From 309481168de02f2dee5a4266359d72866442f665 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 5 Mar 2018 14:25:25 +0100 Subject: Improve a bit the performances (+10%) --- config/default.rules | 12 ++++++++---- src/sp_disabled_functions.c | 20 +++++++++++--------- src/sp_pcre_compat.c | 4 ++-- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/config/default.rules b/config/default.rules index 7e3ee53..a5ea3d1 100644 --- a/config/default.rules +++ b/config/default.rules @@ -8,10 +8,14 @@ sp.disable_function.function("mail").param("additional_parameters").value_r("\\- sp.disable_function.function("putenv").param("setting").value_r("LD_").drop() ##Prevent various `include`-related vulnerabilities -sp.disable_function.function_r("^(?:require|include)_once$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^require|include$").value_r("\\.(?:php|php7|inc|tpl)$").allow(); -sp.disable_function.function_r("^(?:require|include)_once$").drop(); -sp.disable_function.function_r("^require|include$").drop(); +sp.disable_function.function("require_once").value_r("\.php$").allow(); +sp.disable_function.function("include_once").value_r("\.php$").allow(); +sp.disable_function.function("require").value_r("\.php$").allow(); +sp.disable_function.function("include").value_r("\.php$").allow(); +sp.disable_function.function("require_once").drop() +sp.disable_function.function("include_once").drop() +sp.disable_function.function("require").drop() +sp.disable_function.function("include").drop() # Prevent `system`-related injections sp.disable_function.function("system").param("command").value_r("[$|;&`\\n]").drop(); diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index 5a39cdf..e279e5f 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -93,8 +93,8 @@ static bool is_local_var_matching( return false; } -static const sp_list_node* get_config_node(const char* builtin_name) { - if (!builtin_name) { +static inline const sp_list_node* get_config_node(const char* builtin_name) { + if (EXPECTED(!builtin_name)) { return SNUFFLEUPAGUS_G(config) .config_disabled_functions->disabled_functions; } else if (!strcmp(builtin_name, "eval")) { @@ -217,20 +217,20 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, const char* builtin_param, const char* builtin_param_name) { char current_file_hash[SHA256_SIZE * 2 + 1] = {0}; const sp_list_node* config = get_config_node(builtin_name); - char* complete_path_function = get_complete_function_path(execute_data); - char const* client_ip = getenv("REMOTE_ADDR"); - const char* current_filename; + char* complete_path_function = NULL; + const char* current_filename = NULL; if (!config || !config->data) { return false; } - if (builtin_name && !strcmp(builtin_name, "eval")) { + if (UNEXPECTED(builtin_name && !strcmp(builtin_name, "eval"))) { current_filename = get_eval_filename(zend_get_executed_filename()); } else { current_filename = zend_get_executed_filename(); } + complete_path_function = get_complete_function_path(execute_data); if (!complete_path_function) { if (builtin_name) { complete_path_function = estrdup(builtin_name); @@ -280,9 +280,11 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, } } - if (client_ip && config_node->cidr && - (false == cidr_match(client_ip, config_node->cidr))) { - goto next; + if (config_node->cidr) { + char* client_ip = getenv("REMOTE_ADDR"); + if (client_ip && false == cidr_match(client_ip, config_node->cidr)) { + goto next; + } } if (config_node->var) { diff --git a/src/sp_pcre_compat.c b/src/sp_pcre_compat.c index c3f1d86..795903d 100644 --- a/src/sp_pcre_compat.c +++ b/src/sp_pcre_compat.c @@ -22,8 +22,8 @@ sp_pcre* sp_pcre_compile(const char* const pattern) { return ret; } -bool sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, - size_t len) { +bool ZEND_HOT sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, + size_t len) { int ret = 0; assert(NULL != regexp); -- cgit v1.3