From 33f9ada0389639293f36ffc7ddd64926e07b8f68 Mon Sep 17 00:00:00 2001
From: Pierre Joye
Date: Tue, 5 Dec 2006 01:24:18 +0000
Subject: [PATCH] - MFH: invalid filter id should not return unsafe values
---
ext/filter/filter.c | 23 ++++++++++++
ext/filter/filter_private.h | 7 ++++
ext/filter/tests/010.phpt | 4 +-
ext/filter/tests/039.phpt | 74 +++++++++++++------------------------
4 files changed, 58 insertions(+), 50 deletions(-)
diff --git a/ext/filter/filter.c b/ext/filter/filter.c
index fffb1273f6..1b87db2e2d 100644
--- a/ext/filter/filter.c
+++ b/ext/filter/filter.c
@@ -645,6 +645,11 @@ static void php_filter_array_handler(zval *input, zval **op, zval *return_value
 zval_dtor(return_value);
 RETURN_FALSE;
 }
+ if (arg_key_len < 2) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty keys are not allowed in the definition array");
+ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
 if (zend_hash_find(Z_ARRVAL_P(input), arg_key, arg_key_len, (void **)&tmp) != SUCCESS) {
 add_assoc_null_ex(return_value, arg_key, arg_key_len);
 } else {
@@ -680,6 +685,10 @@ PHP_FUNCTION(filter_input)
 return;
 }
+ if (!PHP_FILTER_ID_EXISTS(filter)) {
+ RETURN_FALSE;
+ }
+
 input = php_filter_get_storage(fetch_from TSRMLS_CC);
 if (!input || !HASH_OF(input) || zend_hash_find(HASH_OF(input), var, var_len + 1, (void **)&tmp) != SUCCESS) {
@@ -726,6 +735,10 @@ PHP_FUNCTION(filter_var)
 return;
 }
+ if (!PHP_FILTER_ID_EXISTS(filter)) {
+ RETURN_FALSE;
+ }
+
 *return_value = *data;
 zval_copy_ctor(data);
@@ -745,6 +758,11 @@ PHP_FUNCTION(filter_input_array)
 return;
 }
+ if (op && ( (Z_TYPE_PP(op) == IS_LONG && !PHP_FILTER_ID_EXISTS(Z_LVAL_PP(op)))
+ || Z_TYPE_PP(op) != IS_ARRAY)) {
+ RETURN_FALSE;
+ }
+
 array_input = php_filter_get_storage(fetch_from TSRMLS_CC);
 if (!array_input || !HASH_OF(array_input)) {
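Review bot: The bound in `if (arg_key_len < 2)` is a bare magic number with no comment saying why 2 means "empty". The same length is handed unmodified to `zend_hash_find()` right after the check, while filter_input passes `var_len + 1` to that function, so `arg_key_len` presumably already counts the terminating NUL; I would add `/* arg_key_len includes the trailing NUL, so < 2 is the empty key "" */` above the check. The body of php_filter_array_handler starts and ends outside this hunk, so where arg_key_len is assigned cannot be confirmed from here.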
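Review bot: The new guard `if (!PHP_FILTER_ID_EXISTS(filter)) { RETURN_FALSE; }` in filter_input, and the identical one in the filter_var hunk (-726), fails silently, whereas the empty-key rejection added to php_filter_array_handler in this same commit emits an E_WARNING. Failing closed is the right default, but a bare FALSE probably looks the same to the caller as a value that did not pass validation, so a mistyped filter constant can go unnoticed in an application's input handling. Consider raising a warning before the return, for example `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown filter id");`. Both function bodies continue outside their hunks.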
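Review bot: The added condition in filter_input_array, repeated verbatim in the filter_var_array hunk (-780), returns FALSE for every `op` that is not an array: the second disjunct `Z_TYPE_PP(op) != IS_ARRAY` is already true whenever `Z_TYPE_PP(op) == IS_LONG`, so the `PHP_FILTER_ID_EXISTS` test never changes the outcome. If a single valid filter id is meant to remain an accepted definition (the IS_LONG branch suggests so), the check should read `if (op && Z_TYPE_PP(op) != IS_ARRAY && (Z_TYPE_PP(op) != IS_LONG || !PHP_FILTER_ID_EXISTS(Z_LVAL_PP(op)))) {`. If only arrays are intended, drop the IS_LONG clause so the code says what it does. Both function bodies start outside their hunks.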
@@ -780,6 +798,11 @@ PHP_FUNCTION(filter_var_array) return; } + if (op && ( (Z_TYPE_PP(op) == IS_LONG && !PHP_FILTER_ID_EXISTS(Z_LVAL_PP(op))) + || Z_TYPE_PP(op) != IS_ARRAY)) { + RETURN_FALSE; + } + php_filter_array_handler(array_input, op, return_value TSRMLS_CC); } /* }}} */ diff --git a/ext/filter/filter_private.h b/ext/filter/filter_private.h index d782c2dfbf..af3aef4fe4 100644 --- a/ext/filter/filter_private.h +++ b/ext/filter/filter_private.h @@ -62,6 +62,7 @@ #define FILTER_VALIDATE_URL 0x0111 #define FILTER_VALIDATE_EMAIL 0x0112 #define FILTER_VALIDATE_IP 0x0113 +#define FILTER_VALIDATE_LAST 0x0113 #define FILTER_VALIDATE_ALL 0x0100 @@ -76,11 +77,17 @@ #define FILTER_SANITIZE_NUMBER_INT 0x0207 #define FILTER_SANITIZE_NUMBER_FLOAT 0x0208 #define FILTER_SANITIZE_MAGIC_QUOTES 0x0209 +#define FILTER_SANITIZE_LAST 0x0209 #define FILTER_SANITIZE_ALL 0x0200 #define FILTER_CALLBACK 0x0400 +#define PHP_FILTER_ID_EXISTS(id) \ +((id >= FILTER_SANITIZE_ALL && id <= FILTER_SANITIZE_LAST) \ +|| (id >= FILTER_VALIDATE_ALL && id <= FILTER_VALIDATE_LAST) \ +|| id == FILTER_CALLBACK) + #define PHP_FILTER_TRIM_DEFAULT(p, len, end) { \ while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\v') { \ p++; \ diff --git a/ext/filter/tests/010.phpt b/ext/filter/tests/010.phpt index b1cf124f24..ba6dea19ea 100644 --- a/ext/filter/tests/010.phpt +++ b/ext/filter/tests/010.phpt @@ -55,6 +55,6 @@ NULL string(1) "1" string(1) "1" string(1) "1" -string(1) "1" -string(1) "1" +bool(false) +bool(false) Done diff --git a/ext/filter/tests/039.phpt b/ext/filter/tests/039.phpt index 8b2d31e213..ae883db3e3 100644 --- a/ext/filter/tests/039.phpt +++ b/ext/filter/tests/039.phpt @@ -5,6 +5,7 @@ filter_var_array() and different arguments --FILE-- "hoho"))); 
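Review bot: `PHP_FILTER_ID_EXISTS` is a range test, so it accepts every value between an `_ALL` base and its `_LAST` constant, including the group markers `FILTER_VALIDATE_ALL` and `FILTER_SANITIZE_ALL` themselves and any unassigned number in between, rather than only ids that have a filter behind them. Whether the later lookup handles such an id safely is not visible here; if the id space has gaps, checking against the filter table would be the tighter test. The macro also uses `id` unparenthesized and evaluates it up to five times; write `((id) >= FILTER_SANITIZE_ALL && (id) <= FILTER_SANITIZE_LAST)` and likewise for the other terms, or make it a `static inline` function. The two `_LAST` defines deserve a comment such as `/* keep equal to the highest FILTER_VALIDATE_* id */`, since nothing enforces that.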
@@ -12,19 +13,24 @@ var_dump(filter_var_array(array(), -1)); var_dump(filter_var_array(array(), 1000000)); var_dump(filter_var_array(array(), "")); +echo "-- (2)\n"; var_dump(filter_var_array(array(""=>""), -1)); var_dump(filter_var_array(array(""=>""), 1000000)); var_dump(filter_var_array(array(""=>""), "")); +echo "-- (3)\n"; var_dump(filter_var_array(array("aaa"=>"bbb"), -1)); var_dump(filter_var_array(array("aaa"=>"bbb"), 1000000)); var_dump(filter_var_array(array("aaa"=>"bbb"), "")); +echo "-- (4)\n"; var_dump(filter_var_array(array(), new stdclass)); var_dump(filter_var_array(array(), array())); var_dump(filter_var_array(array(), array("var_name"=>1))); var_dump(filter_var_array(array(), array("var_name"=>-1))); var_dump(filter_var_array(array("var_name"=>""), array("var_name"=>-1))); + +echo "-- (5)\n"; var_dump(filter_var_array(array("var_name"=>""), array("var_name"=>-1, "asdas"=>"asdasd", "qwe"=>"rty", ""=>""))); var_dump(filter_var_array(array("asdas"=>"text"), array("var_name"=>-1, "asdas"=>"asdasd", "qwe"=>"rty", ""=>""))); @@ -44,6 +50,8 @@ var_dump($a, $b); echo "Done\n"; ?> --EXPECTF-- +-- (1) + Warning: filter_var_array() expects parameter 1 to be array, null given in %s on line %d NULL array(0) { @@ -54,30 +62,19 @@ array(2) { ["blah"]=> string(4) "hoho" } -array(0) { -} -array(0) { -} bool(false) -array(1) { - [""]=> - string(0) "" -} -array(1) { - [""]=> - string(0) "" -} bool(false) -array(1) { - ["aaa"]=> - string(3) "bbb" -} -array(1) { - ["aaa"]=> - string(3) "bbb" -} +bool(false) +-- (2) +bool(false) bool(false) bool(false) +-- (3) +bool(false) +bool(false) +bool(false) +-- (4) +bool(false) array(0) { } array(1) { 
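Review bot: Every scalar second argument exercised by the calls in this hunk is an invalid id (`-1`, `1000000`, `""`), so the expectations cannot distinguish "unknown filter id is rejected" from "every non-array definition is rejected". Add at least one case with a valid scalar id, for example `var_dump(filter_var_array(array("aaa"=>"bbb"), FILTER_DEFAULT));`, with whatever expected output the project intends for it. The test script continues outside this hunk.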
@@ -92,39 +89,20 @@ array(1) { ["var_name"]=> string(0) "" } -array(4) { - ["var_name"]=> - string(0) "" - ["asdas"]=> - NULL - ["qwe"]=> - NULL - [""]=> - NULL -} -array(4) { - ["var_name"]=> - NULL - ["asdas"]=> - string(4) "text" - ["qwe"]=> - NULL - [""]=> - NULL -} -array(1) { - [""]=> - string(0) "" -} +-- (5) + +Warning: filter_var_array(): Empty keys are not allowed in the definition array in %s on line %d +bool(false) + +Warning: filter_var_array(): Empty keys are not allowed in the definition array in %s on line %d +bool(false) +bool(false) array(1) { [""]=> string(0) "" } int(-1) -array(1) { - [""]=> - string(0) "" -} +bool(false) array(1) { [""]=> string(0) "" -- 2.40.0