Fixed possible injections against pg_insert()/pg_delete()/pg_update()/pg_select()
authorYasuo Ohgaki <yohgaki@php.net>
Sun, 16 Feb 2014 01:45:15 +0000 (10:45 +0900)
committerYasuo Ohgaki <yohgaki@php.net>
Sun, 16 Feb 2014 01:45:15 +0000 (10:45 +0900)
NEWS
ext/pgsql/pgsql.c

diff --git a/NEWS b/NEWS
index 4277e806ca51286adf9beb84d1be4bfa7d78cecd..5069cc7a983e1786af5b34524be5f2b202d5bbdf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,8 +11,8 @@ PHP                                                                        NEWS
   (Mark Zedwood)
 
 - Pgsql:
-  . Added warning for dangerous client encoding with pg_insert()/pg_update()
-    pg_delete()/pg_select(). (Yasuo)
+  . Added warning for dangerous client encoding and remove possible injections
+    for pg_insert()/pg_update()/pg_delete()/pg_select(). (Yasuo)
 
 ?? ??? 2014, PHP 5.4.25
 
index e6f6a6b674b33212fcb3797cdcab8b3272c7f877..c91677c9612e1f8c3e53c7cfb963f088c398904a 100644 (file)
@@ -5309,12 +5309,22 @@ static php_pgsql_data_type php_pgsql_get_data_type(const char *type_name, size_t
 /* {{{ php_pgsql_convert_match
  * test field value with regular expression specified.
  */
-static int php_pgsql_convert_match(const char *str, const char *regex , int icase TSRMLS_DC)
+static int php_pgsql_convert_match(const char *str, size_t str_len, const char *regex , int icase TSRMLS_DC)
 {
        regex_t re;
        regmatch_t *subs;
        int regopt = REG_EXTENDED;
        int regerr, ret = SUCCESS;
+       int i;
+
+       /* Check invalid chars for POSIX regex */
+       for (i = 0; i < str_len; i++) {
+               if (str[i] == '\n' ||
+                       str[i] == '\r' ||
+                       str[i] == '\0' ) {
+                       return FAILURE;
+               }
+       }
 
        if (icase) {
                regopt |= REG_ICASE;
@@ -5538,7 +5548,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([+-]{0,1}[0-9]+)$", 0 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([+-]{0,1}[0-9]+)$", 0 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
@@ -5580,7 +5590,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*)$", 0 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*)$", 0 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
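Review bot: The `^` and `$` in the numeric pattern on the new line bind only to the first and last alternative, because `|` has the lowest precedence in POSIX ERE, so the first branch accepts any value that merely starts with a number and the middle branch `([+-]{0,1}[0-9]*[\\.][0-9]+)` matches a substring anywhere in the value; the check therefore passes values that are not purely numeric, which is what the adjacent FIXME already warns about. Wrap the alternation so both anchors apply to every branch: `"^(([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*))$"`. The commit only adds the length argument here; the pattern itself predates it, and php_pgsql_convert's body starts and ends outside this hunk.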
@@ -5665,7 +5675,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: Better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^[0-9]+$", 0 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^[0-9]+$", 0 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
@@ -5706,7 +5716,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: Better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/[0-9]{1,2}){0,1}$", 0 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/[0-9]{1,2}){0,1}$", 0 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
@@ -5740,7 +5750,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                        ZVAL_STRINGL(new_val, "NOW()", sizeof("NOW()")-1, 1);
                                                } else {
                                                        /* FIXME: better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})([ \\t]+(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}(\\.[0-9]+){0,1}([ \\t]*([+-][0-9]{1,4}(:[0-9]{1,2}){0,1}|[-a-zA-Z_/+]{1,50})){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})([ \\t]+(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}(\\.[0-9]+){0,1}([ \\t]*([+-][0-9]{1,4}(:[0-9]{1,2}){0,1}|[-a-zA-Z_/+]{1,50})){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        } else {
                                                                ZVAL_STRING(new_val, Z_STRVAL_PP(val), 1);
@@ -5770,7 +5780,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})$", 1 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})$", 1 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
@@ -5801,7 +5811,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                }
                                                else {
                                                        /* FIXME: better regex must be used */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {
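Review bot: The time pattern on the new line has four closing parentheses but only three opening ones — the `)` immediately before `{0,1}$` is unmatched. Whether regcomp() rejects this with REG_EPAREN or treats the stray `)` as an ordinary character (so that `{0,1}` then applies to a literal `)`) depends on the regex implementation, meaning the check either fails every time value or silently accepts a trailing `)`. Drop the extra parenthesis: `"^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}){0,1}$"`. The commit only adds the length argument here; the pattern predates it, and php_pgsql_convert's body starts and ends outside this hunk.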
@@ -5848,7 +5858,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                           unit markings. For example, '1 12:59:10' is read the same as '1 day 12 hours 59 min 10
                                                           sec'.
                                                        */
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val),
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val),
                                                                                                                "^(@?[ \\t]+)?("
 
                                                                                                                /* Textual time units and their abbreviations: */
@@ -5963,7 +5973,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
                                                        ZVAL_STRING(new_val, "NULL", 1);
                                                }
                                                else {
-                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9a-f]{2,2}:){5,5}[0-9a-f]{2,2}$", 1 TSRMLS_CC) == FAILURE) {
+                                                       if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9a-f]{2,2}:){5,5}[0-9a-f]{2,2}$", 1 TSRMLS_CC) == FAILURE) {
                                                                err = 1;
                                                        }
                                                        else {