From 2392c46836ceea520fa2a45369c8d638aadb943c Mon Sep 17 00:00:00 2001 From: Ben Fuhrmannek Date: Fri, 6 Aug 2021 20:23:52 +0200 Subject: implemented ini settings protection --- src/config.m4 | 1 + src/php_snuffleupagus.h | 1 + src/snuffleupagus.c | 46 ++++++++++++----- src/sp_config.c | 13 +++++ src/sp_config.h | 26 +++++++++- src/sp_config_keywords.c | 77 +++++++++++++++++++++++++++++ src/sp_config_keywords.h | 2 + src/sp_ini.c | 126 +++++++++++++++++++++++++++++++++++++++++++++++ src/sp_ini.h | 2 + 9 files changed, 281 insertions(+), 13 deletions(-) create mode 100644 src/sp_ini.c create mode 100644 src/sp_ini.h (limited to 'src') diff --git a/src/config.m4 b/src/config.m4 index e4cc1f5..1410565 100644 --- a/src/config.m4 +++ b/src/config.m4 @@ -7,6 +7,7 @@ sources="$sources sp_disabled_functions.c sp_execute.c sp_upload_validation.c" sources="$sources sp_cookie_encryption.c sp_network_utils.c tweetnacl.c" sources="$sources sp_config_keywords.c sp_var_parser.c sp_var_value.c sp_tree.c" sources="$sources sp_pcre_compat.c sp_crypt.c sp_session.c sp_sloppy.c sp_wrapper.c" +sources="$sources sp_ini.c" PHP_ARG_ENABLE(snuffleupagus, whether to enable snuffleupagus support, [ --enable-snuffleupagus Enable snuffleupagus support]) diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h index 5b2b414..be4d306 100644 --- a/src/php_snuffleupagus.h +++ b/src/php_snuffleupagus.h @@ -85,6 +85,7 @@ typedef void (*zif_handler)(INTERNAL_FUNCTION_PARAMETERS); #include "sp_session.h" #include "sp_sloppy.h" #include "sp_wrapper.h" +#include "sp_ini.h" extern zend_module_entry snuffleupagus_module_entry; #define phpext_snuffleupagus_ptr &snuffleupagus_module_entry diff --git a/src/snuffleupagus.c b/src/snuffleupagus.c index 8c7ecbf..2ee94a1 100644 --- a/src/snuffleupagus.c +++ b/src/snuffleupagus.c @@ -81,18 +81,6 @@ static PHP_GINIT_FUNCTION(snuffleupagus) { snuffleupagus_globals->is_config_valid = SP_CONFIG_NONE; snuffleupagus_globals->in_eval = 0; -#define SP_INIT_HT(F) \ - snuffleupagus_globals->F = pemalloc(sizeof(*(snuffleupagus_globals->F)), 1); \ - zend_hash_init(snuffleupagus_globals->F, 10, NULL, NULL, 1); - SP_INIT_HT(disabled_functions_hook); - SP_INIT_HT(sp_internal_functions_hook); - SP_INIT_HT(sp_eval_blacklist_functions_hook); - SP_INIT_HT(config.config_disabled_functions); - SP_INIT_HT(config.config_disabled_functions_hooked); - SP_INIT_HT(config.config_disabled_functions_ret); - SP_INIT_HT(config.config_disabled_functions_ret_hooked); -#undef SP_INIT_HT - #define SP_INIT(F) \ snuffleupagus_globals->config.F = \ pecalloc(sizeof(*(snuffleupagus_globals->config.F)), 1, 1); @@ -109,10 +97,24 @@ static PHP_GINIT_FUNCTION(snuffleupagus) { SP_INIT(config_eval); SP_INIT(config_wrapper); SP_INIT(config_session); + SP_INIT(config_ini); SP_INIT(config_disabled_functions_reg); SP_INIT(config_disabled_functions_reg_ret); #undef SP_INIT +#define SP_INIT_HT(F) \ + snuffleupagus_globals->F = pemalloc(sizeof(*(snuffleupagus_globals->F)), 1); \ + zend_hash_init(snuffleupagus_globals->F, 10, NULL, NULL, 1); + SP_INIT_HT(disabled_functions_hook); + SP_INIT_HT(sp_internal_functions_hook); + SP_INIT_HT(sp_eval_blacklist_functions_hook); + SP_INIT_HT(config.config_disabled_functions); + SP_INIT_HT(config.config_disabled_functions_hooked); + SP_INIT_HT(config.config_disabled_functions_ret); + SP_INIT_HT(config.config_disabled_functions_ret_hooked); + SP_INIT_HT(config.config_ini->entries); +#undef SP_INIT_HT + #define SP_INIT_NULL(F) snuffleupagus_globals->config.F = NULL; SP_INIT_NULL(config_disabled_functions_reg->disabled_functions); SP_INIT_NULL(config_disabled_functions_reg_ret->disabled_functions); @@ -131,6 +133,11 @@ PHP_MINIT_FUNCTION(snuffleupagus) { } PHP_MSHUTDOWN_FUNCTION(snuffleupagus) { + sp_log_debug("(MSHUTDOWN)"); + unhook_functions(SNUFFLEUPAGUS_G(sp_internal_functions_hook)); + unhook_functions(SNUFFLEUPAGUS_G(disabled_functions_hook)); + unhook_functions(SNUFFLEUPAGUS_G(sp_eval_blacklist_functions_hook)); + if (SNUFFLEUPAGUS_G(config).config_ini->enable) { sp_unhook_ini(); } UNREGISTER_INI_ENTRIES(); return SUCCESS; @@ -142,6 +149,12 @@ static inline void free_disabled_functions_hashtable(HashTable *const ht) { ZEND_HASH_FOREACH_END(); } +static inline void free_config_ini_entries(HashTable *const ht) { + void *ptr = NULL; + ZEND_HASH_FOREACH_PTR(ht, ptr) { sp_free_ini_entry(ptr); pefree(ptr, 1); } + ZEND_HASH_FOREACH_END(); +} + static PHP_GSHUTDOWN_FUNCTION(snuffleupagus) { sp_log_debug("(GSHUTDOWN)"); #define FREE_HT(F) \ @@ -158,6 +171,9 @@ static PHP_GSHUTDOWN_FUNCTION(snuffleupagus) { FREE_HT_LIST(config_disabled_functions_ret); FREE_HT_LIST(config_disabled_functions_ret_hooked); #undef FREE_HT_LIST + + free_config_ini_entries(snuffleupagus_globals->config.config_ini->entries); + FREE_HT(config.config_ini->entries); #undef FREE_HT #define FREE_LST_DISABLE(L) \ @@ -174,6 +190,7 @@ static PHP_GSHUTDOWN_FUNCTION(snuffleupagus) { FREE_LST(config_wrapper->whitelist); #undef FREE_LST + #define FREE_CFG(C) pefree(snuffleupagus_globals->config.C, 1); #define FREE_CFG_ZSTR(C) sp_free_zstr(snuffleupagus_globals->config.C); FREE_CFG(config_random); @@ -194,6 +211,7 @@ static PHP_GSHUTDOWN_FUNCTION(snuffleupagus) { FREE_CFG(config_eval); FREE_CFG(config_wrapper); FREE_CFG(config_session); + FREE_CFG(config_ini); FREE_CFG(config_disabled_functions_reg); FREE_CFG(config_disabled_functions_reg_ret); #undef FREE_CFG @@ -332,6 +350,10 @@ static PHP_INI_MH(OnUpdateConfiguration) { hook_execute(); hook_cookies(); + if (SNUFFLEUPAGUS_G(config).config_ini->enable) { + sp_hook_ini(); + } + if (true == SNUFFLEUPAGUS_G(config).config_global_strict->enable) { if (!zend_get_extension(PHP_SNUFFLEUPAGUS_EXTNAME)) { zend_extension_entry.startup = NULL; diff --git a/src/sp_config.c b/src/sp_config.c index db3f12d..667867b 100644 --- a/src/sp_config.c +++ b/src/sp_config.c @@ -23,6 +23,8 @@ static sp_config_tokens const sp_func[] = { {.func = parse_session, .token = SP_TOKEN_SESSION_ENCRYPTION}, {.func = parse_sloppy_comparison, .token = SP_TOKEN_SLOPPY_COMPARISON}, {.func = parse_wrapper_whitelist, .token = SP_TOKEN_ALLOW_WRAPPERS}, + {.func = parse_ini_protection, .token = ".ini_protection"}, + {.func = parse_ini_entry, .token = ".ini"}, {NULL, NULL}}; /* Top level keyword parsing */ @@ -281,3 +283,14 @@ void sp_free_zstr(void *data) { zend_string_release_ex((zend_string*)data, 1); } } + +void sp_free_ini_entry(void *data) { + sp_ini_entry *entry = data; + + sp_free_zstr(entry->key); + sp_free_zstr(entry->min); + sp_free_zstr(entry->max); + sp_pcre_free(entry->regexp); + sp_free_zstr(entry->msg); + sp_free_zstr(entry->set); +} \ No newline at end of file diff --git a/src/sp_config.h b/src/sp_config.h index f3b64a6..bd2530a 100644 --- a/src/sp_config.h +++ b/src/sp_config.h @@ -30,6 +30,8 @@ typedef enum { typedef enum { SP_ZEND = 0, SP_SYSLOG = 1 } sp_log_media; +typedef enum { SP_UNSET = 0, SP_READONLY = 1, SP_READWRITE = -1 } sp_ini_permission; + typedef struct { int ip_version; union { @@ -162,6 +164,26 @@ typedef struct { bool enable; } sp_config_upload_validation; +typedef struct { + zend_string *key; + sp_ini_permission access; + zend_string *min; + zend_string *max; + sp_pcre *regexp; + bool simulation; + zend_string *msg; + zend_string *set; + PHP_INI_MH((*orig_onmodify)); +} sp_ini_entry; + +typedef struct { + bool enable; + bool simulation; + // sp_ini_permission access_policy; + bool policy_readonly; + HashTable *entries; // ht of sp_ini_entry +} sp_config_ini; + typedef struct { sp_config_random *config_random; sp_config_sloppy *config_sloppy; @@ -176,6 +198,7 @@ typedef struct { sp_config_eval *config_eval; sp_config_wrapper *config_wrapper; sp_config_session *config_session; + sp_config_ini *config_ini; bool hook_execute; char log_media; @@ -215,6 +238,7 @@ typedef struct { #define SP_TOKEN_EVAL_WHITELIST ".eval_whitelist" #define SP_TOKEN_SLOPPY_COMPARISON ".sloppy_comparison" #define SP_TOKEN_ALLOW_WRAPPERS ".wrappers_whitelist" +#define SP_TOKEN_INI ".ini" // common tokens #define SP_TOKEN_ENABLE ".enable(" @@ -284,6 +308,6 @@ int parse_list(char *restrict, char *restrict, void *); void sp_free_disabled_function(void *data); void sp_free_cookie(void *data); void sp_free_zstr(void *data); - +void sp_free_ini_entry(void *data); #endif /* SP_CONFIG_H */ diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index 8080eec..e6eb05e 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -562,3 +562,80 @@ int parse_upload_validation(char *line) { return ret; } + +int parse_ini_protection(char *line) { + bool disable = false, enable = false; + bool rw = false, ro = false; // rw is ignored, but declaring .policy_rw is valid for readability + sp_config_functions sp_config_ini_protection[] = { + {parse_empty, SP_TOKEN_ENABLE, &(enable)}, + {parse_empty, SP_TOKEN_DISABLE, &(disable)}, + {parse_empty, SP_TOKEN_SIMULATION, &(SNUFFLEUPAGUS_G(config).config_ini->simulation)}, + {parse_empty, ".policy_readonly(", &ro}, + {parse_empty, ".policy_ro(", &ro}, + {parse_empty, ".policy_readwrite(", &rw}, + {parse_empty, ".policy_rw(", &rw}, + {0, 0, 0}}; + + int ret = parse_keywords(sp_config_ini_protection, line); + if (ret) { return ret; } + + if (enable && disable) { + sp_log_err("config", "A rule can't be enabled and disabled on line %zu", + sp_line_no); + return -1; + } + if (enable || disable) { + SNUFFLEUPAGUS_G(config).config_ini->enable = (enable || !disable); + } + + if (ro && rw) { + sp_log_err("config", "rule cannot be both read-write and read-only on line %zu", sp_line_no); + return -1; + } + SNUFFLEUPAGUS_G(config).config_ini->policy_readonly = ro; + + return ret; +} + +int parse_ini_entry(char *line) { + sp_ini_entry *entry = pecalloc(sizeof(sp_ini_entry), 1, 1); + bool rw = false, ro = false; + + sp_config_functions sp_config_ini_protection[] = { + {parse_empty, SP_TOKEN_SIMULATION, &entry->simulation}, + {parse_str, ".key(", &entry->key}, + {parse_str, ".msg(", &entry->msg}, + {parse_str, ".set(", &entry->set}, + {parse_str, ".min(", &entry->min}, + {parse_str, ".max(", &entry->max}, + {parse_regexp, ".regexp(", &entry->regexp}, + {parse_empty, ".readonly(", &ro}, + {parse_empty, ".ro(", &ro}, + {parse_empty, ".readwrite()", &rw}, + {parse_empty, ".rw()", &rw}, + {0, 0, 0}}; + + int ret = parse_keywords(sp_config_ini_protection, line); + if (ret) { goto err; } + + if (!entry->key) { + sp_log_err("config", "A .key() must be provided on line %zu", sp_line_no); + ret = -1; goto err; + } + + if (ro && rw) { + sp_log_err("config", "rule cannot be both read-write and read-only on line %zu", sp_line_no); + ret = -1; goto err; + } + entry->access = ro - rw; + + zend_hash_add_ptr(SNUFFLEUPAGUS_G(config).config_ini->entries, entry->key, entry); + return ret; + +err: + if (entry) { + sp_free_ini_entry(entry); + pefree(entry, 1); + } + return ret; +} \ No newline at end of file diff --git a/src/sp_config_keywords.h b/src/sp_config_keywords.h index a279cc9..b90c06c 100644 --- a/src/sp_config_keywords.h +++ b/src/sp_config_keywords.h @@ -18,5 +18,7 @@ int parse_session(char *line); int parse_sloppy_comparison(char *line); int parse_wrapper_whitelist(char *line); int parse_log_media(char *line); +int parse_ini_protection(char *line); +int parse_ini_entry(char *line); #endif // __SP_CONFIG_KEYWORDS_H diff --git a/src/sp_ini.c b/src/sp_ini.c new file mode 100644 index 0000000..05d7d99 --- /dev/null +++ b/src/sp_ini.c @@ -0,0 +1,126 @@ +#include "php_snuffleupagus.h" + +#define SP_INI_HAS_CHECKS_COND(entry) (entry->min || entry->max || entry->regexp) +#define SP_INI_ACCESS_READONLY_COND(entry, cfg) (entry->access == SP_READONLY || (!entry->access && cfg->policy_readonly)) + +static bool /* success */ sp_ini_check(zend_string *varname, zend_string *new_value, sp_ini_entry **sp_entry_p) { + if (!varname || ZSTR_LEN(varname) == 0) { + return false; + } + + sp_config_ini *cfg = SNUFFLEUPAGUS_G(config).config_ini; + sp_ini_entry *entry = zend_hash_find_ptr(cfg->entries, varname); + if (sp_entry_p) { + *sp_entry_p = entry; + } + bool simulation = (cfg->simulation || (entry && entry->simulation)); + + if (!entry) { + if (cfg->policy_readonly) { + sp_log_auto("ini_protection", simulation, "INI setting is read-only"); + if (simulation) { return true; } + return false; + } + return true; + } + + if (SP_INI_ACCESS_READONLY_COND(entry, cfg)) { + sp_log_auto("ini_protection", simulation, "%s", (entry->msg ? ZSTR_VAL(entry->msg) : "INI setting is read-only")); + if (simulation) { return true; } + return false; + } + + if (!new_value && SP_INI_HAS_CHECKS_COND(entry)) { + sp_log_auto("ini_protection", simulation, "new INI value must not be NULL"); + if (simulation) { return true; } + return false; + } + + if (entry->min || entry->max) { + zend_long lvalue = zend_atol(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); + if ((entry->min && zend_atol(ZSTR_VAL(entry->min), ZSTR_LEN(entry->min)) > lvalue) || + (entry->max && zend_atol(ZSTR_VAL(entry->max), ZSTR_LEN(entry->max)) < lvalue)) { + sp_log_auto("ini_protection", simulation, "%s", (entry->msg ? ZSTR_VAL(entry->msg) : "INI value out of range")); + if (simulation) { return true; } + return false; + } + } + + if (entry->regexp) { + if (!sp_is_regexp_matching_len(entry->regexp, ZSTR_VAL(new_value), ZSTR_LEN(new_value))) { + sp_log_auto("ini_protection", simulation, "%s", (entry->msg ? ZSTR_VAL(entry->msg) : "INI value does not match regex")); + if (simulation) { return true; } + return false; + } + } + + return true; +} + +static PHP_INI_MH(sp_ini_onmodify) { + zend_ini_entry *ini_entry = entry; + sp_ini_entry *sp_entry = NULL; + + sp_log_debug("%s =? %s", ZSTR_VAL(ini_entry->name), ZSTR_VAL(new_value)); + if (!sp_ini_check(ini_entry->name, new_value, &sp_entry)) { + return FAILURE; + } + + if (sp_entry && sp_entry->orig_onmodify) { + return sp_entry->orig_onmodify(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage); + } + + return SUCCESS; +} + +void sp_hook_ini() { + sp_config_ini *cfg = SNUFFLEUPAGUS_G(config).config_ini; + sp_ini_entry *sp_entry; + zend_ini_entry *ini_entry; + ZEND_HASH_FOREACH_PTR(cfg->entries, sp_entry) + sp_log_debug("hook entry `%s`", ZSTR_VAL(sp_entry->key)); + if ((ini_entry = zend_hash_find_ptr(EG(ini_directives), sp_entry->key)) == NULL) { + sp_log_warn("ini_protection", "Cannot hook INI var `%s`. Maybe a typo or the PHP extension providing this var is not loaded yet.", ZSTR_VAL(sp_entry->key)); + continue; + } + if (SP_INI_ACCESS_READONLY_COND(sp_entry, cfg)) { + ini_entry->modifiable = ini_entry->orig_modifiable = 0; + } + PHP_INI_MH((*orig_onmodify)) = ini_entry->on_modify; + + if (SP_INI_HAS_CHECKS_COND(sp_entry) || SP_INI_ACCESS_READONLY_COND(sp_entry, cfg)) { + // only hook on_modify if there is any check to perform + sp_entry->orig_onmodify = ini_entry->on_modify; + ini_entry->on_modify = sp_ini_onmodify; + } + + if (sp_entry->set) { + zend_string *duplicate = zend_string_copy(sp_entry->set); + + if (!orig_onmodify || orig_onmodify(ini_entry, duplicate, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, ZEND_INI_STAGE_STARTUP) == SUCCESS) { + ini_entry->value = duplicate; + } else { + zend_string_release(duplicate); + sp_log_warn("ini_protection", "Failed to set INI var `%s`.", ZSTR_VAL(sp_entry->key)); + continue; + } + } + ZEND_HASH_FOREACH_END(); +} + +void sp_unhook_ini() { + sp_ini_entry *sp_entry; + zend_ini_entry *ini_entry; + ZEND_HASH_FOREACH_PTR(SNUFFLEUPAGUS_G(config).config_ini->entries, sp_entry) + if (!sp_entry->orig_onmodify) { + // not hooked or no original onmodify + continue; + } + if ((ini_entry = zend_hash_find_ptr(EG(ini_directives), sp_entry->key)) == NULL) { + // unusual. ini entry is missing. + continue; + } + ini_entry->on_modify = sp_entry->orig_onmodify; + sp_entry->orig_onmodify = NULL; + ZEND_HASH_FOREACH_END(); +} diff --git a/src/sp_ini.h b/src/sp_ini.h new file mode 100644 index 0000000..5869539 --- /dev/null +++ b/src/sp_ini.h @@ -0,0 +1,2 @@ +void sp_hook_ini(); +void sp_unhook_ini(); \ No newline at end of file -- cgit v1.3