From: Antony Dovgal Date: Tue, 22 May 2007 14:32:40 +0000 (+0000) Subject: improve variable name checks X-Git-Tag: RELEASE_1_4~99 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f996452e8ba67e5a241202b6a743df9c136706a3;p=php improve variable name checks add more tests --- diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index 0cbb06db7b..0d42473bdf 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -6321,16 +6321,10 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h prefix = va_arg(args, zval *); prefix_len = Z_UNILEN_P(prefix); - if (!prefix_len) { - if (!hash_key->nKeyLength) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard"); - return 0; - } else if (hash_key->nKeyLength == sizeof("GLOBALS") && - ZEND_U_EQUAL(hash_key->type, hash_key->arKey, hash_key->nKeyLength-1, "GLOBALS", sizeof("GLOBALS")-1)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); - return 0; - } - } + if (!prefix_len && !hash_key->nKeyLength) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard"); + return 0; + } if (hash_key->nKeyLength) { php_prefix_varname(&new_key, prefix, hash_key->arKey, hash_key->nKeyLength-1, hash_key->type, 0 TSRMLS_CC); @@ -6342,6 +6336,11 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h zval_dtor(&num); } + if (php_varname_check(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key), 0 TSRMLS_CC) == FAILURE) { + zval_dtor(&new_key); + return 0; + } + zend_u_delete_global_variable(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) TSRMLS_CC); ZEND_U_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) + 1, *var, (*var)->refcount+1, 0); diff --git a/ext/standard/php_var.h b/ext/standard/php_var.h index c2d7997ff7..95e7747156 100644 --- a/ext/standard/php_var.h +++ b/ext/standard/php_var.h @@ -68,4 +68,101 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hash); PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len); +static inline int php_varname_check_string(char * name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (name_len == sizeof("GLOBALS")-1 && !memcmp(name, "GLOBALS", sizeof("GLOBALS")-1)) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); + } + return FAILURE; + } else if (name[0] == '_' && + ( + (name_len == sizeof("_GET")-1 && !memcmp(name, "_GET", sizeof("_GET"))) || + (name_len == sizeof("_POST")-1 && !memcmp(name, "_POST", sizeof("_POST"))) || + (name_len == sizeof("_COOKIE")-1 && !memcmp(name, "_COOKIE", sizeof("_COOKIE"))) || + (name_len == sizeof("_ENV")-1 && !memcmp(name, "_ENV", sizeof("_ENV"))) || + (name_len == sizeof("_SERVER")-1 && !memcmp(name, "_SERVER", sizeof("_SERVER"))) || + (name_len == sizeof("_SESSION")-1 && !memcmp(name, "_SESSION", sizeof("_SESSION"))) || + (name_len == sizeof("_FILES")-1 && !memcmp(name, "_FILES", sizeof("_FILES"))) || + (name_len == sizeof("_REQUEST")-1 && !memcmp(name, "_REQUEST", sizeof("_REQUEST"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%s) variable overwrite", name); + } + return FAILURE; + } else if (name[0] == 'H' && + ( + (name_len == sizeof("HTTP_POST_VARS")-1 && !memcmp(name, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) || + (name_len == sizeof("HTTP_GET_VARS")-1 && !memcmp(name, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) || + (name_len == sizeof("HTTP_COOKIE_VARS")-1 && !memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) || + (name_len == sizeof("HTTP_ENV_VARS")-1 && !memcmp(name, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) || + (name_len == sizeof("HTTP_SESSION_VARS")-1 && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) || + (name_len == sizeof("HTTP_SERVER_VARS")-1 && !memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) || + (name_len == sizeof("HTTP_RAW_POST_DATA")-1 && !memcmp(name, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) || + (name_len == sizeof("HTTP_POST_VARS")-1 && !memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%s) overwrite", name); + } + return FAILURE; + } + return SUCCESS; +} +/* }}} */ + +static inline int php_varname_check_unicode(UChar *name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (name_len == sizeof("GLOBALS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "GLOBALS", sizeof("GLOBALS")-1)) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); + } + return FAILURE; + } else if (name[0] == 0x5f /* '_' */ && + ( + (name_len == sizeof("_GET")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_GET", sizeof("_GET")-1)) || + (name_len == sizeof("_POST")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_POST", sizeof("_POST")-1)) || + (name_len == sizeof("_COOKIE")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_COOKIE", sizeof("_COOKIE")-1)) || + (name_len == sizeof("_ENV")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_ENV", sizeof("_ENV")-1)) || + (name_len == sizeof("_SERVER")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_SERVER", sizeof("_SERVER")-1)) || + (name_len == sizeof("_SESSION")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_SESSION", sizeof("_SESSION")-1)) || + (name_len == sizeof("_FILES")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_FILES", sizeof("_FILES")-1)) || + (name_len == sizeof("_REQUEST")-1 && !zend_cmp_unicode_and_literal(name, name_len, "_REQUEST", sizeof("_REQUEST")-1)) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%r) variable overwrite", name); + } + return FAILURE; + } else if (name[0] == 0x48 /* 'H' */ && + ( + (name_len == sizeof("HTTP_POST_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS")-1)) || + (name_len == sizeof("HTTP_GET_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS")-1)) || + (name_len == sizeof("HTTP_COOKIE_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS")-1)) || + (name_len == sizeof("HTTP_ENV_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS")-1)) || + (name_len == sizeof("HTTP_SESSION_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")-1)) || + (name_len == sizeof("HTTP_SERVER_VARS")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS")-1)) || + (name_len == sizeof("HTTP_RAW_POST_DATA")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA")-1)) || + (name_len == sizeof("HTTP_POST_FILES")-1 && !zend_cmp_unicode_and_literal(name, name_len, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")-1)) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%r) overwrite", name); + } + return FAILURE; + } + return SUCCESS; +} +/* }}} */ + +static inline int php_varname_check(zend_uchar type, zstr name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (type == IS_UNICODE) { + return php_varname_check_unicode(name.u, name_len, silent TSRMLS_CC); + } + return php_varname_check_string(name.s, name_len, silent TSRMLS_CC); +} +/* }}} */ + #endif /* PHP_VAR_H */ diff --git a/ext/standard/tests/general_functions/import_request1.phpt b/ext/standard/tests/general_functions/import_request1.phpt new file mode 100644 index 0000000000..027949d387 --- /dev/null +++ b/ext/standard/tests/general_functions/import_request1.phpt @@ -0,0 +1,180 @@ +--TEST-- +import_request_variables() test (overwrite super-globals) +--GET-- +GET=0&POST=1&COOKIE=2&FILES=3&REQUEST=4 +--POST-- +GET=5&POST=6&COOKIE=7&FILES=8&REQUEST=9 +--COOKIE-- +GET=10;POST=11;COOKIE=12;FILES=13;REQUEST=14 +--INI-- +variables_order=CGP +--FILE-- + +--EXPECTF-- +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d +array(5) { + ["GET"]=> + string(1) "0" + ["POST"]=> + string(1) "1" + ["COOKIE"]=> + string(1) "2" + ["FILES"]=> + string(1) "3" + ["REQUEST"]=> + string(1) "4" +} +array(5) { + ["GET"]=> + string(1) "5" + ["POST"]=> + string(1) "6" + ["COOKIE"]=> + string(1) "7" + ["FILES"]=> + string(1) "8" + ["REQUEST"]=> + string(1) "9" +} +array(5) { + ["GET"]=> + string(2) "10" + ["POST"]=> + string(2) "11" + ["COOKIE"]=> + string(2) "12" + ["FILES"]=> + string(2) "13" + ["REQUEST"]=> + string(2) "14" +} +array(0) { +} +array(5) { + ["GET"]=> + string(1) "5" + ["POST"]=> + string(1) "6" + ["COOKIE"]=> + string(1) "7" + ["FILES"]=> + string(1) "8" + ["REQUEST"]=> + string(1) "9" +} +Done +--UEXPECTF-- +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_GET) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_POST) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_COOKIE) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_FILES) variable overwrite in %s on line %d + +Warning: import_request_variables(): Attempted super-global (_REQUEST) variable overwrite in %s on line %d +array(5) { + [u"GET"]=> + unicode(1) "0" + [u"POST"]=> + unicode(1) "1" + [u"COOKIE"]=> + unicode(1) "2" + [u"FILES"]=> + unicode(1) "3" + [u"REQUEST"]=> + unicode(1) "4" +} +array(5) { + [u"GET"]=> + unicode(1) "5" + [u"POST"]=> + unicode(1) "6" + [u"COOKIE"]=> + unicode(1) "7" + [u"FILES"]=> + unicode(1) "8" + [u"REQUEST"]=> + unicode(1) "9" +} +array(5) { + [u"GET"]=> + unicode(2) "10" + [u"POST"]=> + unicode(2) "11" + [u"COOKIE"]=> + unicode(2) "12" + [u"FILES"]=> + unicode(2) "13" + [u"REQUEST"]=> + unicode(2) "14" +} +array(0) { +} +array(5) { + [u"GET"]=> + unicode(1) "5" + [u"POST"]=> + unicode(1) "6" + [u"COOKIE"]=> + unicode(1) "7" + [u"FILES"]=> + unicode(1) "8" + [u"REQUEST"]=> + unicode(1) "9" +} +Done diff --git a/ext/standard/tests/general_functions/import_request2.phpt b/ext/standard/tests/general_functions/import_request2.phpt new file mode 100644 index 0000000000..dbaf0e4ff5 --- /dev/null +++ b/ext/standard/tests/general_functions/import_request2.phpt @@ -0,0 +1,32 @@ +--TEST-- +import_request_variables() test (numeric keys) +--GET-- +1=0&2=1&3=2&4=3&5=4 +--POST-- +1=5&2=6&3=7&4=8&5=9 +--COOKIE-- +1=10;2=11;3=12;4=13;5=14 +--INI-- +variables_order=CGP +--FILE-- + +--EXPECTF-- +string(2) "10" +string(2) "11" +string(2) "12" +string(2) "13" +string(2) "14" +Done +--UEXPECTF-- +unicode(2) "10" +unicode(2) "11" +unicode(2) "12" +unicode(2) "13" +unicode(2) "14" +Done diff --git a/ext/standard/tests/general_functions/import_request3.phpt b/ext/standard/tests/general_functions/import_request3.phpt new file mode 100644 index 0000000000..4a146dbfbb --- /dev/null +++ b/ext/standard/tests/general_functions/import_request3.phpt @@ -0,0 +1,32 @@ +--TEST-- +import_request_variables() test (numeric keys, different order) +--GET-- +1=0&2=1&3=2&4=3&5=4 +--POST-- +1=5&2=6&3=7&4=8&5=9 +--COOKIE-- +1=10;2=11;3=12;4=13;5=14 +--INI-- +variables_order=CGP +--FILE-- + +--EXPECTF-- +string(1) "5" +string(1) "6" +string(1) "7" +string(1) "8" +string(1) "9" +Done +--UEXPECTF-- +unicode(1) "5" +unicode(1) "6" +unicode(1) "7" +unicode(1) "8" +unicode(1) "9" +Done