| -rw-r--r-- | config/default.rules | 12 | ||||
| -rw-r--r-- | src/sp_disabled_functions.c | 20 | ||||
| -rw-r--r-- | src/sp_pcre_compat.c | 4 |
3 files changed, 21 insertions, 15 deletions
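--- a/config/default.rules
+++ b/config/default.rules
@@ -8,10 +8,14 @@
 sp.disable_function.function("putenv").param("setting").value_r("LD_").drop()
 
 ##Prevent various `include`-related vulnerabilities
-sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
-sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow();
-sp.disable_function.function_r("^(?:require|include)_once$").drop();
-sp.disable_function.function_r("^require|include$").drop();
+sp.disable_function.function("require_once").value_r("\.php$").allow();
+sp.disable_function.function("include_once").value_r("\.php$").allow();
+sp.disable_function.function("require").value_r("\.php$").allow();
+sp.disable_function.function("include").value_r("\.php$").allow();
+sp.disable_function.function("require_once").drop()
+sp.disable_function.function("include_once").drop()
+sp.disable_function.function("require").drop()
+sp.disable_function.function("include").drop()
 
 # Prevent `system`-related injections
 sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop();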
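Review bot: The four new `value_r("\.php$")` patterns on new lines 11–14 escape the dot with a single backslash, while every other pattern in this file — `"\\-"` in the hunk header, `"[$|;&`\\n]"` on line 21 and the replaced `"\\.(?:php|php7|inc|tpl)$"` lines — uses a doubled one. If the rules parser applies C-style escape processing to string literals, `\.` is either rejected or collapses to a bare `.`, and an allow rule keyed on `.php$` would then accept any character before `php` rather than a literal `.php` suffix, so the two conventions should not coexist. Unless the parser is known to pass `\.` through untouched, use `value_r("\\.php$")` to match the rest of the file. The replaced rules also accepted `php7`, `inc` and `tpl`, whereas the new ones accept only `php`; if that narrowing is intended, a comment above line 11 such as `# Only .php may be included; extend the suffix list if your code base includes .inc/.tpl files` would spare the next reader a bisect.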
diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 5a39cdf..e279e5f 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c | |||
| @@ -93,8 +93,8 @@ static bool is_local_var_matching( | |||
| 93 | return false; | 93 | return false; |
| 94 | } | 94 | } |
| 95 | 95 | ||
| 96 | static const sp_list_node* get_config_node(const char* builtin_name) { | 96 | static inline const sp_list_node* get_config_node(const char* builtin_name) { |
| 97 | if (!builtin_name) { | 97 | if (EXPECTED(!builtin_name)) { |
| 98 | return SNUFFLEUPAGUS_G(config) | 98 | return SNUFFLEUPAGUS_G(config) |
| 99 | .config_disabled_functions->disabled_functions; | 99 | .config_disabled_functions->disabled_functions; |
| 100 | } else if (!strcmp(builtin_name, "eval")) { | 100 | } else if (!strcmp(builtin_name, "eval")) { |
| @@ -217,20 +217,20 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, | |||
| 217 | const char* builtin_param, const char* builtin_param_name) { | 217 | const char* builtin_param, const char* builtin_param_name) { |
| 218 | char current_file_hash[SHA256_SIZE * 2 + 1] = {0}; | 218 | char current_file_hash[SHA256_SIZE * 2 + 1] = {0}; |
| 219 | const sp_list_node* config = get_config_node(builtin_name); | 219 | const sp_list_node* config = get_config_node(builtin_name); |
| 220 | char* complete_path_function = get_complete_function_path(execute_data); | 220 | char* complete_path_function = NULL; |
| 221 | char const* client_ip = getenv("REMOTE_ADDR"); | 221 | const char* current_filename = NULL; |
| 222 | const char* current_filename; | ||
| 223 | 222 | ||
| 224 | if (!config || !config->data) { | 223 | if (!config || !config->data) { |
| 225 | return false; | 224 | return false; |
| 226 | } | 225 | } |
| 227 | 226 | ||
| 228 | if (builtin_name && !strcmp(builtin_name, "eval")) { | 227 | if (UNEXPECTED(builtin_name && !strcmp(builtin_name, "eval"))) { |
| 229 | current_filename = get_eval_filename(zend_get_executed_filename()); | 228 | current_filename = get_eval_filename(zend_get_executed_filename()); |
| 230 | } else { | 229 | } else { |
| 231 | current_filename = zend_get_executed_filename(); | 230 | current_filename = zend_get_executed_filename(); |
| 232 | } | 231 | } |
| 233 | 232 | ||
| 233 | complete_path_function = get_complete_function_path(execute_data); | ||
| 234 | if (!complete_path_function) { | 234 | if (!complete_path_function) { |
| 235 | if (builtin_name) { | 235 | if (builtin_name) { |
| 236 | complete_path_function = estrdup(builtin_name); | 236 | complete_path_function = estrdup(builtin_name); |
| @@ -280,9 +280,11 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, | |||
| 280 | } | 280 | } |
| 281 | } | 281 | } |
| 282 | 282 | ||
| 283 | if (client_ip && config_node->cidr && | 283 | if (config_node->cidr) { |
| 284 | (false == cidr_match(client_ip, config_node->cidr))) { | 284 | char* client_ip = getenv("REMOTE_ADDR"); |
| 285 | goto next; | 285 | if (client_ip && false == cidr_match(client_ip, config_node->cidr)) { |
| 286 | goto next; | ||
| 287 | } | ||
| 286 | } | 288 | } |
| 287 | 289 | ||
| 288 | if (config_node->var) { | 290 | if (config_node->var) { |
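Review bot: The cidr block at new lines 283–288 applies a cidr-restricted rule to every request whenever `getenv("REMOTE_ADDR")` returns NULL, because `goto next` is only reachable with a non-NULL address; this was already the behaviour before the change, but now that the lookup is local to the block it deserves a comment, e.g. `/* No REMOTE_ADDR in the process environment (CLI, or a SAPI that does not export it): the cidr filter is skipped and the rule applies unconditionally. */`. Whether that direction is wanted depends on the rule: for a `drop()` it fails closed, but for an `allow()` restricted to a trusted range it widens the allow to everyone, so maintainers may prefer `goto next` when `client_ip` is NULL. Note too that this is the C-library `getenv`, which reads the real process environment; I believe not every SAPI copies CGI/FastCGI variables there, which is worth confirming before relying on the check. `should_disable` starts before this hunk and continues after it.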
diff --git a/src/sp_pcre_compat.c b/src/sp_pcre_compat.c index c3f1d86..795903d 100644 --- a/src/sp_pcre_compat.c +++ b/src/sp_pcre_compat.c | |||
| @@ -22,8 +22,8 @@ sp_pcre* sp_pcre_compile(const char* const pattern) { | |||
| 22 | return ret; | 22 | return ret; |
| 23 | } | 23 | } |
| 24 | 24 | ||
| 25 | bool sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, | 25 | bool ZEND_HOT sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, |
| 26 | size_t len) { | 26 | size_t len) { |
| 27 | int ret = 0; | 27 | int ret = 0; |
| 28 | 28 | ||
| 29 | assert(NULL != regexp); | 29 | assert(NULL != regexp); |
