tony2001 Tue May 22 14:32:40 2007 UTC Added files: /php-src/ext/standard/tests/general_functions import_request1.phpt import_request2.phpt import_request3.phpt
Modified files: /php-src/ext/standard basic_functions.c php_var.h Log: improve variable name checks; add more tests
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.857&r2=1.858&diff_format=u Index: php-src/ext/standard/basic_functions.c diff -u php-src/ext/standard/basic_functions.c:1.857 php-src/ext/standard/basic_functions.c:1.858 --- php-src/ext/standard/basic_functions.c:1.857 Fri May 18 12:15:01 2007 +++ php-src/ext/standard/basic_functions.c Tue May 22 14:32:39 2007 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: basic_functions.c,v 1.857 2007/05/18 12:15:01 rasmus Exp $ */ +/* $Id: basic_functions.c,v 1.858 2007/05/22 14:32:39 tony2001 Exp $ */ #include "php.h" #include "php_streams.h" @@ -6321,16 +6321,10 @@ prefix = va_arg(args, zval *); prefix_len = Z_UNILEN_P(prefix); - if (!prefix_len) { - if (!hash_key->nKeyLength) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard"); - return 0; - } else if (hash_key->nKeyLength == sizeof("GLOBALS") && - ZEND_U_EQUAL(hash_key->type, hash_key->arKey, hash_key->nKeyLength-1, "GLOBALS", sizeof("GLOBALS")-1)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); - return 0; - } - } + if (!prefix_len && !hash_key->nKeyLength) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard"); + return 0; + } if (hash_key->nKeyLength) { php_prefix_varname(&new_key, prefix, hash_key->arKey, hash_key->nKeyLength-1, hash_key->type, 0 TSRMLS_CC); 
@@ -6342,6 +6336,11 @@ zval_dtor(&num); } + if (php_varname_check(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key), 0 TSRMLS_CC) == FAILURE) { + zval_dtor(&new_key); + return 0; + } + zend_u_delete_global_variable(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) TSRMLS_CC); ZEND_U_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) + 1, *var, (*var)->refcount+1, 0); http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_var.h?r1=1.37&r2=1.38&diff_format=u Index: php-src/ext/standard/php_var.h diff -u php-src/ext/standard/php_var.h:1.37 php-src/ext/standard/php_var.h:1.38 --- php-src/ext/standard/php_var.h:1.37 Mon Jan 1 09:29:32 2007 +++ php-src/ext/standard/php_var.h Tue May 22 14:32:39 2007 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php_var.h,v 1.37 2007/01/01 09:29:32 sebastian Exp $ */ +/* $Id: php_var.h,v 1.38 2007/05/22 14:32:39 tony2001 Exp $ */ #ifndef PHP_VAR_H #define PHP_VAR_H 
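Review bot: The added `php_varname_check(...)` call has no comment saying that it runs on the final, prefixed name, or that the literal `0` is the `silent` flag declared in php_var.h. A one-line comment above the `if`, such as `/* refuse to replace GLOBALS, super-globals and long input arrays; 0 = emit the warning */`, would make both visible at the call site. The rejected path returns `0` after `zval_dtor(&new_key)`, so the name is skipped rather than imported. The function's start and end are outside this hunk, so whether that return value matches the normal path cannot be confirmed from here.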
@@ -68,4 +68,101 @@ PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len); +static inline int php_varname_check_string(char * name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (name_len == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS")-1)) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); + } + return FAILURE; + } else if (name[0] == '_' && + ( + (name_len == sizeof("_GET")-1 && !memcmp(name, "_GET", sizeof("_GET"))) || + (name_len == sizeof("_POST")-1 && !memcmp(name, "_POST", sizeof("_POST"))) || + (name_len == sizeof("_COOKIE")-1 && !memcmp(name, "_COOKIE", sizeof("_COOKIE"))) || + (name_len == sizeof("_ENV")-1 && !memcmp(name, "_ENV", sizeof("_ENV"))) || + (name_len == sizeof("_SERVER")-1 && !memcmp(name, "_SERVER", sizeof("_SERVER"))) || + (name_len == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION"))) || + (name_len == sizeof("_FILES")-1 && !memcmp(name, "_FILES", sizeof("_FILES"))) || + (name_len == sizeof("_REQUEST")-1 && !memcmp(name, "_REQUEST", sizeof("_REQUEST"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%s) variable overwrite", name); + } + return FAILURE; + } else if (name[0] == 'H' && + ( + (name_len == sizeof("HTTP_POST_VARS")-1 && !memcmp(name, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) || + (name_len == sizeof("HTTP_GET_VARS")-1 && !memcmp(name, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) || + (name_len == sizeof("HTTP_COOKIE_VARS")-1 && !memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) || + (name_len == sizeof("HTTP_ENV_VARS")-1 && !memcmp(name, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) || + (name_len == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) || + (name_len == sizeof("HTTP_SERVER_VARS")-1 && !memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) || + (name_len == 
sizeof("HTTP_RAW_POST_DATA")-1 && !memcmp(name, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) || + (name_len == sizeof("HTTP_POST_VARS")-1 && !memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%s) overwrite", name); + } + return FAILURE; + } + return SUCCESS; +} +/* }}} */ + +static inline int php_varname_check_unicode(UChar *name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (name_len == sizeof("GLOBALS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "GLOBALS", sizeof("GLOBALS")-1)) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); + } + return FAILURE; + } else if (name[0] == 0x5f /* '_' */ && + ( + (name_len == sizeof("_GET")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_GET", sizeof("_GET")-1)) || + (name_len == sizeof("_POST")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_POST", sizeof("_POST")-1)) || + (name_len == sizeof("_COOKIE")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_COOKIE", sizeof("_COOKIE")-1)) || + (name_len == sizeof("_ENV")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_ENV", sizeof("_ENV")-1)) || + (name_len == sizeof("_SERVER")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_SERVER", sizeof("_SERVER")-1)) || + (name_len == sizeof("_SESSION")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_SESSION", sizeof("_SESSION")-1)) || + (name_len == sizeof("_FILES")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_FILES", sizeof("_FILES")-1)) || + (name_len == sizeof("_REQUEST")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_REQUEST", sizeof("_REQUEST")-1)) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%r) variable overwrite", name); + } + return FAILURE; + } else if (name[0] == 0x48 /* 'H' */ && + ( + (name_len == sizeof("HTTP_POST_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")-1)) || + (name_len == sizeof("HTTP_GET_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")-1)) || + (name_len == sizeof("HTTP_COOKIE_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS")-1)) || + (name_len == sizeof("HTTP_ENV_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS")-1)) || + (name_len == sizeof("HTTP_SESSION_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) || + (name_len == sizeof("HTTP_SERVER_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS")-1)) || + (name_len == sizeof("HTTP_RAW_POST_DATA")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")-1)) || + (name_len == sizeof("HTTP_POST_FILES")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")-1)) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%r) overwrite", name); + } + return FAILURE; + } + return SUCCESS; +} +/* }}} */ + +static inline int php_varname_check(zend_uchar type, zstr name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (type == IS_UNICODE) { + return php_varname_check_unicode(name.u, name_len, silent TSRMLS_CC); + } + return php_varname_check_string(name.s, name_len, silent TSRMLS_CC); +} +/* }}} */ + #endif /* PHP_VAR_H */ http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request1.phpt?view=markup&rev=1.1 Index: php-src/ext/standard/tests/general_functions/import_request1.phpt +++ php-src/ext/standard/tests/general_functions/import_request1.phpt --TEST-- import_request_variables() test (overwrite super-globals) --GET-- 
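Review bot: The last alternative of the `H` group in `php_varname_check_string` tests `name_len == sizeof("HTTP_POST_VARS")-1` but then compares against `"HTTP_POST_FILES"`, so the lengths disagree and the branch can never match. As a result `HTTP_POST_FILES` is not rejected for non-unicode names, while `php_varname_check_unicode` uses the right length. The line should read `(name_len == sizeof("HTTP_POST_FILES")-1 && !memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")-1))`. The other `memcmp` calls in the `_` and `H` groups also pass `sizeof(...)` without `-1`, unlike the `GLOBALS` check, so they compare one byte beyond `name_len` and depend on `name` being NUL-terminated; with the length already matched, `sizeof(...)-1` is enough. Both functions also read `name[0]` without looking at `name_len`, which is safe only if callers never pass an empty name.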
GET=0&POST=1&COOKIE=2&FILES=3&REQUEST=4 --POST-- GET=5&POST=6&COOKIE=7&FILES=8&REQUEST=9 --COOKIE-- GET=10;POST=11;COOKIE=12;FILES=13;REQUEST=14 --INI-- variables_order=CGP --FILE-- <?php import_request_variables("gpc", "_"); var_dump($_GET, $_POST, $_COOKIE, $_FILES, $_REQUEST); echo "Done\n"; ?> --EXPECTF-- Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d array(5) { ["GET"]=> string(1) "0" ["POST"]=> string(1) "1" ["COOKIE"]=> string(1) "2" ["FILES"]=> string(1) "3" 
["REQUEST"]=> string(1) "4" } array(5) { ["GET"]=> string(1) "5" ["POST"]=> string(1) "6" ["COOKIE"]=> string(1) "7" ["FILES"]=> string(1) "8" ["REQUEST"]=> string(1) "9" } array(5) { ["GET"]=> string(2) "10" ["POST"]=> string(2) "11" ["COOKIE"]=> string(2) "12" ["FILES"]=> string(2) "13" ["REQUEST"]=> string(2) "14" } array(0) { } array(5) { ["GET"]=> string(1) "5" ["POST"]=> string(1) "6" ["COOKIE"]=> string(1) "7" ["FILES"]=> string(1) "8" ["REQUEST"]=> string(1) "9" } Done --UEXPECTF-- Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d Warning: import_request_variables(): 
Attempted super-global (_REQUEST) variable overwrite in %s on line %d array(5) { [u"GET"]=> unicode(1) "0" [u"POST"]=> unicode(1) "1" [u"COOKIE"]=> unicode(1) "2" [u"FILES"]=> unicode(1) "3" [u"REQUEST"]=> unicode(1) "4" } array(5) { [u"GET"]=> unicode(1) "5" [u"POST"]=> unicode(1) "6" [u"COOKIE"]=> unicode(1) "7" [u"FILES"]=> unicode(1) "8" [u"REQUEST"]=> unicode(1) "9" } array(5) { [u"GET"]=> unicode(2) "10" [u"POST"]=> unicode(2) "11" [u"COOKIE"]=> unicode(2) "12" [u"FILES"]=> unicode(2) "13" [u"REQUEST"]=> unicode(2) "14" } array(0) { } array(5) { [u"GET"]=> unicode(1) "5" [u"POST"]=> unicode(1) "6" [u"COOKIE"]=> unicode(1) "7" [u"FILES"]=> unicode(1) "8" [u"REQUEST"]=> unicode(1) "9" } Done http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request2.phpt?view=markup&rev=1.1 Index: php-src/ext/standard/tests/general_functions/import_request2.phpt +++ php-src/ext/standard/tests/general_functions/import_request2.phpt --TEST-- import_request_variables() test (numeric keys) --GET-- 1=0&2=1&3=2&4=3&5=4 --POST-- 1=5&2=6&3=7&4=8&5=9 --COOKIE-- 1=10;2=11;3=12;4=13;5=14 --INI-- variables_order=CGP --FILE-- <?php import_request_variables("gpc", "_"); var_dump($_1, $_2, $_3, $_4, $_5); echo "Done\n"; ?> --EXPECTF-- string(2) "10" string(2) "11" string(2) "12" string(2) "13" string(2) "14" Done --UEXPECTF-- unicode(2) "10" unicode(2) "11" unicode(2) "12" unicode(2) "13" unicode(2) "14" Done http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request3.phpt?view=markup&rev=1.1 Index: php-src/ext/standard/tests/general_functions/import_request3.phpt +++ php-src/ext/standard/tests/general_functions/import_request3.phpt --TEST-- import_request_variables() test (numeric keys, different order) --GET-- 1=0&2=1&3=2&4=3&5=4 --POST-- 1=5&2=6&3=7&4=8&5=9 --COOKIE-- 1=10;2=11;3=12;4=13;5=14 --INI-- variables_order=CGP --FILE-- <?php import_request_variables("gcp", "_"); var_dump($_1, $_2, $_3, $_4, $_5); echo "Done\n"; ?> 
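Review bot: The three added tests exercise only the `_`-prefixed super-global names and prefixed numeric keys. Nothing covers `GLOBALS`, the `HTTP_*` long input arrays, or the empty-prefix "Numeric key detected" warning that basic_functions.c keeps. A further .phpt that calls `import_request_variables("g", "HTTP_POST_")` with a `--GET--` section of `VARS=1&FILES=2`, and expects the "Attempted long input array" warning for both names, would cover the long-array branch of `php_varname_check_string` in non-unicode mode.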
--EXPECTF-- string(1) "5" string(1) "6" string(1) "7" string(1) "8" string(1) "9" Done --UEXPECTF-- unicode(1) "5" unicode(1) "6" unicode(1) "7" unicode(1) "8" unicode(1) "9" Done