diff options
Diffstat (limited to 'src/sp_execute.c')
| -rw-r--r-- | src/sp_execute.c | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/src/sp_execute.c b/src/sp_execute.c index 56d25c5..65a32db 100644 --- a/src/sp_execute.c +++ b/src/sp_execute.c | |||
| @@ -1,5 +1,4 @@ | |||
| 1 | #include "php_snuffleupagus.h" | 1 | #include "php_snuffleupagus.h" |
| 2 | #include "ext/standard/php_string.h" | ||
| 3 | 2 | ||
| 4 | static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL; | 3 | static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL; |
| 5 | static void (*orig_zend_execute_internal)(zend_execute_data *execute_data, | 4 | static void (*orig_zend_execute_internal)(zend_execute_data *execute_data, |
| @@ -11,11 +10,10 @@ static zend_result (*orig_zend_stream_open)(zend_file_handle *handle) = NULL; | |||
| 11 | #endif | 10 | #endif |
| 12 | 11 | ||
| 13 | // FIXME handle symlink | 12 | // FIXME handle symlink |
| 14 | ZEND_COLD static inline void terminate_if_writable(const char *filename) { | 13 | ZEND_COLD static inline void terminate_if_writable(char const* const filename) { |
| 15 | const sp_config_readonly_exec *config_ro_exec = &(SPCFG(readonly_exec)); | 14 | sp_config_readonly_exec const* const config_ro_exec = &(SPCFG(readonly_exec)); |
| 16 | char *errmsg = "unknown access problem"; | 15 | char const *errmsg = "unknown access problem"; |
| 17 | 16 | ||
| 18 | // check write access | ||
| 19 | if (0 == access(filename, W_OK)) { | 17 | if (0 == access(filename, W_OK)) { |
| 20 | errmsg = "Attempted execution of a writable file"; | 18 | errmsg = "Attempted execution of a writable file"; |
| 21 | goto violation; | 19 | goto violation; |
| @@ -29,21 +27,19 @@ ZEND_COLD static inline void terminate_if_writable(const char *filename) { | |||
| 29 | return; | 27 | return; |
| 30 | } | 28 | } |
| 31 | 29 | ||
| 32 | // check effective uid | ||
| 33 | struct stat buf; | 30 | struct stat buf; |
| 34 | if (0 != stat(filename, &buf)) { | 31 | if (0 != stat(filename, &buf)) { |
| 35 | goto err; | 32 | goto err; |
| 36 | } | 33 | } |
| 37 | if (buf.st_uid == geteuid()) { | 34 | if (buf.st_uid == geteuid()) { |
| 38 | errmsg = "Attempted execution of file owned by process"; | 35 | errmsg = "Attempted execution of a file owned by the PHP process"; |
| 39 | goto violation; | 36 | goto violation; |
| 40 | } | 37 | } |
| 41 | 38 | ||
| 42 | // check write access on directory | 39 | char *const dirname = estrndup(filename, strlen(filename)); |
| 43 | char *dirname = estrndup(filename, strlen(filename)); | ||
| 44 | php_dirname(dirname, strlen(dirname)); | 40 | php_dirname(dirname, strlen(dirname)); |
| 45 | if (0 == access(dirname, W_OK)) { | 41 | if (0 == access(dirname, W_OK)) { |
| 46 | errmsg = "Attempted execution of file in writable directory"; | 42 | errmsg = "Attempted execution of a file in a writable directory"; |
| 47 | efree(dirname); | 43 | efree(dirname); |
| 48 | goto violation; | 44 | goto violation; |
| 49 | } | 45 | } |
| @@ -52,18 +48,16 @@ ZEND_COLD static inline void terminate_if_writable(const char *filename) { | |||
| 52 | goto err; | 48 | goto err; |
| 53 | } | 49 | } |
| 54 | 50 | ||
| 55 | // check effecite uid of directory | ||
| 56 | if (0 != stat(dirname, &buf)) { | 51 | if (0 != stat(dirname, &buf)) { |
| 57 | efree(dirname); | 52 | efree(dirname); |
| 58 | goto err; | 53 | goto err; |
| 59 | } | 54 | } |
| 60 | efree(dirname); | 55 | efree(dirname); |
| 61 | if (buf.st_uid == geteuid()) { | 56 | if (buf.st_uid == geteuid()) { |
| 62 | errmsg = "Attempted execution of file in directory owned by process"; | 57 | errmsg = "Attempted execution of a file in directory owned by the PHP process"; |
| 63 | goto violation; | 58 | goto violation; |
| 64 | } | 59 | } |
| 65 | 60 | ||
| 66 | // we would actually need to check all parent directories as well, but that task is left for other tools | ||
| 67 | return; | 61 | return; |
| 68 | 62 | ||
| 69 | violation: | 63 | violation: |