1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
#include "php_snuffleupagus.h"
#include "rfc1867.h"
ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus);
#define EFREE_3(env) \
for (size_t i = 0; i < 4; i++) { \
efree(env[i]); \
}
void hook_upload() {
sp_rfc1867_orig_callback = php_rfc1867_callback;
php_rfc1867_callback = sp_rfc1867_callback;
}
int sp_rfc1867_callback(unsigned int event, void *event_data, void **extra) {
int retval = SUCCESS;
if (sp_rfc1867_orig_callback) {
retval = sp_rfc1867_orig_callback(event, event_data, extra);
}
if (event == MULTIPART_EVENT_END) {
zend_string *file_key __attribute__((unused)) = NULL;
zval *file;
pid_t pid;
sp_log_debug(
"Got %d files",
zend_hash_num_elements(Z_ARRVAL(PG(http_globals)[TRACK_VARS_FILES])));
ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL(PG(http_globals)[TRACK_VARS_FILES]),
file_key, file) { // for each uploaded file
char *filename =
Z_STRVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "name", 4));
char *tmp_name =
Z_STRVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "tmp_name", 8));
size_t filesize =
Z_LVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "size", 4));
char *cmd[3] = {0};
char *env[5] = {0};
sp_log_debug("Filename: %s\nTmpname: %s\nSize: %d\nError: %d\nScript: %s",
filename, tmp_name, filesize,
Z_LVAL_P(zend_hash_str_find(Z_ARRVAL_P(file), "error", 5)),
SNUFFLEUPAGUS_G(config).config_upload_validation->script);
cmd[0] = SNUFFLEUPAGUS_G(config).config_upload_validation->script;
cmd[1] = tmp_name;
cmd[2] = NULL;
spprintf(&env[0], 0, "SP_FILENAME=%s", filename);
spprintf(&env[1], 0, "SP_REMOTE_ADDR=%s", sp_getenv("REMOTE_ADDR"));
spprintf(&env[2], 0, "SP_CURRENT_FILE=%s",
zend_get_executed_filename(TSRMLS_C));
spprintf(&env[3], 0, "SP_FILESIZE=%zu", filesize);
env[4] = NULL;
if ((pid = fork()) == 0) {
if (execve(SNUFFLEUPAGUS_G(config).config_upload_validation->script,
cmd, env) == -1) {
sp_log_err("upload_validation", "Could not call '%s' : %s",
SNUFFLEUPAGUS_G(config).config_upload_validation->script,
strerror(errno));
EFREE_3(env);
exit(1);
}
} else if (pid == -1) {
sp_log_err("upload_validation", "Could not fork process : %s\n",
strerror(errno));
EFREE_3(env);
continue;
}
EFREE_3(env);
int waitstatus;
wait(&waitstatus);
if (WEXITSTATUS(waitstatus) != 0) { // Nope
char *uri = sp_getenv("REQUEST_URI");
int sim = SNUFFLEUPAGUS_G(config).config_upload_validation->simulation;
sp_log_msg("upload_valiation", sim?SP_LOG_SIMULATION:SP_LOG_DROP,
"The upload of %s on %s was rejected.", filename, uri?uri:"?");
if (!SNUFFLEUPAGUS_G(config).config_upload_validation->simulation) {
zend_bailout();
}
}
}
ZEND_HASH_FOREACH_END();
}
return retval;
}
|
