From ca3be84076521c4bb053511775c94c0b195aeac8 Mon Sep 17 00:00:00 2001 From: kkadosh Date: Thu, 28 Jun 2018 21:43:40 +0000 Subject: Better handling of filters for builtins --- src/sp_config_keywords.c | 9 +++---- src/sp_crypt.c | 6 ++--- src/sp_disabled_functions.c | 31 +++++++++++++++++++--- src/sp_session.c | 14 +++------- .../config/disabled_functions_drop_include.ini | 4 +++ .../disabled_functions_drop_include_simulation.ini | 4 +++ src/tests/disabled_functions_drop_include.phpt | 28 +++++++++++++++++++ ...disabled_functions_drop_include_simulation.phpt | 28 +++++++++++++++++++ 8 files changed, 101 insertions(+), 23 deletions(-) create mode 100644 src/tests/config/disabled_functions_drop_include.ini create mode 100644 src/tests/config/disabled_functions_drop_include_simulation.ini create mode 100644 src/tests/disabled_functions_drop_include.phpt create mode 100644 src/tests/disabled_functions_drop_include_simulation.phpt (limited to 'src') diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c index f702f4d..cc1f0f9 100644 --- a/src/sp_config_keywords.c +++ b/src/sp_config_keywords.c @@ -61,8 +61,7 @@ static int parse_enable(char *line, bool *restrict retval, } int parse_session(char *line) { - sp_config_session *session = - pecalloc(sizeof(sp_config_session), 1, 0); + sp_config_session *session = pecalloc(sizeof(sp_config_session), 1, 0); sp_config_functions sp_config_funcs_session_encryption[] = { {parse_empty, SP_TOKEN_ENCRYPT, &(session->encrypt)}, @@ -95,10 +94,8 @@ int parse_session(char *line) { } } - SNUFFLEUPAGUS_G(config).config_session->encrypt = - session->encrypt; - SNUFFLEUPAGUS_G(config).config_session->simulation = - session->simulation; + SNUFFLEUPAGUS_G(config).config_session->encrypt = session->encrypt; + SNUFFLEUPAGUS_G(config).config_session->simulation = session->simulation; pefree(session, 0); return ret; } diff --git a/src/sp_crypt.c b/src/sp_crypt.c index 55ae37b..6a46d06 100644 --- a/src/sp_crypt.c +++ b/src/sp_crypt.c 
@@ -64,9 +64,9 @@ int decrypt_zval(zval *pDest, bool simulation, zend_hash_key *hash_key) { } } - - if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES < ZSTR_LEN(debase64)) { - if (true == simulation) { + if (ZSTR_LEN(debase64) + (size_t)crypto_secretbox_ZEROBYTES < + ZSTR_LEN(debase64)) { + if (true == simulation) { sp_log_msg( "cookie_encryption", SP_LOG_SIMULATION, "Integer overflow tentative detected in cookie encryption handling " diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index eeee007..341c0a4 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -248,6 +248,23 @@ static zend_execute_data* is_file_matching( #undef ITERATE } +static bool check_is_builtin_name( + sp_disabled_function const* const config_node) { + if (config_node->function) { + return (!strcmp(config_node->function, "include") || + !strcmp(config_node->function, "include_once") || + !strcmp(config_node->function, "require") || + !strcmp(config_node->function, "require_once")); + } + if (config_node->r_function) { + return (sp_is_regexp_matching(config_node->r_function, "include") || + sp_is_regexp_matching(config_node->r_function, "include_once") || + sp_is_regexp_matching(config_node->r_function, "require") || + sp_is_regexp_matching(config_node->r_function, "require_once")); + } + return false; +} + bool should_disable(zend_execute_data* execute_data, const char* builtin_name, const char* builtin_param, const char* builtin_param_name) { char current_file_hash[SHA256_SIZE * 2 + 1] = {0}; @@ -303,13 +320,11 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, goto next; } } - if (config_node->line) { if (config_node->line != zend_get_executed_lineno()) { goto next; } } - if (config_node->filename || config_node->r_filename) { zend_execute_data* ex = is_file_matching(execute_data, config_node, current_filename); 
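Review bot: `check_is_builtin_name` in src/sp_disabled_functions.c spells out the four inclusion constructs twice, once in the `strcmp` chain and once in the `sp_is_regexp_matching` chain, and carries no comment saying that it inspects the rule's configured filter rather than the call being executed. In a helper that decides whether a value filter is applied, the two lists drifting apart would silently change which rules are enforced. A single static table walked by one loop keeps them in sync, and a header comment documents the intent. The rewrite below is meant to behave exactly like the code in the hunk.

```c
/* True when the rule's function filter targets include/require (literal or regexp). */
static bool check_is_builtin_name(
    sp_disabled_function const* const config_node) {
  static const char* const inclusion_names[] = {"include", "include_once",
                                                "require", "require_once"};
  for (size_t i = 0; i < sizeof(inclusion_names) / sizeof(inclusion_names[0]);
       i++) {
    if (config_node->function) {
      if (!strcmp(config_node->function, inclusion_names[i])) {
        return true;
      }
    } else if (config_node->r_function &&
               sp_is_regexp_matching(config_node->r_function,
                                     inclusion_names[i])) {
      return true;
    }
  }
  return false;
}
```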
@@ -327,7 +342,6 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, goto next; } } - if (config_node->var) { if (false == is_local_var_matching(execute_data, config_node)) { goto next; @@ -360,8 +374,17 @@ bool should_disable(zend_execute_data* execute_data, const char* builtin_name, } } - /* Everything matched.*/ + if (config_node->value_r || config_node->value) { + if (check_is_builtin_name(config_node)) { + if (false == is_param_matching(execute_data, config_node, builtin_name, + builtin_param, &arg_name, + builtin_param_name, &arg_value_str)) { + goto next; + } + } + } + /* Everything matched.*/ if (true == config_node->allow) { goto allow; } diff --git a/src/sp_session.c b/src/sp_session.c index 4085007..ce852ad 100644 --- a/src/sp_session.c +++ b/src/sp_session.c @@ -21,7 +21,6 @@ static int (*old_s_write)(PS_WRITE_ARGS); static int (*previous_sessionRINIT)(INIT_FUNC_ARGS) = NULL; static ZEND_INI_MH((*old_OnUpdateSaveHandler)) = NULL; - static int sp_hook_s_read(PS_READ_ARGS) { int r = old_s_read(mod_data, key, val, maxlifetime); if (r == SUCCESS && SNUFFLEUPAGUS_G(config).config_session->encrypt && @@ -31,8 +30,7 @@ static int sp_hook_s_read(PS_READ_ARGS) { ZVAL_PSTRINGL(&val_zval, ZSTR_VAL(*val), ZSTR_LEN(*val)); int ret = decrypt_zval( - &val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation, - NULL); + &val_zval, SNUFFLEUPAGUS_G(config).config_session->simulation, NULL); if (0 != ret) { if (SNUFFLEUPAGUS_G(config).config_session->simulation) { return ret; @@ -51,10 +49,8 @@ static int sp_hook_s_read(PS_READ_ARGS) { return r; } - static int sp_hook_s_write(PS_WRITE_ARGS) { - if (ZSTR_LEN(val) > 0 && - SNUFFLEUPAGUS_G(config).config_session->encrypt) { + if (ZSTR_LEN(val) > 0 && SNUFFLEUPAGUS_G(config).config_session->encrypt) { zend_string *new_val = encrypt_zval(ZSTR_VAL(val), ZSTR_LEN(val)); return old_s_write(mod_data, key, new_val, maxlifetime); } 
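Review bot: The new value check in `should_disable` is gated on `check_is_builtin_name(config_node)`, that is, on what the rule names, not on the `builtin_name` argument that says what is actually being evaluated. With an `r_function` rule, any pattern that happens to match one of the four literals switches the gate on for every call the rule reaches. Conversely, any construct passed in through `builtin_name` other than those four skips the value filter and falls through to `/* Everything matched.*/`, so a `value`/`value_r` rule would then drop or allow regardless of the argument. If `builtin_name` is non-NULL exactly for language constructs (not visible in this hunk), replacing the two nested conditions with `if (builtin_name && (config_node->value_r || config_node->value)) {` would express the intent directly. The body of `should_disable` starts and ends outside the hunk, so the earlier parameter checks could not be reviewed here.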
@@ -92,11 +88,9 @@ static void sp_hook_session_module() { static PHP_INI_MH(sp_OnUpdateSaveHandler) { if (stage == PHP_INI_STAGE_RUNTIME && - SESSION_G(session_status) == php_session_none && - s_original_mod && + SESSION_G(session_status) == php_session_none && s_original_mod && zend_string_equals_literal(new_value, "user") == 0 && - strcmp(((ps_module *)s_original_mod)->s_name, "user") == - 0) { + strcmp(((ps_module *)s_original_mod)->s_name, "user") == 0) { return SUCCESS; } diff --git a/src/tests/config/disabled_functions_drop_include.ini b/src/tests/config/disabled_functions_drop_include.ini new file mode 100644 index 0000000..0b10f65 --- /dev/null +++ b/src/tests/config/disabled_functions_drop_include.ini @@ -0,0 +1,4 @@ +sp.disable_function.function("require_once").value_r("\.ico$").drop(); +sp.disable_function.function("include_once").value_r("\.ico$").drop(); +sp.disable_function.function("require").value_r("\.ico$").drop(); +sp.disable_function.function("include").value_r("\.ico$").drop(); diff --git a/src/tests/config/disabled_functions_drop_include_simulation.ini b/src/tests/config/disabled_functions_drop_include_simulation.ini new file mode 100644 index 0000000..4064da1 --- /dev/null +++ b/src/tests/config/disabled_functions_drop_include_simulation.ini @@ -0,0 +1,4 @@ +sp.disable_function.function("require_once").value_r("\.ico$").drop().simulation(); +sp.disable_function.function("include_once").value_r("\.ico$").drop().simulation(); +sp.disable_function.function("require").value_r("\.ico$").drop().simulation(); +sp.disable_function.function("include").value_r("\.ico$").drop().simulation(); diff --git a/src/tests/disabled_functions_drop_include.phpt b/src/tests/disabled_functions_drop_include.phpt new file mode 100644 index 0000000..e18dd73 --- /dev/null +++ b/src/tests/disabled_functions_drop_include.phpt 
@@ -0,0 +1,28 @@ +--TEST-- +Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_drop_include.ini +--FILE-- + +EOD; + +file_put_contents("$dir/test_include.php", $code); + +include "$dir/test_include.php"; + +echo $test; + +?> + +--EXPECTF-- +testOK diff --git a/src/tests/disabled_functions_drop_include_simulation.phpt b/src/tests/disabled_functions_drop_include_simulation.phpt new file mode 100644 index 0000000..07c3e98 --- /dev/null +++ b/src/tests/disabled_functions_drop_include_simulation.phpt @@ -0,0 +1,28 @@ +--TEST-- +Disable function, bug : https://github.com/nbs-system/snuffleupagus/issues/181 +--SKIPIF-- + +--INI-- +sp.configuration_file={PWD}/config/disabled_functions_drop_include_simulation.ini +--FILE-- + +EOD; + +file_put_contents("$dir/test_include.php", $code); + +include "$dir/test_include.php"; + +echo $test; + +?> + +--EXPECTF-- +testOK -- cgit v1.3
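Review bot: Both new .phpt files (drop and simulation) only exercise the path where the rule must not fire: the included file is `test_include.php`, the filter is `value_r("\.ico$")`, and the expected output is `testOK` in both variants. Nothing here asserts that an include whose path does end in `.ico` is actually dropped, or logged in simulation mode, so a regression in which the new value check never matches would still pass. Consider adding a case that includes a `.ico` path and expects the drop or simulation message, unless an existing test already covers it. As far as the visible part of the scripts shows, `$dir/test_include.php` is also left behind after the run; a `--CLEAN--` section with an `unlink` would tidy that.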