| Age | Commit message (Collapse) | Author |
|---|
|
|
|
setcookie() is always URL encoded, urlencode is only turned off for setrawcookie().
Turning it off breaks cookies that have a value containing certain characters (namely spaces)
https://github.com/php/php-src/blob/685e99655ae97c667950f7f7d176985958718f56/ext/standard/head.c#L97
|
|
|
|
|
|
|
|
|
|
When the `php` logging facility is used, the error could have been caught by
using `set_error_handler` and whatnot. This commit ensures that if the
`.drop()` option is set, we're calling `zend_bailout()` that can't be caught.
An attacker could have used this issue to silently perform some recon of the
running environment. This isn't considered a vulnerability as an attacker
with arbitrary php code execution can simply use the use-after-free of the day
to gain arbitrary (native) code execution anyway, after detecting that
Snuffleupagus is in use, to take little risks of detection.
|
|
|
|
```
========DIFF========
001- OK
001+ Fatal error: Uncaught ValueError: setcookie(): "partitioned" option cannot be used without "secure" option in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php:2
002+ Stack trace:
003+ #0 /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php(2): setcookie('super_cookie', 'super_value')
004+ #1 {main}
005+ thrown in /builddir/build/BUILD/snuffleupagus-1c7598c432551d0c49c2c57f249ccd5ccabce638/src/tests/samesite_cookies.php on line 2
========DONE========
FAIL Cookie samesite [tests/samesite_cookies.phpt]
```
Even though the warning might be spurious, let's fix this properly, by
initialising `partitioned` to false, and by setting it only if `secure` is set
as well.
|
|
|
|
|
|
```
Program terminated with signal SIGSEGV, Segmentation fault.
20 if (!(func->common.function_name)) {
(gdb) info locals
func = 0x0
function_name = 0xffb25f6d0190 "SearchByCallback"
complete_path_function = 0xffb26c8a0570 "\240\005\212l\262\377"
```
It seems that in some callback shenanigans, there is currently no non-NULL
`func` member in execute_data. PHP truly is marvelous.
This should close #515
|
|
|
|
sp_log_debug() does not take a feature as first argument:
src/sp_wrapper.c: In function 'sp_reregister_php_wrapper':
src/sp_utils.h:61:53: warning: too many arguments for format [-Wformat-extra-args]
61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sp_wrapper.c:144:3: note: in expansion of macro 'sp_log_debug'
144 | sp_log_debug(LOG_FEATURE, "Stream \"php\" successfully re-registered");
| ^~~~~~~~~~~~
|
|
Please GCC conversion warning:
src/sp_upload_validation.c: In function 'sp_rfc1867_callback':
src/sp_utils.h:61:53: warning: format '%lld' expects argument of type 'long long int', but argument 7 has type 'zend_long' {aka 'long int'} [-Wformat=]
61 | if (sp_debug_stderr > 0) dprintf(sp_debug_stderr, "[snuffleupagus][DEBUG] %s(): " fmt "\n", __FUNCTION__, ##__VA_ARGS__);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/sp_upload_validation.c:48:7: note: in expansion of macro 'sp_log_debug'
48 | sp_log_debug("Filename: %s\nTmpname: %s\nSize: %zd\nError: %lld\nScript: %s",
| ^~~~~~~~~~~~
|
|
Do not dereference the hash key for cookie encryption if it's NULL:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 zend_string_equal_content (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:386
No locals.
#1 zend_string_equals (s1=0x79bdb92170f0, s2=0x0) at /usr/include/php/20240924/Zend/zend_string.h:391
No locals.
#2 sp_match_value (value=0x0, to_match=0x79bdb92170f0, rx=0x0) at ./src/sp_utils.c:273
No locals.
#3 0x00007989377b0709 in sp_lookup_cookie_config (key=0x0) at ./src/sp_cookie_encryption.c:8
config = 0x79bdb92158d0
it = 0x79ae80dabd00
it = <optimized out>
config = <optimized out>
#4 decrypt_cookie (pDest=0x79893b6787c0, num_args=<optimized out>, args=<optimized out>, hash_key=0x7ffe657c3880) at ./src/sp_cookie_encryption.c:19
cookie = <optimized out>
#5 0x000061875aac52df in zend_hash_apply_with_arguments ()
No symbol table info available.
#6 0x00007989377ae74b in zm_activate_snuffleupagus (type=<optimized out>, module_number=<optimized out>) at ./src/snuffleupagus.c:228
config_wrapper = 0x7989377c3490 <snuffleupagus_globals+144>
#7 0x000061875aa21710 in zend_activate_modules ()
No symbol table info available.
#8 0x000061875a9a7f18 in php_request_startup ()
No symbol table info available.
|
|
|
|
People are usually well-aware of the outdatedness of the PHP version they're
running, which is likely why they're running Snuffleupagus in the first place.
This feature shouldn't have been enabled by default, and I fail to see any case
where anyone would want to enable it. Moreover, it doesn't take LTS versions
from vendors/distributions into account, thus breaking on RHEL/Debian (old)stable.
|
|
|
|
Spotted by @kpcyrd
|
|
|
|
|
|
PHP changed some includes for PHP8.4. This commit also adds php8.4-rc to the CI
This fixes #497 and #496
Reported-by: rainerjung
|
|
|
|
No need to use an ulong, an uint is more than enough for our usecases.
This fixes the following warning:
```
src/sp_config.c:207:20: runtime error: store to misaligned address 0x796d1f9a78d4 for type 'u_long', which requires 8 byte alignment
0x796d1f9a78d4: note: pointer points here
00 00 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
#0 0x796d1f92251a in parse_ulong src/sp_config.c:207
#1 0x796d1f9239a9 in sp_process_rule src/sp_config.c:76
#2 0x796d1f92404f in sp_process_config_root src/sp_config.c:31
#3 0x796d1f96770d in sp_config_scan src/sp_config_scanner.c:1482
#4 0x796d1f922cd3 in sp_parse_config src/sp_config.c:62
#5 0x796d1f91e6cf in OnUpdateConfiguration src/snuffleupagus.c:522
#6 0x598aae727646 in zend_register_ini_entries_ex (/usr/bin/php8.2+0x36d646) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#7 0x796d1f91cae1 in zm_startup_snuffleupagus src/snuffleupagus.c:121
#8 0x598aae6b70df in zend_startup_module_ex (/usr/bin/php8.2+0x2fd0df) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#9 0x598aae6b717f (/usr/bin/php8.2+0x2fd17f) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#10 0x598aae6c566a in zend_hash_apply (/usr/bin/php8.2+0x30b66a) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#11 0x598aae64c0b5 in php_module_startup (/usr/bin/php8.2+0x2920b5) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#12 0x598aae4e2265 (/usr/bin/php8.2+0x128265) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
#13 0x796d21b4dc89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#14 0x796d21b4dd44 in __libc_start_main_impl ../csu/libc-start.c:360
#15 0x598aae4e3550 in _start (/usr/bin/php8.2+0x129550) (BuildId: 5228f916ded87172ddf0f3eca448f1e43874d60f)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/sp_config.c:207:20 in
```
|
|
This should fix the following compilation issue:
```
/wrkdirs/usr/ports/security/snuffleupagus/work-php83/snuffleupagus-0.10.0/src/sp_utils.c:438:37: error: too few arguments provided to function-like macro invocation
438 | memcpy(mb_name, ZEND_STRL("mb_"));
| ^
/usr/include/ssp/string.h:117:9: note: macro 'memcpy' defined here
117 | #define memcpy(dst, src, len) __ssp_bos_check3(memcpy, dst, src, len)
```
|
|
|
|
Not sure this is needed, but better safe than sorry.
|
|
|
|
In addition of the current possibility to filter wrappers by their
protocol name, also add the option to filter the "php" wrapper by the
requested kind.
Especially the 'filter' backend can be disabled that way.
|
|
Annotate the common logging function sp_log_msgf() with the format
attribute so compilers can check the used format string and passed
arguments for discrepancies.
Adjust the lineno printing by using %zu and the type size_t
consistently.
|
|
src/sp_unserialize.c: In function 'zif_sp_unserialize':
src/sp_unserialize.c:131:15: warning: unused variable 'orig_handler' [-Wunused-variable]
131 | zif_handler orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize"));
| ^~~~~~~~~~~~
|
|
|
|
|
|
|
|
Adjusts casts to void dropping const qualifiers. This helps to avoid
mistakes, e.g. modifying string literals.
Also use size_t for length, similar to the upstream php interfaces.
|
|
Avoid missing prototype warnings by declaring variables and functions
that are only used in a single file static.
|
|
Use the special value void as parameter for functions taking nor
argument.
|
|
|
|
Please GCC:
In file included from /usr/include/php/20220829/Zend/zend.h:30,
from /usr/include/php/20220829/main/php.h:31,
from /usr/include/php/20220829/main/SAPI.h:20,
from src/php_snuffleupagus.h:37,
from src/sp_ifilter.c:1:
src/sp_pcre_compat.h: In function 'sp_regexp_compile':
src/sp_pcre_compat.h:38:36: warning: '__zend_calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
38 | sp_regexp *ret = pecalloc(sizeof(sp_regexp), 1, 1);
| ^~~~~~~~~
/usr/include/php/20220829/Zend/zend_alloc.h:199:72: note: in definition of macro 'pecalloc'
199 | #define pecalloc(nmemb, size, persistent) ((persistent)?__zend_calloc((nmemb), (size)):ecalloc((nmemb), (size)))
| ^~~~~
src/sp_pcre_compat.h:38:36: note: earlier argument should specify number of elements, later size of each element
38 | sp_regexp *ret = pecalloc(sizeof(sp_regexp), 1, 1);
| ^~~~~~~~~
/usr/include/php/20220829/Zend/zend_alloc.h:199:72: note: in definition of macro 'pecalloc'
199 | #define pecalloc(nmemb, size, persistent) ((persistent)?__zend_calloc((nmemb), (size)):ecalloc((nmemb), (size)))
| ^~~~~
|
|
|
|
|
|
|
|
This should help diagnose https://github.com/jvoisin/snuffleupagus/issues/477
|
|
On violations of INI settings include the key and if appropriate the
value in the log message. This helps to locate offenders and fine tune
the configuration itself.
|
|
|
|
|
|
|
|
|
|
typo
|
