author | Rui Hirokawa <hirokawa@php.net> | 2006-03-21 01:58:27 +0000 |
---|---|---|
committer | Rui Hirokawa <hirokawa@php.net> | 2006-03-21 01:58:27 +0000 |
commit | 6912dab9ebf0107f3da0b74ef899c536091ece84 (patch) | |
tree | b42eabc5b8814bd9925cb5c9a8cdc31f3762da3e | |
parent | 79e7432c971e904c84b7774674fc71f805091fd4 (diff) | |
download | php-git-6912dab9ebf0107f3da0b74ef899c536091ece84.tar.gz |
@added possible encoding attack detection by mb_get_info('illegalchars').
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.c | 14 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.h | 1 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfl_convert.c | 4 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfl_convert.h | 1 | ||||
-rw-r--r-- | ext/mbstring/mbstring.c | 10 | ||||
-rw-r--r-- | ext/mbstring/mbstring.h | 1 |
6 files changed, 30 insertions, 1 deletions
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index ec3409d8ea..9f16331874 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -331,6 +331,20 @@ mbfl_buffer_converter_feed_result(mbfl_buffer_converter *convd, mbfl_string *str return mbfl_memory_device_result(&convd->device, result); } +int mbfl_buffer_illegalchars(mbfl_buffer_converter *convd) +{ + int num_illegalchars = 0; + + if (convd->filter1 != NULL) { + num_illegalchars += convd->filter1->num_illegalchar; + } + + if (convd->filter2 != NULL) { + num_illegalchars += convd->filter2->num_illegalchar; + } + + return (num_illegalchars); +} /* * encoding detector diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.h b/ext/mbstring/libmbfl/mbfl/mbfilter.h index 702079ac45..f958e936ab 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.h +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.h @@ -129,6 +129,7 @@ MBFLAPI extern int mbfl_buffer_converter_flush(mbfl_buffer_converter *convd); MBFLAPI extern mbfl_string * mbfl_buffer_converter_getbuffer(mbfl_buffer_converter *convd, mbfl_string *result); MBFLAPI extern mbfl_string * mbfl_buffer_converter_result(mbfl_buffer_converter *convd, mbfl_string *result); MBFLAPI extern mbfl_string * mbfl_buffer_converter_feed_result(mbfl_buffer_converter *convd, mbfl_string *string, mbfl_string *result); +MBFLAPI extern int mbfl_buffer_illegalchars(mbfl_buffer_converter *convd); /* * encoding detector diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_convert.c b/ext/mbstring/libmbfl/mbfl/mbfl_convert.c index 981bba6af9..78a995cd25 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfl_convert.c +++ b/ext/mbstring/libmbfl/mbfl/mbfl_convert.c @@ -250,6 +250,7 @@ mbfl_convert_filter_new( filter->data = data; filter->illegal_mode = MBFL_OUTPUTFILTER_ILLEGAL_MODE_CHAR; filter->illegal_substchar = 0x3f; /* '?' */ + filter->num_illegalchar = 0; /* setup the function table */ mbfl_convert_filter_reset_vtbl(filter); 
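Review bot: `mbfl_buffer_illegalchars()` reads `convd->filter1` without first checking `convd`, so a NULL converter is dereferenced; opening the body with `if (convd == NULL) { return 0; }` would make the accessor safe at every call site. This matters most for the `last_feed` call in `mb_output_handler` (ext/mbstring/mbstring.c), which passes `MBSTRG(outconv)` with no guard visible in its hunk, whereas the RSHUTDOWN and handler-start sites sit inside an explicit NULL test. The function also has no comment; it would help to state that the result is the sum of both filters' `num_illegalchar` fields, i.e. a running total for the converter's lifetime rather than a per-call count.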
@@ -317,6 +318,7 @@ mbfl_convert_filter_copy( dist->to = src->to; dist->illegal_mode = src->illegal_mode; dist->illegal_substchar = src->illegal_substchar; + dist->num_illegalchar = src->num_illegalchar; } int mbfl_convert_filter_devcat(mbfl_convert_filter *filter, mbfl_memory_device *src) @@ -432,7 +434,7 @@ mbfl_filt_conv_illegal_output(int c, mbfl_convert_filter *filter) break; } filter->illegal_mode = mode_backup; - + filter->num_illegalchar++; return ret; } diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_convert.h b/ext/mbstring/libmbfl/mbfl/mbfl_convert.h index afec8f0627..bf8b3bd630 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfl_convert.h +++ b/ext/mbstring/libmbfl/mbfl/mbfl_convert.h @@ -51,6 +51,7 @@ struct _mbfl_convert_filter { const mbfl_encoding *to; int illegal_mode; int illegal_substchar; + int num_illegalchar; void *opaque; }; diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index 06490d4dd4..86c620f4ff 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -927,6 +927,7 @@ PHP_RINIT_FUNCTION(mbstring) MBSTRG(current_http_output_encoding) = MBSTRG(http_output_encoding); MBSTRG(current_filter_illegal_mode) = MBSTRG(filter_illegal_mode); MBSTRG(current_filter_illegal_substchar) = MBSTRG(filter_illegal_substchar); + MBSTRG(illegalchars) = 0; n = 0; if (MBSTRG(detect_order_list)) { @@ -995,6 +996,7 @@ PHP_RSHUTDOWN_FUNCTION(mbstring) MBSTRG(current_detect_order_list_size) = 0; } if (MBSTRG(outconv) != NULL) { + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(MBSTRG(outconv)); mbfl_buffer_converter_delete(MBSTRG(outconv)); MBSTRG(outconv) = NULL; } @@ -1451,6 +1453,7 @@ PHP_FUNCTION(mb_output_handler) if ((arg_status & PHP_OUTPUT_HANDLER_START) != 0) { /* delete the converter just in case. */ if (MBSTRG(outconv)) { + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(MBSTRG(outconv)); mbfl_buffer_converter_delete(MBSTRG(outconv)); MBSTRG(outconv) = NULL; } 
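Review bot: `filter->num_illegalchar++` at the end of `mbfl_filt_conv_illegal_output()` increments a signed `int` with no upper bound, and the number of increments is driven by the data being converted, which the commit message treats as potentially hostile. A long-lived filter fed enough invalid input would overflow the counter, which is undefined behaviour for a signed type and could wrap the detection signal back towards zero; `if (filter->num_illegalchar < INT_MAX) filter->num_illegalchar++;` (with `<limits.h>`) saturates instead. The field is also copied in `mbfl_convert_filter_copy()` in the preceding hunk, so a caller that summed a filter and its copy would count the same events twice; a comment on the field should say whether the copy is meant to inherit the count. Only the tail of the function is visible in this hunk.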
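Review bot: The pair `MBSTRG(illegalchars) += mbfl_buffer_illegalchars(...);` followed by `mbfl_buffer_converter_delete(...);` is written out by hand here in RSHUTDOWN and at six further sites in this file (both `mb_output_handler` hunks, `php_mb_convert_encoding`, the `detect_end:` hunk, `php_mb_gpc_encoding_converter` and `php_mb_encoding_converter`). Any converter deleted without the first line silently under-reports, so a small static helper that performs both steps would keep the counter trustworthy as new call sites are added. Separately, as far as these hunks show, the value folded in during RSHUTDOWN is cleared by `MBSTRG(illegalchars) = 0;` in RINIT before any script can read it, so if output-side invalid characters matter for detection they would have to be logged at this point.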
@@ -1515,6 +1518,7 @@ PHP_FUNCTION(mb_output_handler) /* delete the converter if it is the last feed. */ if (last_feed) { + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(MBSTRG(outconv)); mbfl_buffer_converter_delete(MBSTRG(outconv)); MBSTRG(outconv) = NULL; } @@ -2079,6 +2083,7 @@ MBSTRING_API char * php_mb_convert_encoding(char *input, size_t length, char *_t output = (char *)ret->val; } + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(convd); mbfl_buffer_converter_delete(convd); return output; } @@ -2725,6 +2730,7 @@ detect_end: } efree(stack); + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(convd); mbfl_buffer_converter_delete(convd); } @@ -3422,6 +3428,8 @@ PHP_FUNCTION(mb_get_info) if (lang != NULL && (name = (char *)mbfl_no_encoding2name(lang->mail_body_encoding)) != NULL) { RETVAL_STRING(name, 1); } + } else if (!strcasecmp("illegalchars", typ)) { + RETVAL_LONG(MBSTRG(illegalchars)); } else { RETURN_FALSE; } @@ -3588,6 +3596,7 @@ MBSTRING_API int php_mb_gpc_encoding_converter(char **str, int *len, int num, co str[i] = ret->val; len[i] = ret->len; } + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(convd); mbfl_buffer_converter_delete(convd); } @@ -3804,6 +3813,7 @@ int php_mb_encoding_converter(char **to, int *to_length, const char *from, *to = ret->val; *to_length = ret->len; } + MBSTRG(illegalchars) += mbfl_buffer_illegalchars(convd); mbfl_buffer_converter_delete(convd); return ret ? 0 : -1; diff --git a/ext/mbstring/mbstring.h b/ext/mbstring/mbstring.h index 5f960ca3d6..4eecb32c8a 100644 --- a/ext/mbstring/mbstring.h +++ b/ext/mbstring/mbstring.h @@ -181,6 +181,7 @@ ZEND_BEGIN_MODULE_GLOBALS(mbstring) long func_overload; zend_bool encoding_translation; long strict_detection; + long illegalchars; mbfl_buffer_converter *outconv; #if HAVE_MBREGEX && defined(PHP_MBREGEX_GLOBALS) PHP_MBREGEX_GLOBALS |
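Review bot: The new `"illegalchars"` branch in `mb_get_info` returns a per-request running total, but nothing in the code or a comment says what that total covers. From the hunks in this commit the value is only updated when a buffer converter is deleted, so invalid characters seen by a still-active output converter are not yet included, and the number cannot be tied to one particular input or conversion. A comment above the branch such as `/* cumulative count of illegal characters from converters already released in this request; a signal for the caller to check, nothing is rejected here */` would stop callers from reading a zero as proof that the input was clean. Whether the no-argument form of `mb_get_info()` also reports the key is not visible in this hunk.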