto next;
304	}	321	}
305	}	322	}
306
307	if (config_node->line) {	323	if (config_node->line) {
308	if (config_node->line != zend_get_executed_lineno()) {	324	if (config_node->line != zend_get_executed_lineno()) {
309	goto next;	325	goto next;
310	}	326	}
311	}	327	}
312
313	if (config_node->filename \|\| config_node->r_filename) {	328	if (config_node->filename \|\| config_node->r_filename) {
314	zend_execute_data* ex =	329	zend_execute_data* ex =
315	is_file_matching(execute_data, config_node, current_filename);	330	is_file_matching(execute_data, config_node, current_filename);
@@ -327,7 +342,6 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
327	goto next;	342	goto next;
328	}	343	}
329	}	344	}
330
331	if (config_node->var) {	345	if (config_node->var) {
332	if (false == is_local_var_matching(execute_data, config_node)) {	346	if (false == is_local_var_matching(execute_data, config_node)) {
333	goto next;	347	goto next;
@@ -360,8 +374,17 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name,
360	}	374	}
361	}	375	}
362		376
363	/* Everything matched.*/	377	if (config_node->value_r \|\| config_node->value) {
		378	if (check_is_builtin_name(config_node)) {
		379	if (false == is_param_matching(execute_data, config_node, builtin_name,
		380	builtin_param, &arg_name,
		381	builtin_param_name, &arg_value_str)) {
		382	goto next;
		383	}
		384	}
		385	}
364		386
		387	/* Everything matched.*/
365	if (true == config_node->allow) {	388	if (true == config_node->allow) {
366	goto allow;	389	goto allow;
367	}	390	}


diff --git a/src/sp_session.c b/src/sp_session.c index 4085007..ce852ad 100644 --- a/src/sp_session.c +++ b/src/sp_session.c
@@ -21,7 +21,6 @@ static int (*old_s_write)(PS_WRITE_ARGS);
21	static int (*previous_sessionRINIT)(INIT_FUNC_ARGS) = NULL;	21	static int (*previous_sessionRINIT)(INIT_FUNC_ARGS) = NULL;
22	static ZEND_INI_MH((*old_OnUpdateSaveHandler)) = NULL;	22	static ZEND_INI_MH((*old_OnUpdateSaveHandler)) = NULL;
23		23
24
25	static int sp_hook_s_read(PS_READ_ARGS) {	24	static int sp_hook_s_read(PS_READ_ARGS) {
26	int r = old_s_read(mod_data, key, val, maxlifetime);	25	int r = old_s_read(mod_data, key, val, maxlifetime);
27	if (r == SUCCESS && SNUFFLEUPAGUS_G(config).config_session->encrypt &&	26	if (r == SUCCESS && SNUFFLEUPAGUS_G(config).config_session->encrypt &&
@@ -31,8 +30,7 @@ static int sp_hook_s_read(PS_READ_ARGS) {
31	ZVAL_PSTRINGL(&val_zval, ZSTR_VAL(val), ZSTR_LEN(val));	30	ZVAL_PSTRINGL(&val_zval, ZSTR_VAL(val), ZSTR_LEN(val));
32		31
33	int ret = decrypt_zval(	32	int ret = decrypt_zval(
34	&val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation,	33	&val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation, NULL);
35	NULL);
36	if (0 != ret) {	34	if (0 != ret) {
37	if (SNUFFLEUPAGUS_G(config).config_session->simulation) {	35	if (SNUFFLEUPAGUS_G(config).config_session->simulation) {
38	return ret;	36	return ret;
@@ -51,10 +49,8 @@ static int sp_hook_s_read(PS_READ_ARGS) {
51	return r;	49	return r;
52	}	50	}
53		51
54
55	static int sp_hook_s_write(PS_WRITE_ARGS) {	52	static int sp_hook_s_write(PS_WRITE_ARGS) {
56	if (ZSTR_LEN(val) > 0 &&	53	if (ZSTR_LEN(val) > 0 && SNUFFLEUPAGUS_G(config).config_session->encrypt) {
57	SNUFFLEUPAGUS_G(config).config_session->encrypt) {
58	zend_string *new_val = encrypt_zval(ZSTR_VAL(val), ZSTR_LEN(val));	54	zend_string *new_val = encrypt_zval(ZSTR_VAL(val), ZSTR_LEN(val));
59	return old_s_write(mod_data, key, new_val, maxlifetime);	55	return old_s_write(mod_data, key, new_val, maxlifetime);
60	}	56	}
@@ -92,11 +88,9 @@ static void sp_hook_session_module() {
92		88
93	static PHP_INI_MH(sp_OnUpdateSaveHandler) {	89	static PHP_INI_MH(sp_OnUpdateSaveHandler) {
94	if (stage == PHP_INI_STAGE_RUNTIME &&	90	if (stage == PHP_INI_STAGE_RUNTIME &&
95	SESSION_G(session_status) == php_session_none &&	91	SESSION_G(session_status) == php_session_none && s_original_mod &&
96	s_original_mod &&
97	zend_string_equals_literal(new_value, "user") == 0 &&	92	zend_string_equals_literal(new_value, "user") == 0 &&
98	strcmp(((ps_module *)s_original_mod)->s_name, "user") ==	93	strcmp(((ps_module *)s_original_mod)->s_name, "user") == 0) {
99	0) {
100	return SUCCESS;	94	return SUCCESS;
101	}	95	}
102		96


diff --git a/src/tests/config/disabled_functions_drop_include.ini b/src/tests/config/disabled_functions_drop_include.ini new file mode 100644 index 0000000..0b10f65 --- /dev/null +++ b/src/tests/config/disabled_functions_drop_include.ini
@@ -0,0 +1,4 @@
		1	sp.disable_function.function("require_once").value_r("\.ico$").drop();
		2	sp.disable_function.function("include_once").value_r("\.ico$").drop();
		3	sp.disable_function.function("require").value_r("\.ico$").drop();
		4	sp.disable_function.function("include").value_r("\.ico$").drop();


diff --git a/src/tests/config/disabled_functions_drop_include_simulation.ini b/src/tests/config/disabled_functions_drop_include_simulation.ini new file mode 100644 index 0000000..4064da1 --- /dev/null +++ b/src/tests/config/disabled_functions_drop_include_simulation.ini
@@ -0,0 +1,4 @@
		1	sp.disable_function.function("require_once").value_r("\.ico$").drop().simulation();
		2	sp.disable_function.function("include_once").value_r("\.ico$").drop().simulation();
		3	sp.disable_function.function("require").value_r("\.ico$").drop().simulation();
		4	sp.disable_function.function("include").value_r("\.ico$").drop().simulation();


diff --git a/src/tests/disabled_functions_drop_include.phpt b/src/tests/disabled_functions_drop_include.phpt new file mode 100644 index 0000000..e18dd73 --- /dev/null +++ b/src/tests/disabled_functions_drop_include.phpt
@@ -0,0 +1,28 @@
		1	--TEST--
		2	Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/disabled_functions_drop_include.ini
		7	--FILE--
		8	<?php
		9	$dir = __DIR__;
		10
		11	@unlink("$dir/test_include.php");
		12
		13	$code = <<< 'EOD'
		14	<?php
		15	$test = "testOK";
		16	?>
		17	EOD;
		18
		19	file_put_contents("$dir/test_include.php", $code);
		20
		21	include "$dir/test_include.php";
		22
		23	echo $test;
		24
		25	?>
		26
		27	--EXPECTF--
		28	testOK


diff --git a/src/tests/disabled_functions_drop_include_simulation.phpt b/src/tests/disabled_functions_drop_include_simulation.phpt new file mode 100644 index 0000000..07c3e98 --- /dev/null +++ b/src/tests/disabled_functions_drop_include_simulation.phpt
@@ -0,0 +1,28 @@
		1	--TEST--
		2	Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181
		3	--SKIPIF--
		4	<?php if (!extension_loaded("snuffleupagus")) die "skip"; ?>
		5	--INI--
		6	sp.configuration_file={PWD}/config/disabled_functions_drop_include_simulation.ini
		7	--FILE--
		8	<?php
		9	$dir = __DIR__;
		10
		11	@unlink("$dir/test_include.php");
		12
		13	$code = <<< 'EOD'
		14	<?php
		15	$test = "testOK";
		16	?>
		17	EOD;
		18
		19	file_put_contents("$dir/test_include.php", $code);
		20
		21	include "$dir/test_include.php";
		22
		23	echo $test;
		24
		25	?>
		26
		27	--EXPECTF--
		28	testOK