From 8070f622122344ae52b55c3f80e43a1733ae59e2 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Mon, 6 Nov 2017 14:24:24 +0100 Subject: 53 absolute path (#62) * Add error for relative path--- config/examples.ini | 30 +++++++++++----------- src/sp_config_keywords.c | 9 +++++-- src/tests/broken_conf_invalid_filename.phpt | 9 +++++++ src/tests/config/broken_conf_invalid_filename.ini | 1 + .../config_disabled_functions_param_allow.ini | 2 +- src/tests/config/disabled_functions.ini | 2 +- 6 files changed, 34 insertions(+), 19 deletions(-) create mode 100644 src/tests/broken_conf_invalid_filename.phpt create mode 100644 src/tests/config/broken_conf_invalid_filename.ini
diff --git a/config/examples.ini b/config/examples.ini
index c522f1a..68a363d 100644
--- a/config/examples.ini
+++ b/config/examples.ini
@@ -1,47 +1,47 @@
 # Restrict system calls to specific file
-sp.disable_function.function("system").filename("update.php").allow();
+sp.disable_function.function("system").filename("/update.php").allow();
 sp.disable_function.function("system").drop();
 # Restrict system calls to specific file with a specific hash
-sp.disable_function.function("system").filename("update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
+sp.disable_function.function("system").filename("/update.php").hash("d27c6c5686bc129716b6aac8dfefe2d519a80eb6cc144e97ad42c728d423eed0").allow();
 sp.disable_function.function("system").drop();
 # AbanteCart 1.2.8 - Multiple SQL Injections
-sp.disable_function.filename("static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
-sp.disable_function.filename("core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
-sp.disable_function.filename("admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
+sp.disable_function.filename("/static_pages/index.php").var("_SERVER[PHP_SELF").value_r("\"").drop().alias("XSS");
+sp.disable_function.filename("/core/lib/language_manager.php").function("ALanguageManager>_clone_language_rows").param("from_language").value_r("[^0-9]").drop();
+sp.disable_function.filename("/admin/model/tool/backup.php").function("ModelToolBackup>createBackupTask").param("data[table_list]").value_r("'").drop();
 # Redaxo 5.2.0: Remote Code Execution via CSRF # See for details
-sp.disable_function.filename("redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
+sp.disable_function.filename("/redaxo/src/addons/structure/pages/linkmap.php").function("substr").param("string").value_r("\"").drop();
 # Guest Post: Vtiger 6.5.0 - SQL Injection
-sp.disable_function.filename("modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
+sp.disable_function.filename("/modules/Calendar/Activity.php").function("save_module").param("query").value_r("[^0-9;]").drop();
 # The State of Wordpress Security # All In One WP Security & Firewall
-sp.disable_function.filename("admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
+sp.disable_function.filename("/admin/wp-security-dashboard-menu.php").function("render_tab3").var("_REQUEST[tab]]").value_r("\"").drop();
 # PHPKit 1.6.6: Code Execution for Privileged Users
-sp.disable_function.filename("pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
+sp.disable_function.filename("/pkinc/func/default.php").function("move_uploaded_file").param("destination").value_r("\\.ph\\.+$").drop();
 # Coppermine 1.5.42: Second-Order Command Execution
-sp.disable_function.filename("include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
-sp.disable_function.filename("forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
+sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();
+sp.disable_function.filename("/forgot_passwd.php").function("cpg_db_query").var("CLEAN[id]").value_r("[^a-z0-9]").drop();
 # CVE-2014-1610 - Mediawiki RCE
-sp.disable_function.filename("includes/media/DjVu.php")
-sp.disable_function.filename("includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
+sp.disable_function.filename("/includes/media/DjVu.php")
+sp.disable_function.filename("/includes/media/ImageHandler.php").var("_GET[page]").value_r("[^0-9]").drop()
 # CVE-2017-1001000 - https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
-sp.disable_function.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
-sp.disable_function.filename("wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
\ No newline at end of file
+sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_GET[id]").value_r("[^0-9]").drop();
+sp.disable_function.filename("/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php").function("register_routes").var("_POST[id]").value_r("[^0-9]").drop();
diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c
index b1b22b5..34b855a 100644
--- a/src/sp_config_keywords.c
+++ b/src/sp_config_keywords.c
@@ -197,7 +197,7 @@ int parse_disabled_functions(char *line) {
 MUTUALLY_EXCLUSIVE(df->ret, df->r_ret, "r_ret", "ret");
 #undef MUTUALLY_EXCLUSIVE
- if (1 < ((df->r_param?1:0) + (df->param?1:0) + ((-1 != df->pos)?1:0))) {
+ if (1 < ((df->r_param?1:0) + (df->param?1:0) + ((-1 != df->pos)?1:0))) {
 sp_log_err("config",
 "Invalid configuration line: 'sp.disabled_functions%s':"
 "'.r_param', '.param' and '.pos' are mutually exclusive on line %zu.",
@@ -215,6 +215,12 @@ int parse_disabled_functions(char *line) {
 " must take a function name on line %zu.",
 line, sp_line_no);
 return -1;
+ } else if (df->filename && *df->filename != '/') {
+ sp_log_err("config",
+ "Invalid configuration line: 'sp.disabled_functions%s':"
+ "'.filename' must be an absolute path on line %zu.",
+ line, sp_line_no);
+ return -1;
 } else if (!(allow ^ drop)) {
 sp_log_err("config",
 "Invalid configuration line: 'sp.disabled_functions%s': The "
@@ -244,7 +250,6 @@ int parse_disabled_functions(char *line) {
 return -1;
 }
 }
- df->allow = allow;
 if (df->function) {
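Review bot: The rewritten Coppermine rule `+sp.disable_function.filename("/include/imageobject_im.class.php").function("exec").var("CONFIG[im_options]).value_r("[^a-z0-9]").drop();` still carries the unbalanced quote in `var("CONFIG[im_options])`, so the example cannot parse as written; it should read `.var("CONFIG[im_options]")`. The two Mediawiki lines in the same hunk end without `;` and the `DjVu.php` one has no action at all, which reads like one rule split across two lines and is worth fixing while the file is being touched. Because `filename` must now be absolute, every example starts at the filesystem root (`/update.php`, `/forgot_passwd.php`), which is unlikely to be where those scripts live; a comment above the first rule such as `# filename() takes an absolute path; replace /update.php with the real location of the script` would stop users copying a rule that never matches, assuming the value is compared literally against the script path (that comparison is not in this diff).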
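Review bot: The new branch `} else if (df->filename && *df->filename != '/') {` inspects only the first byte, so values such as `//x`, `/./x` or `/www/../etc/x` are accepted as "absolute" while a path that is absolute on a non-POSIX host or is given through a stream wrapper is rejected; whether either case matters depends on how `df->filename` is later compared, which is outside this hunk. A short comment on the branch stating the intent would help readers, e.g. `/* A leading '/' is required; the value is otherwise stored verbatim — presumably matched against the executing script's full path, confirm in the matcher */`, tightened once that comparison has been checked. The other two hunks in this file are a whitespace-only change to the `if (1 < ...)` line and the removal of a blank line, and need nothing. parse_disabled_functions starts and ends outside these hunks.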
diff --git a/src/tests/broken_conf_invalid_filename.phpt b/src/tests/broken_conf_invalid_filename.phpt
new file mode 100644
index 0000000..61b967b
--- /dev/null
+++ b/src/tests/broken_conf_invalid_filename.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Broken configuration filename without absolute path
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_invalid_filename.ini
+--FILE--
+--EXPECTF--
+[snuffleupagus][0.0.0.0][config][error] Invalid configuration line: 'sp.disabled_functions.function("sprintf").filename("wrong file name").drop();':'.filename' must be an absolute path on line 1.
diff --git a/src/tests/config/broken_conf_invalid_filename.ini b/src/tests/config/broken_conf_invalid_filename.ini
new file mode 100644
index 0000000..1be3b51
--- /dev/null
+++ b/src/tests/config/broken_conf_invalid_filename.ini
@@ -0,0 +1 @@
+sp.disable_function.function("sprintf").filename("wrong file name").drop();
diff --git a/src/tests/config/config_disabled_functions_param_allow.ini b/src/tests/config/config_disabled_functions_param_allow.ini
index aa86f52..8e139e4 100644
--- a/src/tests/config/config_disabled_functions_param_allow.ini
+++ b/src/tests/config/config_disabled_functions_param_allow.ini
@@ -1,3 +1,3 @@
-sp.disable_function.function("system").param("command").value("echo win").filename("test.php").drop();
+sp.disable_function.function("system").param("command").value("echo win").filename("/test.php").drop();
 sp.disable_function.function("system").param("command").value("echo win").allow();
 sp.disable_function.function("system").drop();
diff --git a/src/tests/config/disabled_functions.ini b/src/tests/config/disabled_functions.ini
index 18aab27..226a107 100644
--- a/src/tests/config/disabled_functions.ini
+++ b/src/tests/config/disabled_functions.ini
@@ -4,5 +4,5 @@ sp.disable_function.function("printf").disable().drop();
 sp.disable_function.function("printf").simulation().drop();
 sp.disable_function.function("print").disable().drop(); # this is a comment
 sp.disable_function.function_r("^var_dump$").drop();
-sp.disable_function.function("sprintf").filename("wrong file name").drop();
+sp.disable_function.function("sprintf").filename("/wrong file name").drop();
 sp.disable_function.function("eval").drop();
-- cgit v1.3