From c463edcee51dfab4358f1aff5a70c2f2f940a20b Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 5 Jan 2018 11:07:15 +0100
Subject: Fix a bypass in our eval blacklist

---
 src/php_snuffleupagus.h | 2 +-
 src/snuffleupagus.c | 2 +-
 src/sp_disabled_functions.c | 2 +-
 src/sp_execute.c | 4 ++--
 src/tests/nested_eval_blacklist2.phpt | 28 ++++++++++++++++++++++++++++
 5 files changed, 33 insertions(+), 5 deletions(-)
 create mode 100644 src/tests/nested_eval_blacklist2.phpt

diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h
index fb90d1c..ca39bb8 100644
--- a/src/php_snuffleupagus.h
+++ b/src/php_snuffleupagus.h
@@ -58,7 +58,7 @@ extern zend_module_entry snuffleupagus_module_entry;
 #endif
 ZEND_BEGIN_MODULE_GLOBALS(snuffleupagus)
-bool in_eval;
+size_t in_eval;
 sp_config config;
 bool is_config_valid;
 HashTable *disabled_functions_hook;
diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c
index a3a2fa8..4f11e1e 100644
--- a/src/snuffleupagus.c
+++ b/src/snuffleupagus.c
@@ -53,7 +53,7 @@ ZEND_DLEXPORT zend_extension zend_extension_entry = {
 STANDARD_ZEND_EXTENSION_PROPERTIES};
 PHP_GINIT_FUNCTION(snuffleupagus) {
- snuffleupagus_globals->in_eval = false;
+ snuffleupagus_globals->in_eval = 0;
 #define SP_INIT(F) F = pecalloc(sizeof(*F), 1, 1);
 #define SP_INIT_HT(F) \
diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c
index 45b8954..d59dd93 100644
--- a/src/sp_disabled_functions.c
+++ b/src/sp_disabled_functions.c
@@ -464,7 +464,7 @@ ZEND_FUNCTION(eval_filter_callback) {
 void (*orig_handler)(INTERNAL_FUNCTION_PARAMETERS);
 const char* current_function_name = get_active_function_name(TSRMLS_C);
- if (SNUFFLEUPAGUS_G(in_eval) == true) {
+ if (SNUFFLEUPAGUS_G(in_eval) > 0) {
 const char* filename = get_eval_filename(zend_get_executed_filename());
 const int line_number = zend_get_executed_lineno(TSRMLS_C);
 if (1 == SNUFFLEUPAGUS_G(config).config_eval->simulation) {
diff --git a/src/sp_execute.c b/src/sp_execute.c
index a50bfd5..3ce6643 100644
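Review bot: The `in_eval` field in php_snuffleupagus.h turns from a flag into a nesting counter but gets no comment, so a reader cannot tell why it is now a `size_t` or which code is responsible for keeping it balanced. I would annotate the new line, `size_t in_eval; /* depth of eval()'d frames currently executing; ++/-- in sp_execute_ex, read by eval_filter_callback */`, since the maintaining code lives in two other files touched by this commit. ZEND_BEGIN_MODULE_GLOBALS opens the struct inside the hunk but its closing macro is outside it.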
--- a/src/sp_execute.c
+++ b/src/sp_execute.c
@@ -68,7 +68,7 @@ static void sp_execute_ex(zend_execute_data *execute_data) {
 }
 if (execute_data->func->op_array.type == ZEND_EVAL_CODE) {
- SNUFFLEUPAGUS_G(in_eval) = true;
+ SNUFFLEUPAGUS_G(in_eval)++;
 sp_list_node *config = SNUFFLEUPAGUS_G(config).config_disabled_constructs->construct_eval;
 char *filename = get_eval_filename((char *)zend_get_executed_filename());
@@ -88,7 +88,7 @@ static void sp_execute_ex(zend_execute_data *execute_data) {
 sp_terminate();
 }
- SNUFFLEUPAGUS_G(in_eval) = false;
+ SNUFFLEUPAGUS_G(in_eval)--;
 }
 static int sp_stream_open(const char *filename, zend_file_handle *handle) {
diff --git a/src/tests/nested_eval_blacklist2.phpt b/src/tests/nested_eval_blacklist2.phpt
new file mode 100644
index 0000000..3b13e30
--- /dev/null
+++ b/src/tests/nested_eval_blacklist2.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Eval blacklist - nested eval, with a twist
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/eval_backlist.ini
+--FILE--
+
+--EXPECTF--
+Outside of eval: 14
+Inception lvl 1...
+Inception lvl 2...
+Inception lvl 3...
+[snuffleupagus][0.0.0.0][eval][drop] A call to strlen was tried in eval, in %a/tests/nested_eval_blacklist2.php(5) : eval()'d code:7, dropping it.
-- cgit v1.3
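Review bot: The `++` at @@ -68 and the `--` at @@ -88 stay balanced only if control always reaches the end of the `ZEND_EVAL_CODE` block; the same block calls `sp_terminate()` right before the decrement and the lines between the two hunks are not shown, so any non-local exit from sp_execute_ex (a bailout on a fatal error, or `sp_terminate()` itself if it does not return) would leave the counter raised. The only reset is `snuffleupagus_globals->in_eval = 0` in PHP_GINIT_FUNCTION (snuffleupagus.c hunk), which as far as I know runs at module/thread startup rather than per request, so a stuck counter would make `eval_filter_callback` treat every later call in that worker as eval'd code and drop blacklisted functions outside eval. Resetting it per request in a PHP_RINIT_FUNCTION, `SNUFFLEUPAGUS_G(in_eval) = 0;`, bounds that to a single request, and a comment on the decrement, `/* paired with the ++ above; an unbalanced exit leaves the eval blacklist armed */`, would record the invariant. sp_execute_ex's body continues between these two hunks.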