tony2001                Tue May 22 14:32:40 2007 UTC

  Added files:                 
    /php-src/ext/standard/tests/general_functions       import_request1.phpt 
                                                        import_request2.phpt 
                                                        import_request3.phpt 

  Modified files:              
    /php-src/ext/standard       basic_functions.c php_var.h 
  Log:
  improve variable name checks
  add more tests
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.857&r2=1.858&diff_format=u
Index: php-src/ext/standard/basic_functions.c
diff -u php-src/ext/standard/basic_functions.c:1.857 
php-src/ext/standard/basic_functions.c:1.858
--- php-src/ext/standard/basic_functions.c:1.857        Fri May 18 12:15:01 2007
+++ php-src/ext/standard/basic_functions.c      Tue May 22 14:32:39 2007
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: basic_functions.c,v 1.857 2007/05/18 12:15:01 rasmus Exp $ */
+/* $Id: basic_functions.c,v 1.858 2007/05/22 14:32:39 tony2001 Exp $ */
 
 #include "php.h"
 #include "php_streams.h"
@@ -6321,16 +6321,10 @@
        prefix = va_arg(args, zval *);
        prefix_len = Z_UNILEN_P(prefix);
 
-       if (!prefix_len) {
-               if (!hash_key->nKeyLength) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric 
key detected - possible security hazard");
-                       return 0;
-               } else if (hash_key->nKeyLength == sizeof("GLOBALS") &&
-                          ZEND_U_EQUAL(hash_key->type, hash_key->arKey, 
hash_key->nKeyLength-1, "GLOBALS", sizeof("GLOBALS")-1)) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite");
-                       return 0; 
-               }
-       }
+       if (!prefix_len && !hash_key->nKeyLength) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key 
detected - possible security hazard");
+               return 0;
+       } 
 
        if (hash_key->nKeyLength) {
                php_prefix_varname(&new_key, prefix, hash_key->arKey, 
hash_key->nKeyLength-1, hash_key->type, 0 TSRMLS_CC);
@@ -6342,6 +6336,11 @@
                zval_dtor(&num);
        }
 
+       if (php_varname_check(Z_TYPE(new_key), Z_UNIVAL(new_key), 
Z_UNILEN(new_key), 0 TSRMLS_CC) == FAILURE) {
+               zval_dtor(&new_key);
+               return 0;
+       }
+
        zend_u_delete_global_variable(Z_TYPE(new_key), Z_UNIVAL(new_key), 
Z_UNILEN(new_key) TSRMLS_CC);
        ZEND_U_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), Z_TYPE(new_key), 
Z_UNIVAL(new_key), Z_UNILEN(new_key) + 1, *var, (*var)->refcount+1, 0);
 
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_var.h?r1=1.37&r2=1.38&diff_format=u
Index: php-src/ext/standard/php_var.h
diff -u php-src/ext/standard/php_var.h:1.37 php-src/ext/standard/php_var.h:1.38
--- php-src/ext/standard/php_var.h:1.37 Mon Jan  1 09:29:32 2007
+++ php-src/ext/standard/php_var.h      Tue May 22 14:32:39 2007
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_var.h,v 1.37 2007/01/01 09:29:32 sebastian Exp $ */
+/* $Id: php_var.h,v 1.38 2007/05/22 14:32:39 tony2001 Exp $ */
 
 #ifndef PHP_VAR_H
 #define PHP_VAR_H
@@ -68,4 +68,101 @@
        
 PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len);
 
+static inline int php_varname_check_string(char * name, int name_len, 
zend_bool silent TSRMLS_DC) /* {{{ */
+{
+       if (name_len == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", 
sizeof("GLOBALS")-1)) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite");
+               }
+               return FAILURE;
+       } else if (name[0] == '_' &&
+                               (
+                                (name_len == sizeof("_GET")-1 && !memcmp(name, 
"_GET", sizeof("_GET"))) ||
+                                (name_len == sizeof("_POST")-1 && 
!memcmp(name, "_POST", sizeof("_POST"))) ||
+                                (name_len == sizeof("_COOKIE")-1 && 
!memcmp(name, "_COOKIE", sizeof("_COOKIE"))) ||
+                                (name_len == sizeof("_ENV")-1 && !memcmp(name, 
"_ENV", sizeof("_ENV"))) ||
+                                (name_len == sizeof("_SERVER")-1 && 
!memcmp(name, "_SERVER", sizeof("_SERVER"))) ||
+                                (name_len == sizeof("_SESSION")-1 && 
!memcmp(name, "_SESSION", sizeof("_SESSION"))) ||
+                                (name_len == sizeof("_FILES")-1 && 
!memcmp(name, "_FILES", sizeof("_FILES"))) ||
+                                (name_len == sizeof("_REQUEST")-1 && 
!memcmp(name, "_REQUEST", sizeof("_REQUEST")))
+                               )
+                  ) {
+                       if (!silent) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Attempted super-global (%s) variable overwrite", name);
+                       }
+                       return FAILURE;
+       } else if (name[0] == 'H' &&
+                       (
+                        (name_len == sizeof("HTTP_POST_VARS")-1 && 
!memcmp(name, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) ||
+                        (name_len == sizeof("HTTP_GET_VARS")-1 && 
!memcmp(name, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) ||
+                        (name_len == sizeof("HTTP_COOKIE_VARS")-1 && 
!memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) ||
+                        (name_len == sizeof("HTTP_ENV_VARS")-1 && 
!memcmp(name, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) ||
+                        (name_len == sizeof("HTTP_SESSION_VARS")-1 && 
!memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) ||
+                        (name_len == sizeof("HTTP_SERVER_VARS")-1 && 
!memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) ||
+                        (name_len == sizeof("HTTP_RAW_POST_DATA")-1 && 
!memcmp(name, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) ||
+                        (name_len == sizeof("HTTP_POST_VARS")-1 && 
!memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")))
+                       )
+                       ) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
long input array (%s) overwrite", name);
+               }
+               return FAILURE;
+       }
+       return SUCCESS;
+}
+/* }}} */
+
+static inline int php_varname_check_unicode(UChar *name, int name_len, 
zend_bool silent TSRMLS_DC) /* {{{ */
+{
+       if (name_len == sizeof("GLOBALS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "GLOBALS", sizeof("GLOBALS")-1)) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite");
+               }
+               return FAILURE;
+       } else if (name[0] == 0x5f /* '_' */ &&
+                       (
+                        (name_len == sizeof("_GET")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_GET", sizeof("_GET")-1)) ||
+                        (name_len == sizeof("_POST")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_POST", sizeof("_POST")-1)) ||
+                        (name_len == sizeof("_COOKIE")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_COOKIE", sizeof("_COOKIE")-1)) 
||
+                        (name_len == sizeof("_ENV")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_ENV", sizeof("_ENV")-1)) ||
+                        (name_len == sizeof("_SERVER")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_SERVER", sizeof("_SERVER")-1)) 
||
+                        (name_len == sizeof("_SESSION")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_SESSION", 
sizeof("_SESSION")-1)) ||
+                        (name_len == sizeof("_FILES")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_FILES", sizeof("_FILES")-1)) ||
+                        (name_len == sizeof("_REQUEST")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "_REQUEST", sizeof("_REQUEST")-1))
+                       )
+                       ) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
super-global (%r) variable overwrite", name);
+               }
+               return FAILURE;
+       } else if (name[0] == 0x48 /* 'H' */ &&
+                       (
+                        (name_len == sizeof("HTTP_POST_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_VARS", 
sizeof("HTTP_POST_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_GET_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_GET_VARS", 
sizeof("HTTP_GET_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_COOKIE_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_COOKIE_VARS", 
sizeof("HTTP_COOKIE_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_ENV_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_ENV_VARS", 
sizeof("HTTP_ENV_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_SESSION_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_SESSION_VARS", 
sizeof("HTTP_SESSION_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_SERVER_VARS")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_SERVER_VARS", 
sizeof("HTTP_SERVER_VARS")-1)) ||
+                        (name_len == sizeof("HTTP_RAW_POST_DATA")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_RAW_POST_DATA", 
sizeof("HTTP_RAW_POST_DATA")-1)) ||
+                        (name_len == sizeof("HTTP_POST_FILES")-1 && 
!zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_FILES", 
sizeof("HTTP_POST_FILES")-1))
+                       )
+                       ) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
long input array (%r) overwrite", name);
+               }
+               return FAILURE;
+       }
+       return SUCCESS;
+}
+/* }}} */
+
+static inline int php_varname_check(zend_uchar type, zstr name, int name_len, 
zend_bool silent TSRMLS_DC) /* {{{ */
+{
+       if (type == IS_UNICODE) {
+               return php_varname_check_unicode(name.u, name_len, silent 
TSRMLS_CC);
+       }
+       return php_varname_check_string(name.s, name_len, silent TSRMLS_CC);
+}
+/* }}} */
+
 #endif /* PHP_VAR_H */

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request1.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/general_functions/import_request1.phpt
+++ php-src/ext/standard/tests/general_functions/import_request1.phpt
--TEST--
import_request_variables() test (overwrite super-globals)
--GET--
GET=0&POST=1&COOKIE=2&FILES=3&REQUEST=4
--POST--
GET=5&POST=6&COOKIE=7&FILES=8&REQUEST=9
--COOKIE--
GET=10;POST=11;COOKIE=12;FILES=13;REQUEST=14
--INI--
variables_order=CGP
--FILE--
<?php

import_request_variables("gpc", "_");
var_dump($_GET, $_POST, $_COOKIE, $_FILES, $_REQUEST);

echo "Done\n";
?>
--EXPECTF--
Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d
array(5) {
  ["GET"]=>
  string(1) "0"
  ["POST"]=>
  string(1) "1"
  ["COOKIE"]=>
  string(1) "2"
  ["FILES"]=>
  string(1) "3"
  ["REQUEST"]=>
  string(1) "4"
}
array(5) {
  ["GET"]=>
  string(1) "5"
  ["POST"]=>
  string(1) "6"
  ["COOKIE"]=>
  string(1) "7"
  ["FILES"]=>
  string(1) "8"
  ["REQUEST"]=>
  string(1) "9"
}
array(5) {
  ["GET"]=>
  string(2) "10"
  ["POST"]=>
  string(2) "11"
  ["COOKIE"]=>
  string(2) "12"
  ["FILES"]=>
  string(2) "13"
  ["REQUEST"]=>
  string(2) "14"
}
array(0) {
}
array(5) {
  ["GET"]=>
  string(1) "5"
  ["POST"]=>
  string(1) "6"
  ["COOKIE"]=>
  string(1) "7"
  ["FILES"]=>
  string(1) "8"
  ["REQUEST"]=>
  string(1) "9"
}
Done
--UEXPECTF--
Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_GET) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_POST) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_COOKIE) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_FILES) variable 
overwrite in %s on line %d

Warning: import_request_variables(): Attempted super-global (_REQUEST) variable 
overwrite in %s on line %d
array(5) {
  [u"GET"]=>
  unicode(1) "0"
  [u"POST"]=>
  unicode(1) "1"
  [u"COOKIE"]=>
  unicode(1) "2"
  [u"FILES"]=>
  unicode(1) "3"
  [u"REQUEST"]=>
  unicode(1) "4"
}
array(5) {
  [u"GET"]=>
  unicode(1) "5"
  [u"POST"]=>
  unicode(1) "6"
  [u"COOKIE"]=>
  unicode(1) "7"
  [u"FILES"]=>
  unicode(1) "8"
  [u"REQUEST"]=>
  unicode(1) "9"
}
array(5) {
  [u"GET"]=>
  unicode(2) "10"
  [u"POST"]=>
  unicode(2) "11"
  [u"COOKIE"]=>
  unicode(2) "12"
  [u"FILES"]=>
  unicode(2) "13"
  [u"REQUEST"]=>
  unicode(2) "14"
}
array(0) {
}
array(5) {
  [u"GET"]=>
  unicode(1) "5"
  [u"POST"]=>
  unicode(1) "6"
  [u"COOKIE"]=>
  unicode(1) "7"
  [u"FILES"]=>
  unicode(1) "8"
  [u"REQUEST"]=>
  unicode(1) "9"
}
Done

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request2.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/general_functions/import_request2.phpt
+++ php-src/ext/standard/tests/general_functions/import_request2.phpt
--TEST--
import_request_variables() test (numeric keys)
--GET--
1=0&2=1&3=2&4=3&5=4
--POST--
1=5&2=6&3=7&4=8&5=9
--COOKIE--
1=10;2=11;3=12;4=13;5=14
--INI--
variables_order=CGP
--FILE--
<?php

import_request_variables("gpc", "_");
var_dump($_1, $_2, $_3, $_4, $_5);

echo "Done\n";
?>
--EXPECTF--
string(2) "10"
string(2) "11"
string(2) "12"
string(2) "13"
string(2) "14"
Done
--UEXPECTF--
unicode(2) "10"
unicode(2) "11"
unicode(2) "12"
unicode(2) "13"
unicode(2) "14"
Done

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/general_functions/import_request3.phpt?view=markup&rev=1.1
Index: php-src/ext/standard/tests/general_functions/import_request3.phpt
+++ php-src/ext/standard/tests/general_functions/import_request3.phpt
--TEST--
import_request_variables() test (numeric keys, different order)
--GET--
1=0&2=1&3=2&4=3&5=4
--POST--
1=5&2=6&3=7&4=8&5=9
--COOKIE--
1=10;2=11;3=12;4=13;5=14
--INI--
variables_order=CGP
--FILE--
<?php

import_request_variables("gcp", "_");
var_dump($_1, $_2, $_3, $_4, $_5);

echo "Done\n";
?>
--EXPECTF--
string(1) "5"
string(1) "6"
string(1) "7"
string(1) "8"
string(1) "9"
Done
--UEXPECTF--
unicode(1) "5"
unicode(1) "6"
unicode(1) "7"
unicode(1) "8"
unicode(1) "9"
Done

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to