From f3d5d251875ee7f854a3df38709eedef4c6d1a31 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Tue, 10 Aug 2021 16:45:40 +0200 Subject: prevent option to be enabled and then disabled --- src/tests/broken_configuration/config/broken_conf_enable_disable2.ini | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 src/tests/broken_configuration/config/broken_conf_enable_disable2.ini (limited to 'src/tests/broken_configuration/config') diff --git a/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini b/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini new file mode 100644 index 0000000..39d97cc --- /dev/null +++ b/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini @@ -0,0 +1,2 @@ +sp.global_strict.enable(); +sp.global_strict.disable(); -- cgit v1.3 From 06701d94ce1d043203abad603a4b7d0fc213e860 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Tue, 10 Aug 2021 16:58:12 +0200 Subject: filename typo --- src/tests/broken_configuration/broken_conf_enable_disable.phpt | 2 +- src/tests/broken_configuration/broken_conf_upload_validation.phpt | 2 +- src/tests/broken_configuration/config/borken_conf_enable_disable.ini | 1 - src/tests/broken_configuration/config/borken_conf_upload_validation.ini | 1 - src/tests/broken_configuration/config/broken_conf_enable_disable.ini | 1 + src/tests/broken_configuration/config/broken_conf_upload_validation.ini | 1 + src/tests/broken_configuration_php8/broken_conf_enable_disable.phpt | 2 +- src/tests/broken_configuration_php8/broken_conf_upload_validation.phpt | 2 +- .../broken_configuration_php8/config/borken_conf_enable_disable.ini | 1 - .../broken_configuration_php8/config/borken_conf_upload_validation.ini | 1 - 10 files changed, 6 insertions(+), 8 deletions(-) delete mode 100644 src/tests/broken_configuration/config/borken_conf_enable_disable.ini delete mode 100644 src/tests/broken_configuration/config/borken_conf_upload_validation.ini create mode 100644 src/tests/broken_configuration/config/broken_conf_enable_disable.ini create mode 100644 src/tests/broken_configuration/config/broken_conf_upload_validation.ini delete mode 100644 src/tests/broken_configuration_php8/config/borken_conf_enable_disable.ini delete mode 100644 src/tests/broken_configuration_php8/config/borken_conf_upload_validation.ini (limited to 'src/tests/broken_configuration/config') diff --git a/src/tests/broken_configuration/broken_conf_enable_disable.phpt b/src/tests/broken_configuration/broken_conf_enable_disable.phpt index eeba04a..6ca95ea 100644 --- a/src/tests/broken_configuration/broken_conf_enable_disable.phpt +++ b/src/tests/broken_configuration/broken_conf_enable_disable.phpt @@ -4,7 +4,7 @@ Global strict mode = 80000) print "skip"; ?> --INI-- -sp.configuration_file={PWD}/config/borken_conf_enable_disable.ini +sp.configuration_file={PWD}/config/broken_conf_enable_disable.ini --FILE-- --EXPECTF-- PHP Fatal error: [snuffleupagus][0.0.0.0][config][log] A rule can't be enabled and disabled on line 1 in Unknown on line 0 diff --git a/src/tests/broken_configuration/broken_conf_upload_validation.phpt b/src/tests/broken_configuration/broken_conf_upload_validation.phpt index 4b65339..9d36078 100644 --- a/src/tests/broken_configuration/broken_conf_upload_validation.phpt +++ b/src/tests/broken_configuration/broken_conf_upload_validation.phpt @@ -4,7 +4,7 @@ Invalid configuration file for upload validation = 80000) print "skip"; ?> --INI-- file_uploads=1 -sp.configuration_file={PWD}/config/borken_conf_upload_validation.ini +sp.configuration_file={PWD}/config/broken_conf_upload_validation.ini --FILE-- --INI-- -sp.configuration_file={PWD}/config/borken_conf_enable_disable.ini +sp.configuration_file={PWD}/../broken_configuration/config/broken_conf_enable_disable.ini --FILE-- --EXPECTF-- diff --git a/src/tests/broken_configuration_php8/broken_conf_upload_validation.phpt b/src/tests/broken_configuration_php8/broken_conf_upload_validation.phpt index 9edede6..d022e3e 100644 --- a/src/tests/broken_configuration_php8/broken_conf_upload_validation.phpt +++ b/src/tests/broken_configuration_php8/broken_conf_upload_validation.phpt @@ -4,7 +4,7 @@ Invalid configuration file for upload validation --INI-- file_uploads=1 -sp.configuration_file={PWD}/config/borken_conf_upload_validation.ini +sp.configuration_file={PWD}/../broken_configuration/config/broken_conf_upload_validation.ini --FILE-- lineno); + return SP_PARSER_ERROR; + } + if (zend_string_equals_literal(SPCFG(encryption_key), "YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.") || + zend_string_equals_literal(SPCFG(encryption_key), "c6a0e02b3b818f7559d5f85303d8fe44")) { + sp_log_err("config", "The encryption key set on line %zu is an unchanged dummy value. please use a unique secret.", parsed_rule->lineno); + return SP_PARSER_ERROR; + } + } + return SP_PARSER_STOP; } diff --git a/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini b/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini index 503889b..6b43b71 100644 --- a/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini +++ b/src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini @@ -1,2 +1,2 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name("my_cookie_name").name_r("my_cookie_regexp").encrypt(); diff --git a/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini b/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini index 048e404..43a4284 100644 --- a/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini +++ b/src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini @@ -1,3 +1,3 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name("").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini b/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini index 4fe92fd..817de14 100644 --- a/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini +++ b/src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini @@ -1,3 +1,3 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name_r("^super_co[a-z+$").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/broken_configuration/config/config_encryption_key_short.ini b/src/tests/broken_configuration/config/config_encryption_key_short.ini new file mode 100644 index 0000000..7de4438 --- /dev/null +++ b/src/tests/broken_configuration/config/config_encryption_key_short.ini @@ -0,0 +1 @@ +sp.global.secret_key("abcdef"); diff --git a/src/tests/broken_configuration/encrypt_key_too_short.phpt b/src/tests/broken_configuration/encrypt_key_too_short.phpt new file mode 100644 index 0000000..fe80be1 --- /dev/null +++ b/src/tests/broken_configuration/encrypt_key_too_short.phpt @@ -0,0 +1,23 @@ +--TEST-- +Cookie encryption key too short +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/config_encryption_key_short.ini +--COOKIE-- +--ENV-- +return << +--EXPECT-- +PHP Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0 + +Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0 + +Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] Invalid configuration file in Unknown on line 0 +Could not startup. \ No newline at end of file diff --git a/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt b/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt index 5383df6..ef83154 100644 --- a/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt +++ b/src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt @@ -2,11 +2,12 @@ Cookie decryption in ipv4 --SKIPIF-- += 80000) print "skip"; ?> --INI-- sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini error_reporting=1 --COOKIE-- -super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value; +super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value; --ENV-- return << --INI-- -sp.configuration_file={PWD}/config/broken_conf_cookie_name_and_regexp.ini +sp.configuration_file={PWD}/../broken_configuration/config/broken_conf_cookie_name_and_regexp.ini --FILE-- --EXPECT-- diff --git a/src/tests/broken_configuration_php8/config/broken_conf_cookie_name_and_regexp.ini b/src/tests/broken_configuration_php8/config/broken_conf_cookie_name_and_regexp.ini index 503889b..6b43b71 100644 --- a/src/tests/broken_configuration_php8/config/broken_conf_cookie_name_and_regexp.ini +++ b/src/tests/broken_configuration_php8/config/broken_conf_cookie_name_and_regexp.ini @@ -1,2 +1,2 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name("my_cookie_name").name_r("my_cookie_regexp").encrypt(); diff --git a/src/tests/broken_configuration_php8/config/config_encrypted_cookies_noname.ini b/src/tests/broken_configuration_php8/config/config_encrypted_cookies_noname.ini index 048e404..43a4284 100644 --- a/src/tests/broken_configuration_php8/config/config_encrypted_cookies_noname.ini +++ b/src/tests/broken_configuration_php8/config/config_encrypted_cookies_noname.ini @@ -1,3 +1,3 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name("").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/broken_configuration_php8/config/config_encrypted_regexp_cookies_bad_regexp.ini b/src/tests/broken_configuration_php8/config/config_encrypted_regexp_cookies_bad_regexp.ini index 4fe92fd..817de14 100644 --- a/src/tests/broken_configuration_php8/config/config_encrypted_regexp_cookies_bad_regexp.ini +++ b/src/tests/broken_configuration_php8/config/config_encrypted_regexp_cookies_bad_regexp.ini @@ -1,3 +1,3 @@ -sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); +sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR"); sp.cookie.name_r("^super_co[a-z+$").encrypt(); sp.auto_cookie_secure.enable(); diff --git a/src/tests/broken_configuration_php8/encrypt_key_too_short.phpt b/src/tests/broken_configuration_php8/encrypt_key_too_short.phpt new file mode 100644 index 0000000..c14785e --- /dev/null +++ b/src/tests/broken_configuration_php8/encrypt_key_too_short.phpt @@ -0,0 +1,22 @@ +--TEST-- +Cookie encryption key too short +--SKIPIF-- + + +--INI-- +sp.configuration_file={PWD}/../broken_configuration/config/config_encryption_key_short.ini +--COOKIE-- +--ENV-- +return << +--EXPECT-- +Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0 + +Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] Invalid configuration file in Unknown on line 0 +Could not startup. \ No newline at end of file diff --git a/src/tests/broken_configuration_php8/encrypt_regexp_cookies_bad_regexp.phpt b/src/tests/broken_configuration_php8/encrypt_regexp_cookies_bad_regexp.phpt index 5383df6..6796c5b 100644 --- a/src/tests/broken_configuration_php8/encrypt_regexp_cookies_bad_regexp.phpt +++ b/src/tests/broken_configuration_php8/encrypt_regexp_cookies_bad_regexp.phpt @@ -6,7 +6,7 @@ Cookie decryption in ipv4 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini error_reporting=1 --COOKIE-- -super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value; +super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value; --ENV-- return << --EXPECT-- -s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1 +s:1:"a";cdbc93e593656164d448db33e4668a3f30fa794d6658016365f7eb453d48b022 diff --git a/src/tests/unserialize/unserialize_sim.phpt b/src/tests/unserialize/unserialize_sim.phpt index 9bff2c1..1256c23 100644 --- a/src/tests/unserialize/unserialize_sim.phpt +++ b/src/tests/unserialize/unserialize_sim.phpt @@ -7,12 +7,13 @@ sp.configuration_file={PWD}/config/config_serialize_sim.ini --FILE-- --EXPECTF-- -s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1string(1) "a" +s:1:"a";cdbc93e593656164d448db33e4668a3f30fa794d6658016365f7eb453d48b022 +string(1) "a" Warning: [snuffleupagus][0.0.0.0][unserialize][simulation] Invalid HMAC for s:1:"a";alyualskdufyhalkdjsfh in %a/unserialize_sim.php on line 5 string(1) "a" diff --git a/src/tests/unserialize_php8/config/config_serialize.ini b/src/tests/unserialize_php8/config/config_serialize.ini index 7de4438..e107f15 100644 --- a/src/tests/unserialize_php8/config/config_serialize.ini +++ b/src/tests/unserialize_php8/config/config_serialize.ini @@ -1 +1 @@ -sp.global.secret_key("abcdef"); +sp.global.secret_key("abcdefGHIJ"); -- cgit v1.3 From 0462573a7678468b19bc4865c75f7b82dbedbe03 Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Fri, 19 Nov 2021 16:47:08 +0100 Subject: added old php version check --- src/php_snuffleupagus.h | 1 + src/snuffleupagus.c | 13 +++++++++++++ src/sp_config.h | 1 + src/sp_config_keywords.c | 3 ++- .../config/broken_conf_enable_disable2.ini | 1 + .../broken_conf_enable_disable2.phpt | 5 ----- 6 files changed, 18 insertions(+), 6 deletions(-) (limited to 'src/tests/broken_configuration/config') diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 03c9bb6..8fcbd58 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h @@ -127,6 +127,7 @@ bool config_server_encode; bool config_server_strip; zend_string *config_encryption_key; zend_string *config_cookies_env_var; +bool config_show_old_php_warning; HashTable *config_disabled_functions; HashTable *config_disabled_functions_hooked; diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c index c96a911..e3ecd72 100644 --- a/src/snuffleupagus.c +++ b/src/snuffleupagus.c @@ -276,6 +276,9 @@ static PHP_INI_MH(OnUpdateConfiguration) { return FAILURE; } + // set some defaults + SPCFG(show_old_php_warning) = true; + char *str = new_value->val; while (1) { @@ -365,6 +368,16 @@ static PHP_INI_MH(OnUpdateConfiguration) { (SPCFG(disabled_functions) && zend_hash_num_elements(SPCFG(disabled_functions))) || (SPCFG(disabled_functions) && zend_hash_num_elements(SPCFG(disabled_functions_ret))); + if (SPCFG(show_old_php_warning)) { + time_t ts = time(NULL); + sp_log_debug("foo"); + if (PHP_VERSION_ID < 70300 || + PHP_VERSION_ID < 70400 && ts >= (time_t)1638745200L || + PHP_VERSION_ID < 80000 && ts >= (time_t)1669590000L || + PHP_VERSION_ID < 80100 && ts >= (time_t)1700953200L) { + sp_log_warn("End-of-Life Check", "Your PHP version '" PHP_VERSION "' is not officially mainained anymore. Please upgrade as soon as possible."); + } + } return SUCCESS; } diff --git a/src/sp_config.h b/src/sp_config.h index a557105..1a891c1 100644 --- a/src/sp_config.h +++ b/src/sp_config.h @@ -262,6 +262,7 @@ typedef struct { #define SP_TOKEN_SERVER_STRIP "server_strip" #define SP_TOKEN_SID_MIN_LENGTH "sid_min_length" #define SP_TOKEN_SID_MAX_LENGTH "sid_max_length" +#define SP_TOKEN_SHOW_OLD_PHP_WARNING "show_old_php_warning" // upload_validator #define SP_TOKEN_UPLOAD_SCRIPT "script" diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index cf44ed9..cbe4966 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -1,7 +1,7 @@ #include "php_snuffleupagus.h" #define SP_SET_ENABLE_DISABLE(enable, disable, varname) \ - if (((varname) || enable) && disable) { \ + if (enable && disable) { \ sp_log_err("config", "A rule can't be enabled and disabled on line %zu", parsed_rule->lineno); \ return SP_PARSER_ERROR; \ } \ @@ -133,6 +133,7 @@ SP_PARSE_FN(parse_global) { {parse_ulong, SP_TOKEN_MAX_EXECUTION_DEPTH, &(SPCFG(max_execution_depth))}, {parse_enable, SP_TOKEN_SERVER_ENCODE, &(SPCFG(server_encode))}, {parse_enable, SP_TOKEN_SERVER_STRIP, &(SPCFG(server_strip))}, + {parse_enable, SP_TOKEN_SHOW_OLD_PHP_WARNING, &(SPCFG(show_old_php_warning))}, {0, 0, 0}}; SP_PROCESS_CONFIG_KEYWORDS_ERR(); diff --git a/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini b/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini index 39d97cc..7ed0c16 100644 --- a/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini +++ b/src/tests/broken_configuration/config/broken_conf_enable_disable2.ini @@ -1,2 +1,3 @@ sp.global_strict.enable(); sp.global_strict.disable(); +;; this is actually not recognised as broken, as there is no internal third state for 'unset' diff --git a/src/tests/broken_configuration_php8/broken_conf_enable_disable2.phpt b/src/tests/broken_configuration_php8/broken_conf_enable_disable2.phpt index efe5538..2446663 100644 --- a/src/tests/broken_configuration_php8/broken_conf_enable_disable2.phpt +++ b/src/tests/broken_configuration_php8/broken_conf_enable_disable2.phpt @@ -7,8 +7,3 @@ Global strict mode sp.configuration_file={PWD}/../broken_configuration/config/broken_conf_enable_disable2.ini --FILE-- --EXPECTF-- - -Fatal error: [snuffleupagus][0.0.0.0][config][log] A rule can't be enabled and disabled on line 2 in Unknown on line 0 - -Fatal error: [snuffleupagus][0.0.0.0][config][log] Invalid configuration file in Unknown on line 0 -Could not startup. -- cgit v1.3