author | Yasuo Ohgaki <yohgaki@php.net> | 2014-02-16 10:45:50 +0900 |
---|---|---|
committer | Yasuo Ohgaki <yohgaki@php.net> | 2014-02-16 10:45:50 +0900 |
commit | 3fcdecf658e1da937581caae8de9998c3303addf (patch) | |
tree | a284ca6e765c5b5345c5905e426a90491e37587a | |
parent | f9537c2a0bf324a892182ff2dd3ec3218dba812a (diff) | |
parent | f275fdcf0095a108c33f2843011c6fac54216121 (diff) | |
download | php-git-3fcdecf658e1da937581caae8de9998c3303addf.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
Fixed possible injections against pg_insert()/pg_delete()/pg_update()/pg_select()
-rw-r--r-- | ext/pgsql/pgsql.c | 30 |
1 files changed, 20 insertions, 10 deletions
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 18960d1b37..be915ae5ae 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -5310,12 +5310,22 @@ static php_pgsql_data_type php_pgsql_get_data_type(const char *type_name, size_t
 /* {{{ php_pgsql_convert_match
 * test field value with regular expression specified.
 */
-static int php_pgsql_convert_match(const char *str, const char *regex , int icase TSRMLS_DC)
+static int php_pgsql_convert_match(const char *str, size_t str_len, const char *regex , int icase TSRMLS_DC)
 {
 regex_t re;
 regmatch_t *subs;
 int regopt = REG_EXTENDED;
 int regerr, ret = SUCCESS;
+ int i;
+
+ /* Check invalid chars for POSIX regex */
+ for (i = 0; i < str_len; i++) {
+ if (str[i] == '\n' ||
+ str[i] == '\r' ||
+ str[i] == '\0' ) {
+ return FAILURE;
+ }
+ }
 
 if (icase) {
 regopt |= REG_ICASE;
@@ -5539,7 +5549,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
 }
 else {
 /* FIXME: better regex must be used */
- if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([+-]{0,1}[0-9]+)$", 0 TSRMLS_CC) == FAILURE) {
+ if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([+-]{0,1}[0-9]+)$", 0 TSRMLS_CC) == FAILURE) {
 err = 1;
 }
 else {
@@ -5581,7 +5591,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
 }
 else {
 /* FIXME: better regex must be used */
- if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*)$", 0 TSRMLS_CC) == FAILURE) {
+ if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*)$", 0 TSRMLS_CC) == FAILURE) {
 err = 1;
 }
 else {
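Review bot: In the scan loop added to php_pgsql_convert_match the counter is declared `int i` while the bound is `size_t str_len`, so `i < str_len` is a signed/unsigned comparison and the counter would overflow for a length above INT_MAX; declaring it `size_t i;` keeps the two types aligned. The comment `/* Check invalid chars for POSIX regex */` would help more if it gave the reason NUL matters: regexec() matches a NUL-terminated string, so bytes after an embedded NUL would never be checked by the pattern. The function body continues past the end of the hunk.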
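Review bot: The float pattern in the hunk at -5581 is not anchored as a whole: `^` binds only to the first alternative and `$` only to the last, so a value that merely begins with an integer can satisfy the first branch without the entire string being numeric. The new NUL/CR/LF check does not close that gap; grouping the alternatives does, `"^(([+-]{0,1}[0-9]+)|([+-]{0,1}[0-9]*[\\.][0-9]+)|([+-]{0,1}[0-9]+[\\.][0-9]*))$"`. What is done with an accepted value lies in the `else` branch outside the hunk, so the effect on the generated query should be confirmed there.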
@@ -5666,7 +5676,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
 }
 else {
 /* FIXME: Better regex must be used */
- if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^[0-9]+$", 0 TSRMLS_CC) == FAILURE) {
+ if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^[0-9]+$", 0 TSRMLS_CC) == FAILURE) {
 err = 1;
 }
 else {
@@ -5707,7 +5717,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
 }
 else {
 /* FIXME: Better regex must be used */
- if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/[0-9]{1,2}){0,1}$", 0 TSRMLS_CC) == FAILURE) {
+ if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/[0-9]{1,2}){0,1}$", 0 TSRMLS_CC) == FAILURE) {
 err = 1;
 }
 else {
@@ -5741,7 +5751,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con
 ZVAL_STRINGL(new_val, "NOW()", sizeof("NOW()")-1, 1);
 } else {
 /* FIXME: better regex must be used */
- if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})([ \\t]+(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}(\\.[0-9]+){0,1}([ \\t]*([+-][0-9]{1,4}(:[0-9]{1,2}){0,1}|[-a-zA-Z_/+]{1,50})){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
+ if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})([ \\t]+(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}(\\.[0-9]+){0,1}([ \\t]*([+-][0-9]{1,4}(:[0-9]{1,2}){0,1}|[-a-zA-Z_/+]{1,50})){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) {
 err = 1;
 } else {
 ZVAL_STRING(new_val, Z_STRVAL_PP(val), 1);
@@ -5771,7 +5781,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con } else { /* FIXME: better regex must be used */ - if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})$", 1 TSRMLS_CC) == FAILURE) { + if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9]{4}[/-][0-9]{1,2}[/-][0-9]{1,2})$", 1 TSRMLS_CC) == FAILURE) { err = 1; } else { @@ -5802,7 +5812,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con } else { /* FIXME: better regex must be used */ - if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) { + if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1})){0,1}$", 1 TSRMLS_CC) == FAILURE) { err = 1; } else { @@ -5849,7 +5859,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con unit markings. For example, '1 12:59:10' is read the same as '1 day 12 hours 59 min 10 sec'. */ - if (php_pgsql_convert_match(Z_STRVAL_PP(val), + if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^(@?[ \\t]+)?(" /* Textual time units and their abbreviations: */ @@ -5964,7 +5974,7 @@ PHP_PGSQL_API int php_pgsql_convert(PGconn *pg_link, const char *table_name, con ZVAL_STRING(new_val, "NULL", 1); } else { - if (php_pgsql_convert_match(Z_STRVAL_PP(val), "^([0-9a-f]{2,2}:){5,5}[0-9a-f]{2,2}$", 1 TSRMLS_CC) == FAILURE) { + if (php_pgsql_convert_match(Z_STRVAL_PP(val), Z_STRLEN_PP(val), "^([0-9a-f]{2,2}:){5,5}[0-9a-f]{2,2}$", 1 TSRMLS_CC) == FAILURE) { err = 1; } else { |
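Review bot: The time pattern in the hunk at -5802, `"^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1})){0,1}$"`, appears to contain one more `)` than `(`, and the call is carried over unchanged apart from the new length argument. How regcomp treats an unmatched `)` depends on the regex library in use, which is not visible here, so the pattern may fail to compile or match something other than intended. Dropping the extra parenthesis gives `"^(([0-9]{1,2}:[0-9]{1,2}){1}(:[0-9]{1,2}){0,1}){0,1}$"`. The enclosing php_pgsql_convert starts and ends outside the hunk.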