From: Derick Rethans Date: Tue, 20 Sep 2005 15:01:42 +0000 (+0000) Subject: - Moved constants to private .h file X-Git-Tag: RELEASE_0_9_0~163 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bc0308b2e44013986a6e639a97b6d2b4648f30e3;p=php - Moved constants to private .h file - Added comments to filter stubs as per discussion with Ilia - Renamed regexp to validate_regexp filter - Added stubs for validate_url, validate_email and validate_ip filters. - Implemented "string" (stripped) filter ---
diff --git a/ext/filter/filter.c b/ext/filter/filter.c
index d032c9ebad..9974e6b8f5 100644
--- a/ext/filter/filter.c
+++ b/ext/filter/filter.c
@@ -27,44 +27,7 @@ ZEND_DECLARE_MODULE_GLOBALS(filter)
-#define FILTER_FLAG_NONE 0x0000
-
-#define FILTER_FLAG_ALLOW_OCTAL 0x0001
-#define FILTER_FLAG_ALLOW_HEX 0x0002
-
-#define FILTER_FLAG_STRIP_LOW 0x0004
-#define FILTER_FLAG_STRIP_HIGH 0x0008
-#define FILTER_FLAG_ENCODE_LOW 0x0010
-#define FILTER_FLAG_ENCODE_HIGH 0x0020
-#define FILTER_FLAG_ENCODE_AMP 0x0040
-#define FILTER_FLAG_EMPTY_STRING_NULL 0x0080
-
-#define FILTER_FLAG_ALLOW_SIGN 0x0100
-#define FILTER_FLAG_ALLOW_FRACTION 0x0200
-#define FILTER_FLAG_ALLOW_THOUSAND 0x0400
-
-#define FL_INT 0x0101
-#define FL_BOOLEAN 0x0102
-#define FL_FLOAT 0x0103
-#define FL_REGEXP 0x0104
-
-#define FL_ALL 0x0100
-
-#define FS_DEFAULT 0x0201
-
-#define FS_STRING 0x0201
-#define FS_ENCODED 0x0202
-#define FS_SPECIAL_CHARS 0x0203
-#define FS_UNSAFE_RAW 0x0204
-#define FS_EMAIL 0x0205
-#define FS_URL 0x0206
-#define FS_NUMBER_INT 0x0207
-#define FS_NUMBER_FLOAT 0x0208
-#define FS_MAGIC_QUOTES 0x0209
-
-#define FS_ALL 0x0200
-
-#define FC_CALLBACK 0x0400
+#include "filter_private.h"
 typedef struct filter_list_entry {
 char *name;
@@ -73,23 +36,27 @@ typedef struct filter_list_entry {
 } filter_list_entry;
 filter_list_entry filter_list[] = {
- { "int", FL_INT, php_filter_int },
- { "boolean", FL_BOOLEAN, php_filter_boolean },
- { "float", FL_FLOAT, php_filter_float },
- { "regexp", FL_REGEXP, php_filter_regexp },
-
- { "string", FS_STRING, php_filter_string },
- { "stripped", FS_STRING, php_filter_string },
- { "encoded", FS_ENCODED, php_filter_encoded },
- { "special_chars", FS_SPECIAL_CHARS, php_filter_special_chars },
- { "unsafe_raw", FS_UNSAFE_RAW, php_filter_unsafe_raw },
- { "email", FS_EMAIL, php_filter_email },
- { "url", FS_URL, php_filter_url },
- { "number_int", FS_NUMBER_INT, php_filter_number_int },
- { "number_float", FS_NUMBER_FLOAT, php_filter_number_float },
- { "magic_quotes", FS_MAGIC_QUOTES, php_filter_magic_quotes },
-
- { "callback", FC_CALLBACK, php_filter_callback },
+ { "int", FL_INT, php_filter_int },
+ { "boolean", FL_BOOLEAN, php_filter_boolean },
+ { "float", FL_FLOAT, php_filter_float },
+
+ { "validate_regexp", FL_REGEXP, php_filter_validate_regexp },
+ { "validate_url", FL_URL, php_filter_validate_url },
+ { "validate_email", FL_EMAIL, php_filter_validate_email },
+ { "validate_ip", FL_IP, php_filter_validate_url },
+
+ { "string", FS_STRING, php_filter_string },
+ { "stripped", FS_STRING, php_filter_string },
+ { "encoded", FS_ENCODED, php_filter_encoded },
+ { "special_chars", FS_SPECIAL_CHARS, php_filter_special_chars },
+ { "unsafe_raw", FS_UNSAFE_RAW, php_filter_unsafe_raw },
+ { "email", FS_EMAIL, php_filter_email },
+ { "url", FS_URL, php_filter_url },
+ { "number_int", FS_NUMBER_INT, php_filter_number_int },
+ { "number_float", FS_NUMBER_FLOAT, php_filter_number_float },
+ { "magic_quotes", FS_MAGIC_QUOTES, php_filter_magic_quotes },
+
+ { "callback", FC_CALLBACK, php_filter_callback },
 };
 #ifndef PARSE_ENV
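Review bot: The new `validate_ip` row binds the wrong handler — `{ "validate_ip", FL_IP, php_filter_validate_url }` — so a caller asking for IP validation runs the URL validator, while php_filter_validate_ip (declared in php_filter.h by this same commit) is never reachable from the table. Once the validators are implemented this would silently accept any well-formed URL as an "IP address", which is precisely the input confusion a validation layer exists to prevent. Change the entry to `{ "validate_ip", FL_IP, php_filter_validate_ip },` and add a test that filters a non-IP string with FL_IP so the table stays honest.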
@@ -198,7 +165,12 @@ PHP_MINIT_FUNCTION(filter)
 REGISTER_LONG_CONSTANT("FL_INT", FL_INT, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FL_BOOLEAN", FL_BOOLEAN, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FL_FLOAT", FL_FLOAT, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FL_REGEXP", FL_REGEXP, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FL_URL", FL_URL, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FL_EMAIL", FL_EMAIL, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FL_IP", FL_IP, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FS_DEFAULT", FS_DEFAULT, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FS_STRING", FS_STRING, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FS_STRIPPED", FS_STRING, CONST_CS | CONST_PERSISTENT);
@@ -220,6 +192,7 @@ PHP_MINIT_FUNCTION(filter)
 REGISTER_LONG_CONSTANT("FILTER_FLAG_ENCODE_LOW", FILTER_FLAG_ENCODE_LOW, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_FLAG_ENCODE_HIGH", FILTER_FLAG_ENCODE_HIGH, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_FLAG_ENCODE_AMP", FILTER_FLAG_ENCODE_AMP, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_ENCODE_QUOTES", FILTER_FLAG_NO_ENCODE_QUOTES, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_FLAG_EMPTY_STRING_NULL", FILTER_FLAG_EMPTY_STRING_NULL, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_FLAG_ALLOW_SIGN", FILTER_FLAG_ALLOW_SIGN, CONST_CS | CONST_PERSISTENT);
@@ -298,7 +271,7 @@ static void php_zval_filter(zval *value, long filter, long flags, zval *options,
 filter_func = php_find_filter(filter);
- if (filter_func.id) {
+ if (!filter_func.id) {
 /* Find default filter */
 filter_func = php_find_filter(FS_DEFAULT);
 }
diff --git a/ext/filter/filter_private.h b/ext/filter/filter_private.h
new file mode 100644
index 0000000000..58b9d18123
--- /dev/null
+++ b/ext/filter/filter_private.h
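Review bot: With the corrected `if (!filter_func.id)` test, an unknown filter id now silently falls back to FS_DEFAULT, i.e. the `string` sanitizer, so a caller that passes a misspelled or not-yet-wired validating id gets a stripped string back and no signal that the filter it asked for never ran. Because this is the dispatch point for untrusted input, I would at least raise a warning before the fallback, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown filter with ID %ld", filter);` immediately before `filter_func = php_find_filter(FS_DEFAULT);` (assuming php.h is in scope here, as it normally is in an extension), and document the choice with `/* unknown filter id: sanitize as string rather than pass the value through raw */`. php_zval_filter starts and ends outside this hunk, so I cannot see whether the caller already validates the id.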
@@ -0,0 +1,44 @@
+#define FILTER_FLAG_NONE 0x0000
+
+#define FILTER_FLAG_ALLOW_OCTAL 0x0001
+#define FILTER_FLAG_ALLOW_HEX 0x0002
+
+#define FILTER_FLAG_STRIP_LOW 0x0004
+#define FILTER_FLAG_STRIP_HIGH 0x0008
+#define FILTER_FLAG_ENCODE_LOW 0x0010
+#define FILTER_FLAG_ENCODE_HIGH 0x0020
+#define FILTER_FLAG_ENCODE_AMP 0x0040
+#define FILTER_FLAG_NO_ENCODE_QUOTES 0x0080
+#define FILTER_FLAG_EMPTY_STRING_NULL 0x0100
+
+#define FILTER_FLAG_ALLOW_SIGN 0x1000
+#define FILTER_FLAG_ALLOW_FRACTION 0x2000
+#define FILTER_FLAG_ALLOW_THOUSAND 0x4000
+
+#define FL_INT 0x0101
+#define FL_BOOLEAN 0x0102
+#define FL_FLOAT 0x0103
+
+#define FL_REGEXP 0x0110
+#define FL_URL 0x0111
+#define FL_EMAIL 0x0112
+#define FL_IP 0x0113
+
+#define FL_ALL 0x0100
+
+#define FS_DEFAULT 0x0201
+
+#define FS_STRING 0x0201
+#define FS_ENCODED 0x0202
+#define FS_SPECIAL_CHARS 0x0203
+#define FS_UNSAFE_RAW 0x0204
+#define FS_EMAIL 0x0205
+#define FS_URL 0x0206
+#define FS_NUMBER_INT 0x0207
+#define FS_NUMBER_FLOAT 0x0208
+#define FS_MAGIC_QUOTES 0x0209
+
+#define FS_ALL 0x0200
+
+#define FC_CALLBACK 0x0400
+
diff --git a/ext/filter/php_filter.h b/ext/filter/php_filter.h
index 97f50dac0e..c6b373d658 100644
--- a/ext/filter/php_filter.h
+++ b/ext/filter/php_filter.h
@@ -73,7 +73,10 @@ ZEND_END_MODULE_GLOBALS(filter)
 void php_filter_int(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_boolean(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL);
-void php_filter_regexp(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_validate_regexp(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_validate_email(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_validate_ip(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL);
diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index 198fabc8aa..faa033a3cd 100644
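Review bot: The new filter_private.h has no include guard even though it is now included from both filter.c and sanitizing_filters.c; identical macro redefinitions are legal today, but the guard is the convention and will matter the moment a typedef or static table is added here, so wrap the body in `#ifndef FILTER_PRIVATE_H` / `#define FILTER_PRIVATE_H` … `#endif`. Two value choices look deliberate but are unexplained and deserve a comment: `FS_DEFAULT` shares 0x0201 with `FS_STRING` (`/* FS_DEFAULT is an alias of FS_STRING: unknown filter ids sanitize as string */`), and the validate_* ids sit in their own 0x011x range apart from FL_INT..FL_FLOAT (`/* 0x011x: validate_* filters */`). Note also that the flag values differ from the copy removed from filter.c (FILTER_FLAG_EMPTY_STRING_NULL moved from 0x0080 to 0x0100 to make room for NO_ENCODE_QUOTES, and the ALLOW_* flags moved from 0x01xx to 0x1000..0x4000); that is harmless as long as the constants are only used by name, but it belongs in the commit message.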
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -17,24 +17,111 @@ */ #include "php_filter.h" +#include "filter_private.h" +#include "ext/standard/php_smart_str.h" -void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL) +static void php_filter_encode_html(zval *value, char* chars) { + register int x, y; + smart_str str = {0}; + int len = Z_STRLEN_P(value); + char *s = Z_STRVAL_P(value); + + for (x = 0, y = 0; len--; x++, y++) { + if (strchr(chars, s[x])) { + smart_str_appendl(&str, "&#", 2); + smart_str_append_long(&str, s[x]); + smart_str_appendc(&str, ';'); + } else { + smart_str_appendc(&str, s[x]); + } + } + smart_str_0(&str); efree(Z_STRVAL_P(value)); - Z_STRVAL_P(value) = estrdup("42"); - Z_STRLEN_P(value) = strlen("42"); - Z_TYPE_P(value) = IS_STRING; + Z_STRVAL_P(value) = str.c; + Z_STRLEN_P(value) = str.len; } -void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL) +static unsigned char hexchars[] = "0123456789ABCDEF"; + +static void php_filter_encode_url(zval *value, char* chars) { + register int x, y; + unsigned char *str; + int len = Z_STRLEN_P(value); + char *s = Z_STRVAL_P(value); + + str = (unsigned char *) safe_emalloc(3, len, 1); + for (x = 0, y = 0; len--; x++, y++) { + str[y] = (unsigned char) s[x]; + + if (strchr(chars, str[y])) { + str[y++] = '%'; + str[y++] = hexchars[(unsigned char) s[x] >> 4]; + str[y] = hexchars[(unsigned char) s[x] & 15]; + } + } + str[y] = '\0'; + efree(Z_STRVAL_P(value)); + Z_STRVAL_P(value) = str; + Z_STRLEN_P(value) = y; +} + +static void php_filter_strip(zval *value, long flags) +{ + unsigned char *buf, *str; + int i, c; + + /* Optimization for if no strip flags are set */ + if (! 
((flags & FILTER_FLAG_STRIP_LOW) || (flags & FILTER_FLAG_STRIP_HIGH)) ) { + return; + } + + str = Z_STRVAL_P(value); + buf = safe_emalloc(1, Z_STRLEN_P(value) + 1, 1); + c = 0; + for (i = 0; i < Z_STRLEN_P(value); i++) { + if ((str[i] > 127) && (flags & FILTER_FLAG_STRIP_HIGH)) { + } else if ((str[i] < 32) && (flags & FILTER_FLAG_STRIP_LOW)) { + } else { + buf[c] = str[i]; + ++c; + } + } + /* update zval string data */ + buf[c] = '\0'; efree(Z_STRVAL_P(value)); - Z_LVAL_P(value) = flags; - Z_TYPE_P(value) = IS_LONG; + Z_STRVAL_P(value) = buf; + Z_STRLEN_P(value) = c; +} + +void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL) +{ + size_t new_len; + + /* strip tags */ + new_len = php_strip_tags(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0); + Z_STRLEN_P(value) = new_len; + + if (! (flags & FILTER_FLAG_NO_ENCODE_QUOTES)) { + /* encode ' and " to numerical entity */ + php_filter_encode_html(value, "'\""); + } + /* strip high/strip low ( see flags )*/ + php_filter_strip(value, flags); +} + +void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL) +{ + /* urlencode */ + /* also all the flags - & encode as %xx */ } void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL) { + /* encodes ' " < > & \0 to numerical entities */ + /* if strip low is not set, then we encode them as %xx */ + /* encode_low doesn. tmake sense - update specs */ } void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL) 
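Review bot: In php_filter_string the `php_filter_strip(value, flags)` pass runs after `php_strip_tags(...)`, so bytes removed by STRIP_LOW/STRIP_HIGH can reassemble a tag the earlier pass did not see: if php_strip_tags keeps a `<` that is immediately followed by whitespace as literal text (as I recall the strip_tags state machine doing), `<\tb>` survives tag stripping and becomes `<b>` once the tab is removed. Move the `php_filter_strip(value, flags);` call to the top of php_filter_string, ahead of the php_strip_tags call, so the tag and quote passes see the input in its final form and a later pass can only shrink what they already cleaned. Separately, php_filter_encode_html leaves `Z_STRVAL_P(value)` NULL when its input is empty — as far as I remember php_smart_str.h, `smart_str str = {0}` only allocates on the first append and `smart_str_0` is a no-op on a NULL buffer — so a value that strip_tags reduced to nothing (e.g. just `<b>`) ends up as a zero-length zval with a NULL pointer that later string operations will not expect; use `Z_STRVAL_P(value) = str.c ? str.c : estrdup("");`. Also note that `strchr(chars, s[x])` matches the terminating NUL of `chars`, so an embedded NUL byte is encoded as `&#0;` here and as `%00` in php_filter_encode_url — probably acceptable, but worth a comment — and `y` in php_filter_encode_html is never read.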
@@ -43,20 +130,41 @@ void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL) void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL) { + /* Check section 6 of rfc 822 http://www.faqs.org/rfcs/rfc822.html */ } +#define LOWALPHA "abcdefghijklmnopqrstuvwxyz" +#define HIALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +#define DIGIT "0123456789" +#define SAFE "$-_.+" +#define EXTRA "!*'()," +#define NATIONAL "{}|\\^~[]`" +#define PUNCTUATION "<>#%\"" + +#define RESERVED ";/?:@&=" + void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL) { + /* Strip all chars not part of section 5 of + * http://www.faqs.org/rfcs/rfc1738.html */ + char *allowed_list = LOWALPHA HIALPHA DIGIT SAFE EXTRA NATIONAL PUNCTUATION RESERVED; } void php_filter_number_int(PHP_INPUT_FILTER_PARAM_DECL) { + /* strip everything [^0-9+-] */ + char *allowed_list = "+-" DIGIT; } void php_filter_number_float(PHP_INPUT_FILTER_PARAM_DECL) { + /* strip everything [^0-9+-] */ + char *allowed_list = "+-" DIGIT; + /* depending on flags, strip '.', 'e', ",", "'" */ } void php_filter_magic_quotes(PHP_INPUT_FILTER_PARAM_DECL) { + /* just call magic quotes */ } +
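Review bot: The `allowed_list` prepared for php_filter_url includes NATIONAL (`{}|\^~[]` and backtick) and PUNCTUATION (`<>#%"`), but RFC 1738 §5 defines those two groups only to name characters that are unsafe and must be escaped — `uchar`/`xchar` are built from `unreserved` (alpha, digit, safe, extra), `reserved` and `escape` — so a strip-to-allowed-list URL sanitizer built on this list would pass `<`, `>` and `"` straight through into whatever the "sanitized" URL is later embedded in. Drop the two groups and keep only `%` (needed for `%xx` escapes): `char *allowed_list = LOWALPHA HIALPHA DIGIT SAFE EXTRA RESERVED "%";`. The comment on php_filter_number_float is a copy of the number_int one and contradicts the line after it; when the filter is implemented, make it `/* strip everything [^0-9+-], then '.', 'e', ',' and '\'' depending on flags */`. These are stubs, so the unused `allowed_list` locals will warn until the bodies are written.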