From f99a8cfbb711756a2c6520a52768f49d9a4380c4 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Thu, 18 Jan 2018 10:38:50 +0100 Subject: Improve the way we're dealing with filtering on parameter positions This should close #127 --- src/sp_disabled_functions.c | 6 +++--- src/tests/disabled_functions_param_pos.phpt | 2 +- src/tests/disabled_functions_pos_type.phpt | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c index f5051df..933b9af 100644 --- a/src/sp_disabled_functions.c +++ b/src/sp_disabled_functions.c @@ -117,12 +117,12 @@ static bool is_param_matching(zend_execute_data* execute_data, const char* builtin_param, const char** arg_name, const char* builtin_param_name, const char** arg_value_str) { - int nb_param = execute_data->func->common.num_args; + int nb_param = ZEND_CALL_NUM_ARGS(execute_data); int i = 0; zval* arg_value; if (config_node->pos != -1) { - if (config_node->pos <= nb_param) { + if (config_node->pos > nb_param - 1) { char* complete_function_path = get_complete_function_path(execute_data); sp_log_err("config", "It seems that you wrote a rule filtering on the " @@ -160,7 +160,7 @@ static bool is_param_matching(zend_execute_data* execute_data, /* This is the parameter name we're looking for. */ if (true == pcre_matching || config_node->pos != -1) { - arg_value = ZEND_CALL_VAR_NUM(execute_data, i); + arg_value = ZEND_CALL_ARG(execute_data, i + 1); if (config_node->param_type) { // Are we matching on the `type`? if (config_node->param_type == Z_TYPE_P(arg_value)) { diff --git a/src/tests/disabled_functions_param_pos.phpt b/src/tests/disabled_functions_param_pos.phpt index a1f8895..1654b5d 100644 --- a/src/tests/disabled_functions_param_pos.phpt +++ b/src/tests/disabled_functions_param_pos.phpt @@ -9,5 +9,5 @@ sp.configuration_file={PWD}/config/disabled_functions_pos.ini system("id"); ?> --EXPECTF-- -[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 0th argument of the function 'system', but it takes only 2 arguments. Matching on _all_ arguments instead. +[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 1337th argument of the function 'system', but it takes only 1 arguments. Matching on _all_ arguments instead. [snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/disabled_functions_param_pos.php:2 has been disabled, because its argument 'command' content (id) matched a rule. diff --git a/src/tests/disabled_functions_pos_type.phpt b/src/tests/disabled_functions_pos_type.phpt index 7556440..1197971 100644 --- a/src/tests/disabled_functions_pos_type.phpt +++ b/src/tests/disabled_functions_pos_type.phpt @@ -9,6 +9,6 @@ sp.configuration_file={PWD}/config/disabled_functions_pos.ini system([123, 456]); ?> --EXPECTF-- -[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 0th argument of the function 'system', but it takes only 2 arguments. Matching on _all_ arguments instead. -[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 1st argument of the function 'system', but it takes only 2 arguments. Matching on _all_ arguments instead. -[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/disabled_functions_pos_type.php:2 has been disabled, because its argument 'command' content (?) matched the rule '1'. +[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 1337th argument of the function 'system', but it takes only 1 arguments. Matching on _all_ arguments instead. +[snuffleupagus][0.0.0.0][config][error] It seems that you wrote a rule filtering on the 1st argument of the function 'system', but it takes only 1 arguments. Matching on _all_ arguments instead. +[snuffleupagus][0.0.0.0][disabled_function][drop] The call to the function 'system' in %a/tests/disabled_functions_pos_type.php:2 has been disabled, because its argument 'command' content (?) matched the rule '1'. -- cgit v1.3