diff options
Diffstat (limited to 'ext/standard/url_scanner_ex.re')
-rw-r--r-- | ext/standard/url_scanner_ex.re | 674 |
1 files changed, 536 insertions, 138 deletions
diff --git a/ext/standard/url_scanner_ex.re b/ext/standard/url_scanner_ex.re index 8bc77db4be..628a7fee58 100644 --- a/ext/standard/url_scanner_ex.re +++ b/ext/standard/url_scanner_ex.re @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 7 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2017 The PHP Group | + | Copyright (c) 1997-2018 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -13,6 +13,7 @@ | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Author: Sascha Schumann <sascha@schumann.cx> | + | Yasuo Ohgaki <yohgaki@ohgaki.net> | +----------------------------------------------------------------------+ */ @@ -31,12 +32,14 @@ #include <stdlib.h> #include <string.h> +#include "SAPI.h" #include "php_ini.h" #include "php_globals.h" #include "php_string.h" #define STATE_TAG SOME_OTHER_STATE_TAG #include "basic_functions.h" #include "url.h" +#include "html.h" #undef STATE_TAG #define url_scanner url_scanner_ex @@ -48,14 +51,18 @@ static void tag_dtor(zval *zv) free(Z_PTR_P(zv)); } -static PHP_INI_MH(OnUpdateTags) +static int php_ini_on_update_tags(zend_ini_entry *entry, zend_string *new_value, void *mh_arg1, void *mh_arg2, void *mh_arg3, int stage, int type) { url_adapt_state_ex_t *ctx; char *key; char *tmp; char *lasts = NULL; - ctx = &BG(url_adapt_state_ex); + if (type) { + ctx = &BG(url_adapt_session_ex); + } else { + ctx = &BG(url_adapt_output_ex); + } tmp = estrndup(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); @@ -64,6 +71,7 @@ static PHP_INI_MH(OnUpdateTags) else { ctx->tags = malloc(sizeof(HashTable)); if (!ctx->tags) { + efree(tmp); return FAILURE; } } @@ -71,8 +79,8 @@ static PHP_INI_MH(OnUpdateTags) zend_hash_init(ctx->tags, 0, NULL, tag_dtor, 1); for (key = php_strtok_r(tmp, ",", &lasts); - key; - key = php_strtok_r(NULL, ",", &lasts)) { + key; + key = php_strtok_r(NULL, ",", &lasts)) { char *val; val = strchr(key, '='); @@ -81,11 +89,10 @@ static PHP_INI_MH(OnUpdateTags) size_t keylen; *val++ = '\0'; - for (q = key; *q; q++) + for (q = key; *q; q++) { *q = tolower(*q); + } keylen = q - key; - /* key is stored withOUT NUL - val is stored WITH NUL */ zend_hash_str_add_mem(ctx->tags, key, keylen, val, strlen(val)+1); } } @@ -95,8 +102,70 @@ static PHP_INI_MH(OnUpdateTags) return SUCCESS; } +static PHP_INI_MH(OnUpdateSessionTags) +{ + return php_ini_on_update_tags(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, 1); +} + +static PHP_INI_MH(OnUpdateOutputTags) +{ + return php_ini_on_update_tags(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, 0); +} + +static int php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value, void *mh_arg1, void *mh_arg2, void *mh_arg3, int stage, int type) +{ + HashTable *hosts; + char *key; + char *tmp; + char *lasts = NULL; + + if (type) { + hosts = &BG(url_adapt_session_hosts_ht); + } else { + hosts = &BG(url_adapt_output_hosts_ht); + } + zend_hash_clean(hosts); + + /* Use user supplied host whitelist */ + tmp = estrndup(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); + for (key = php_strtok_r(tmp, ",", &lasts); + key; + key = php_strtok_r(NULL, ",", &lasts)) { + size_t keylen; + zend_string *tmp_key; + char *q; + + for (q = key; *q; q++) { + *q = tolower(*q); + } + keylen = q - key; + if (keylen > 0) { + tmp_key = zend_string_init(key, keylen, 0); + zend_hash_add_empty_element(hosts, tmp_key); + zend_string_release(tmp_key); + } + } + efree(tmp); + + return SUCCESS; +} + +static PHP_INI_MH(OnUpdateSessionHosts) +{ + return php_ini_on_update_hosts(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, 1); +} + +static PHP_INI_MH(OnUpdateOutputHosts) +{ + return php_ini_on_update_hosts(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, 0); +} + +/* FIXME: OnUpdate*Hosts cannot set default to $_SERVER['HTTP_HOST'] at startup */ PHP_INI_BEGIN() - STD_PHP_INI_ENTRY("url_rewriter.tags", "a=href,area=href,frame=src,form=,fieldset=", PHP_INI_ALL, OnUpdateTags, url_adapt_state_ex, php_basic_globals, basic_globals) + STD_PHP_INI_ENTRY("session.trans_sid_tags", "a=href,area=href,frame=src,form=", PHP_INI_ALL, OnUpdateSessionTags, url_adapt_session_ex, php_basic_globals, basic_globals) + STD_PHP_INI_ENTRY("session.trans_sid_hosts", "", PHP_INI_ALL, OnUpdateSessionHosts, url_adapt_session_hosts_ht, php_basic_globals, basic_globals) + STD_PHP_INI_ENTRY("url_rewriter.tags", "form=", PHP_INI_ALL, OnUpdateOutputTags, url_adapt_session_ex, php_basic_globals, basic_globals) + STD_PHP_INI_ENTRY("url_rewriter.hosts", "", PHP_INI_ALL, OnUpdateOutputHosts, url_adapt_session_hosts_ht, php_basic_globals, basic_globals) PHP_INI_END() /*!re2c @@ -115,69 +184,107 @@ alphadash = ([a-zA-Z] | "-"); static inline void append_modified_url(smart_str *url, smart_str *dest, smart_str *url_app, const char *separator) { - register const char *p, *q; - const char *bash = NULL; - const char *sep = "?"; + php_url *url_parts; + char *tmp; + size_t tmp_len; - /* - * Don't modify "//example.com" full path, unless - * HTTP_HOST matches. - */ - if (ZSTR_LEN(url->s) > 2 && ZSTR_VAL(url->s)[0] == '/' && ZSTR_VAL(url->s)[1] == '/') { - const char *end_chars = "/\"'?>\r\n"; - zval *tmp = NULL, *http_host = NULL; - size_t target_len, host_len; - if ((!(tmp = zend_hash_str_find(&EG(symbol_table), ZEND_STRL("_SERVER")))) - || Z_TYPE_P(tmp) != IS_ARRAY - || !(http_host = zend_hash_str_find(HASH_OF(tmp), ZEND_STRL("HTTP_HOST"))) - || Z_TYPE_P(http_host) != IS_STRING) { - smart_str_append_smart_str(dest, url); - return; - } + smart_str_0(url); /* FIXME: Bug #70480 php_url_parse_ex() crashes by processing chars exceed len */ + url_parts = php_url_parse_ex(ZSTR_VAL(url->s), ZSTR_LEN(url->s)); - /* HTTP_HOST could be "example.com:8888", etc. */ - /* Need to find end of URL in buffer */ - host_len = strcspn(Z_STRVAL_P(http_host), ":"); - target_len = php_strcspn( - ZSTR_VAL(url->s) + 2, (char *) end_chars, - ZSTR_VAL(url->s) + ZSTR_LEN(url->s), (char *) end_chars + strlen(end_chars)); - if (host_len - && host_len == target_len - && strncasecmp(Z_STRVAL_P(http_host), ZSTR_VAL(url->s)+2, host_len)) { - smart_str_append_smart_str(dest, url); - return; - } + /* Ignore malformed URLs */ + if (!url_parts) { + smart_str_append_smart_str(dest, url); + return; } - q = (p = ZSTR_VAL(url->s)) + ZSTR_LEN(url->s); - -scan: -/*!re2c - ":" { smart_str_append_smart_str(dest, url); return; } - "?" { sep = separator; goto scan; } - "#" { bash = p - 1; goto done; } - (any\[:?#])+ { goto scan; } -*/ -done: - /* Don't modify URLs of the format "#mark" */ - if (bash && bash - ZSTR_VAL(url->s) == 0) { + if (url_parts->fragment && '#' == ZSTR_VAL(url->s)[0]) { smart_str_append_smart_str(dest, url); + php_url_free(url_parts); return; } - if (bash) - smart_str_appendl(dest, ZSTR_VAL(url->s), bash - ZSTR_VAL(url->s)); - else + /* Check protocol. Only http/https is allowed. */ + if (url_parts->scheme + && strcasecmp("http", url_parts->scheme) + && strcasecmp("https", url_parts->scheme)) { smart_str_append_smart_str(dest, url); + php_url_free(url_parts); + return; + } + + /* Check host whitelist. If it's not listed, do nothing. */ + if (url_parts->host + && (tmp_len = strlen(url_parts->host)) + && (tmp = php_strtolower(url_parts->host, tmp_len)) + && !zend_hash_str_find(&BG(url_adapt_session_hosts_ht), tmp, tmp_len)) { + smart_str_append_smart_str(dest, url); + php_url_free(url_parts); + return; + } - smart_str_appends(dest, sep); - smart_str_append_smart_str(dest, url_app); + /* + * When URL does not have path and query string add "/?". + * i.e. If URL is only "?foo=bar", should not add "/?". + */ + if (!url_parts->path && !url_parts->query && !url_parts->fragment) { + /* URL is http://php.net or like */ + smart_str_append_smart_str(dest, url); + smart_str_appendc(dest, '/'); + smart_str_appendc(dest, '?'); + smart_str_append_smart_str(dest, url_app); + php_url_free(url_parts); + return; + } - if (bash) - smart_str_appendl(dest, bash, q - bash); + if (url_parts->scheme) { + smart_str_appends(dest, url_parts->scheme); + smart_str_appends(dest, "://"); + } else if (*(ZSTR_VAL(url->s)) == '/' && *(ZSTR_VAL(url->s)+1) == '/') { + smart_str_appends(dest, "//"); + } + if (url_parts->user) { + smart_str_appends(dest, url_parts->user); + if (url_parts->pass) { + smart_str_appends(dest, url_parts->pass); + smart_str_appendc(dest, ':'); + } + smart_str_appendc(dest, '@'); + } + if (url_parts->host) { + smart_str_appends(dest, url_parts->host); + } + if (url_parts->port) { + smart_str_appendc(dest, ':'); + smart_str_append_unsigned(dest, (long)url_parts->port); + } + if (url_parts->path) { + smart_str_appends(dest, url_parts->path); + } + smart_str_appendc(dest, '?'); + if (url_parts->query) { + smart_str_appends(dest, url_parts->query); + smart_str_appends(dest, separator); + smart_str_append_smart_str(dest, url_app); + } else { + smart_str_append_smart_str(dest, url_app); + } + if (url_parts->fragment) { + smart_str_appendc(dest, '#'); + smart_str_appends(dest, url_parts->fragment); + } + php_url_free(url_parts); } +enum { + TAG_NORMAL = 0, + TAG_FORM +}; + +enum { + ATTR_NORMAL = 0, + ATTR_ACTION +}; #undef YYFILL #undef YYCTYPE @@ -189,18 +296,24 @@ static inline void tag_arg(url_adapt_state_ex_t *ctx, char quotes, char type) { char f = 0; - if (strncasecmp(ZSTR_VAL(ctx->arg.s), ctx->lookup_data, ZSTR_LEN(ctx->arg.s)) == 0) + /* arg.s is string WITHOUT NUL. + To avoid partial match, NUL is added here */ + ZSTR_VAL(ctx->arg.s)[ZSTR_LEN(ctx->arg.s)] = '\0'; + if (!strcasecmp(ZSTR_VAL(ctx->arg.s), ctx->lookup_data)) { f = 1; + } - if (quotes) + if (quotes) { smart_str_appendc(&ctx->result, type); + } if (f) { append_modified_url(&ctx->val, &ctx->result, &ctx->url_app, PG(arg_separator).output); } else { smart_str_append_smart_str(&ctx->result, &ctx->val); } - if (quotes) + if (quotes) { smart_str_appendc(&ctx->result, type); + } } enum { @@ -234,11 +347,79 @@ static inline void passthru(STD_PARA) smart_str_appendl(&ctx->result, start, YYCURSOR - start); } + +static int check_http_host(char *target) +{ + zval *host, *tmp; + zend_string *host_tmp; + char *colon; + + if ((tmp = zend_hash_str_find(&EG(symbol_table), ZEND_STRL("_SERVER"))) && + (host = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("HTTP_HOST"))) && + Z_TYPE_P(host) == IS_STRING) { + host_tmp = zend_string_init(Z_STRVAL_P(host), Z_STRLEN_P(host), 0); + /* HTTP_HOST could be 'localhost:8888' etc. */ + colon = strchr(ZSTR_VAL(host_tmp), ':'); + if (colon) { + ZSTR_LEN(host_tmp) = colon - ZSTR_VAL(host_tmp); + ZSTR_VAL(host_tmp)[ZSTR_LEN(host_tmp)] = '\0'; + } + if (!strcasecmp(ZSTR_VAL(host_tmp), target)) { + zend_string_release(host_tmp); + return SUCCESS; + } + zend_string_release(host_tmp); + } + return FAILURE; +} + +static int check_host_whitelist(url_adapt_state_ex_t *ctx) +{ + php_url *url_parts = NULL; + HashTable *allowed_hosts = ctx->type ? &BG(url_adapt_session_hosts_ht) : &BG(url_adapt_output_hosts_ht); + + ZEND_ASSERT(ctx->tag_type == TAG_FORM); + + if (ctx->attr_val.s && ZSTR_LEN(ctx->attr_val.s)) { + url_parts = php_url_parse_ex(ZSTR_VAL(ctx->attr_val.s), ZSTR_LEN(ctx->attr_val.s)); + } else { + return SUCCESS; /* empty URL is valid */ + } + + if (!url_parts) { + return FAILURE; + } + if (url_parts->scheme) { + /* Only http/https should be handled. + A bit hacky check this here, but saves a URL parse. */ + if (strcasecmp(url_parts->scheme, "http") && + strcasecmp(url_parts->scheme, "https")) { + php_url_free(url_parts); + return FAILURE; + } + } + if (!url_parts->host) { + php_url_free(url_parts); + return SUCCESS; + } + if (!zend_hash_num_elements(allowed_hosts) && + check_http_host(url_parts->host) == SUCCESS) { + php_url_free(url_parts); + return SUCCESS; + } + if (!zend_hash_str_find(allowed_hosts, + url_parts->host, + strlen(url_parts->host))) { + php_url_free(url_parts); + return FAILURE; + } + php_url_free(url_parts); + return SUCCESS; +} + /* - * This function appends a hidden input field after a <form> or - * <fieldset>. The latter is important for XHTML. + * This function appends a hidden input field after a <form>. */ - static void handle_form(STD_PARA) { int doit = 0; @@ -246,32 +427,16 @@ static void handle_form(STD_PARA) if (ZSTR_LEN(ctx->form_app.s) > 0) { switch (ZSTR_LEN(ctx->tag.s)) { case sizeof("form") - 1: - if (!strncasecmp(ZSTR_VAL(ctx->tag.s), "form", sizeof("form") - 1)) { - doit = 1; - } - if (doit && ctx->val.s && ctx->lookup_data && *ctx->lookup_data) { - char *e, *p = (char *)zend_memnstr(ZSTR_VAL(ctx->val.s), "://", sizeof("://") - 1, ZSTR_VAL(ctx->val.s) + ZSTR_LEN(ctx->val.s)); - if (p) { - e = memchr(p, '/', (ZSTR_VAL(ctx->val.s) + ZSTR_LEN(ctx->val.s)) - p); - if (!e) { - e = ZSTR_VAL(ctx->val.s) + ZSTR_LEN(ctx->val.s); - } - if ((e - p) && strncasecmp(p, ctx->lookup_data, (e - p))) { - doit = 0; - } - } - } - break; - - case sizeof("fieldset") - 1: - if (!strncasecmp(ZSTR_VAL(ctx->tag.s), "fieldset", sizeof("fieldset") - 1)) { + if (!strncasecmp(ZSTR_VAL(ctx->tag.s), "form", ZSTR_LEN(ctx->tag.s)) + && check_host_whitelist(ctx) == SUCCESS) { doit = 1; } break; } + } - if (doit) - smart_str_append_smart_str(&ctx->result, &ctx->form_app); + if (doit) { + smart_str_append_smart_str(&ctx->result, &ctx->form_app); } } @@ -294,8 +459,15 @@ static inline void handle_tag(STD_PARA) for (i = 0; i < ZSTR_LEN(ctx->tag.s); i++) ZSTR_VAL(ctx->tag.s)[i] = tolower((int)(unsigned char)ZSTR_VAL(ctx->tag.s)[i]); /* intentionally using str_find here, in case the hash value is set, but the string val is changed later */ - if ((ctx->lookup_data = zend_hash_str_find_ptr(ctx->tags, ZSTR_VAL(ctx->tag.s), ZSTR_LEN(ctx->tag.s))) != NULL) + if ((ctx->lookup_data = zend_hash_str_find_ptr(ctx->tags, ZSTR_VAL(ctx->tag.s), ZSTR_LEN(ctx->tag.s))) != NULL) { ok = 1; + if (ZSTR_LEN(ctx->tag.s) == sizeof("form")-1 + && !strncasecmp(ZSTR_VAL(ctx->tag.s), "form", ZSTR_LEN(ctx->tag.s))) { + ctx->tag_type = TAG_FORM; + } else { + ctx->tag_type = TAG_NORMAL; + } + } STATE = ok ? STATE_NEXT_ARG : STATE_PLAIN; } @@ -305,11 +477,20 @@ static inline void handle_arg(STD_PARA) ZSTR_LEN(ctx->arg.s) = 0; } smart_str_appendl(&ctx->arg, start, YYCURSOR - start); + if (ctx->tag_type == TAG_FORM && + strncasecmp(ZSTR_VAL(ctx->arg.s), "action", ZSTR_LEN(ctx->arg.s)) == 0) { + ctx->attr_type = ATTR_ACTION; + } else { + ctx->attr_type = ATTR_NORMAL; + } } static inline void handle_val(STD_PARA, char quotes, char type) { smart_str_setl(&ctx->val, start + quotes, YYCURSOR - start - quotes * 2); + if (ctx->tag_type == TAG_FORM && ctx->attr_type == ATTR_ACTION) { + smart_str_setl(&ctx->attr_val, start + quotes, YYCURSOR - start - quotes * 2); + } tag_arg(ctx, quotes, type); } @@ -402,7 +583,7 @@ stop: } -PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, const char *name, const char *value, size_t *newlen, int urlencode) +PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, const char *name, const char *value, size_t *newlen, int encode) { char *result; smart_str surl = {0}; @@ -412,7 +593,7 @@ PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, co smart_str_appendl(&surl, url, urllen); - if (urlencode) { + if (encode) { encoded = php_raw_url_encode(name, strlen(name)); smart_str_appendl(&url_app, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); @@ -420,7 +601,7 @@ PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, co smart_str_appends(&url_app, name); } smart_str_appendc(&url_app, '='); - if (urlencode) { + if (encode) { encoded = php_raw_url_encode(value, strlen(value)); smart_str_appendl(&url_app, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); @@ -441,13 +622,10 @@ PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, co } -static char *url_adapt_ext(const char *src, size_t srclen, size_t *newlen, zend_bool do_flush) +static char *url_adapt_ext(const char *src, size_t srclen, size_t *newlen, zend_bool do_flush, url_adapt_state_ex_t *ctx) { - url_adapt_state_ex_t *ctx; char *retval; - ctx = &BG(url_adapt_state_ex); - xx_mainloop(ctx, src, srclen); if (!ctx->result.s) { @@ -462,50 +640,67 @@ static char *url_adapt_ext(const char *src, size_t srclen, size_t *newlen, zend_ *newlen += ZSTR_LEN(ctx->buf.s); smart_str_free(&ctx->buf); smart_str_free(&ctx->val); + smart_str_free(&ctx->attr_val); } retval = estrndup(ZSTR_VAL(ctx->result.s), ZSTR_LEN(ctx->result.s)); smart_str_free(&ctx->result); return retval; } -static int php_url_scanner_ex_activate(void) +static int php_url_scanner_ex_activate(int type) { url_adapt_state_ex_t *ctx; - ctx = &BG(url_adapt_state_ex); + if (type) { + ctx = &BG(url_adapt_session_ex); + } else { + ctx = &BG(url_adapt_output_ex); + } memset(ctx, 0, ((size_t) &((url_adapt_state_ex_t *)0)->tags)); return SUCCESS; } -static int php_url_scanner_ex_deactivate(void) +static int php_url_scanner_ex_deactivate(int type) { url_adapt_state_ex_t *ctx; - ctx = &BG(url_adapt_state_ex); + if (type) { + ctx = &BG(url_adapt_session_ex); + } else { + ctx = &BG(url_adapt_output_ex); + } smart_str_free(&ctx->result); smart_str_free(&ctx->buf); smart_str_free(&ctx->tag); smart_str_free(&ctx->arg); + smart_str_free(&ctx->attr_val); return SUCCESS; } -static void php_url_scanner_output_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode) +static inline void php_url_scanner_session_handler_impl(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode, int type) { size_t len; + url_adapt_state_ex_t *url_state; + + if (type) { + url_state = &BG(url_adapt_session_ex); + } else { + url_state = &BG(url_adapt_output_ex); + } - if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) != 0) { - *handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) (mode & (PHP_OUTPUT_HANDLER_END | PHP_OUTPUT_HANDLER_CONT | PHP_OUTPUT_HANDLER_FLUSH | PHP_OUTPUT_HANDLER_FINAL) ? 1 : 0)); + if (ZSTR_LEN(url_state->url_app.s) != 0) { + *handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) (mode & (PHP_OUTPUT_HANDLER_END | PHP_OUTPUT_HANDLER_CONT | PHP_OUTPUT_HANDLER_FLUSH | PHP_OUTPUT_HANDLER_FINAL) ? 1 : 0), url_state); if (sizeof(uint) < sizeof(size_t)) { if (len > UINT_MAX) len = UINT_MAX; } *handled_output_len = len; - } else if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) == 0) { - url_adapt_state_ex_t *ctx = &BG(url_adapt_state_ex); + } else if (ZSTR_LEN(url_state->url_app.s) == 0) { + url_adapt_state_ex_t *ctx = url_state; if (ctx->buf.s && ZSTR_LEN(ctx->buf.s)) { smart_str_append(&ctx->result, ctx->buf.s); smart_str_appendl(&ctx->result, output, output_len); @@ -523,68 +718,257 @@ static void php_url_scanner_output_handler(char *output, size_t output_len, char } } -PHPAPI int php_url_scanner_add_var(char *name, size_t name_len, char *value, size_t value_len, int urlencode) +static void php_url_scanner_session_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode) +{ + php_url_scanner_session_handler_impl(output, output_len, handled_output, handled_output_len, mode, 1); +} + +static void php_url_scanner_output_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode) +{ + php_url_scanner_session_handler_impl(output, output_len, handled_output, handled_output_len, mode, 0); +} + +static inline int php_url_scanner_add_var_impl(char *name, size_t name_len, char *value, size_t value_len, int encode, int type) { smart_str sname = {0}; smart_str svalue = {0}; + smart_str hname = {0}; + smart_str hvalue = {0}; zend_string *encoded; + url_adapt_state_ex_t *url_state; + php_output_handler_func_t handler; - if (!BG(url_adapt_state_ex).active) { - php_url_scanner_ex_activate(); - php_output_start_internal(ZEND_STRL("URL-Rewriter"), php_url_scanner_output_handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS); - BG(url_adapt_state_ex).active = 1; + if (type) { + url_state = &BG(url_adapt_session_ex); + handler = php_url_scanner_session_handler; + } else { + url_state = &BG(url_adapt_output_ex); + handler = php_url_scanner_output_handler; + } + + if (!url_state->active) { + php_url_scanner_ex_activate(type); + php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS); + url_state->active = 1; } - if (BG(url_adapt_state_ex).url_app.s && ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) != 0) { - smart_str_appends(&BG(url_adapt_state_ex).url_app, PG(arg_separator).output); + if (url_state->url_app.s && ZSTR_LEN(url_state->url_app.s) != 0) { + smart_str_appends(&url_state->url_app, PG(arg_separator).output); } - if (urlencode) { + if (encode) { encoded = php_raw_url_encode(name, name_len); - smart_str_appendl(&sname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); - zend_string_free(encoded); + smart_str_appendl(&sname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); encoded = php_raw_url_encode(value, value_len); - smart_str_appendl(&svalue, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); - zend_string_free(encoded); + smart_str_appendl(&svalue, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); + encoded = php_escape_html_entities_ex((unsigned char*)name, name_len, 0, ENT_QUOTES|ENT_SUBSTITUTE, SG(default_charset), 0); + smart_str_appendl(&hname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); + encoded = php_escape_html_entities_ex((unsigned char*)value, value_len, 0, ENT_QUOTES|ENT_SUBSTITUTE, SG(default_charset), 0); + smart_str_appendl(&hvalue, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded); } else { smart_str_appendl(&sname, name, name_len); smart_str_appendl(&svalue, value, value_len); + smart_str_appendl(&hname, name, name_len); + smart_str_appendl(&hvalue, value, value_len); } - smart_str_append_smart_str(&BG(url_adapt_state_ex).url_app, &sname); - smart_str_appendc(&BG(url_adapt_state_ex).url_app, '='); - smart_str_append_smart_str(&BG(url_adapt_state_ex).url_app, &svalue); + smart_str_append_smart_str(&url_state->url_app, &sname); + smart_str_appendc(&url_state->url_app, '='); + smart_str_append_smart_str(&url_state->url_app, &svalue); - smart_str_appends(&BG(url_adapt_state_ex).form_app, "<input type=\"hidden\" name=\""); - smart_str_append_smart_str(&BG(url_adapt_state_ex).form_app, &sname); - smart_str_appends(&BG(url_adapt_state_ex).form_app, "\" value=\""); - smart_str_append_smart_str(&BG(url_adapt_state_ex).form_app, &svalue); - smart_str_appends(&BG(url_adapt_state_ex).form_app, "\" />"); + smart_str_appends(&url_state->form_app, "<input type=\"hidden\" name=\""); + smart_str_append_smart_str(&url_state->form_app, &hname); + smart_str_appends(&url_state->form_app, "\" value=\""); + smart_str_append_smart_str(&url_state->form_app, &hvalue); + smart_str_appends(&url_state->form_app, "\" />"); smart_str_free(&sname); smart_str_free(&svalue); + smart_str_free(&hname); + smart_str_free(&hvalue); return SUCCESS; } -PHPAPI int php_url_scanner_reset_vars(void) + +PHPAPI int php_url_scanner_add_session_var(char *name, size_t name_len, char *value, size_t value_len, int encode) +{ + return php_url_scanner_add_var_impl(name, name_len, value, value_len, encode, 1); +} + + +PHPAPI int php_url_scanner_add_var(char *name, size_t name_len, char *value, size_t value_len, int encode) { - if (BG(url_adapt_state_ex).form_app.s) { - ZSTR_LEN(BG(url_adapt_state_ex).form_app.s) = 0; + return php_url_scanner_add_var_impl(name, name_len, value, value_len, encode, 0); +} + + +static inline void php_url_scanner_reset_vars_impl(int type) { + url_adapt_state_ex_t *url_state; + + if (type) { + url_state = &BG(url_adapt_session_ex); + } else { + url_state = &BG(url_adapt_output_ex); + } + + if (url_state->form_app.s) { + ZSTR_LEN(url_state->form_app.s) = 0; } - if (BG(url_adapt_state_ex).url_app.s) { - ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) = 0; + if (url_state->url_app.s) { + ZSTR_LEN(url_state->url_app.s) = 0; } +} + +PHPAPI int php_url_scanner_reset_session_vars(void) +{ + php_url_scanner_reset_vars_impl(1); return SUCCESS; } -PHP_MINIT_FUNCTION(url_scanner) + +PHPAPI int php_url_scanner_reset_vars(void) +{ + php_url_scanner_reset_vars_impl(0); + return SUCCESS; +} + + +static inline int php_url_scanner_reset_var_impl(zend_string *name, int encode, int type) +{ + char *start, *end, *limit; + size_t separator_len; + smart_str sname = {0}; + smart_str hname = {0}; + smart_str url_app = {0}; + smart_str form_app = {0}; + zend_string *encoded; + int ret = SUCCESS; + zend_bool sep_removed = 0; + url_adapt_state_ex_t *url_state; + + if (type) { + url_state = &BG(url_adapt_session_ex); + } else { + url_state = &BG(url_adapt_output_ex); + } + + /* Short circuit check. Only check url_app. */ + if (!url_state->url_app.s || !ZSTR_LEN(url_state->url_app.s)) { + return SUCCESS; + } + + if (encode) { + encoded = php_raw_url_encode(ZSTR_VAL(name), ZSTR_LEN(name)); + smart_str_appendl(&sname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); + zend_string_free(encoded); + encoded = php_escape_html_entities_ex((unsigned char *)ZSTR_VAL(name), ZSTR_LEN(name), 0, ENT_QUOTES|ENT_SUBSTITUTE, SG(default_charset), 0); + smart_str_appendl(&hname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); + zend_string_free(encoded); + } else { + smart_str_appendl(&sname, ZSTR_VAL(name), ZSTR_LEN(name)); + smart_str_appendl(&hname, ZSTR_VAL(name), ZSTR_LEN(name)); + } + smart_str_0(&sname); + smart_str_0(&hname); + + smart_str_append_smart_str(&url_app, &sname); + smart_str_appendc(&url_app, '='); + smart_str_0(&url_app); + + smart_str_appends(&form_app, "<input type=\"hidden\" name=\""); + smart_str_append_smart_str(&form_app, &hname); + smart_str_appends(&form_app, "\" value=\""); + smart_str_0(&form_app); + + /* Short circuit check. Only check url_app. */ + start = (char *) php_memnstr(ZSTR_VAL(url_state->url_app.s), + ZSTR_VAL(url_app.s), ZSTR_LEN(url_app.s), + ZSTR_VAL(url_state->url_app.s) + ZSTR_LEN(url_state->url_app.s)); + if (!start) { + ret = FAILURE; + goto finish; + } + + /* Get end of url var */ + limit = ZSTR_VAL(url_state->url_app.s) + ZSTR_LEN(url_state->url_app.s); + end = start + ZSTR_LEN(url_app.s); + separator_len = strlen(PG(arg_separator).output); + while (end < limit) { + if (!memcmp(end, PG(arg_separator).output, separator_len)) { + end += separator_len; + sep_removed = 1; + break; + } + end++; + } + /* Remove all when this is the only rewrite var */ + if (ZSTR_LEN(url_state->url_app.s) == end - start) { + php_url_scanner_reset_vars_impl(type); + goto finish; + } + /* Check preceeding separator */ + if (!sep_removed + && start - PG(arg_separator).output >= separator_len + && !memcmp(start - separator_len, PG(arg_separator).output, separator_len)) { + start -= separator_len; + } + /* Remove partially */ + memmove(start, end, + ZSTR_LEN(url_state->url_app.s) - (end - ZSTR_VAL(url_state->url_app.s))); + ZSTR_LEN(url_state->url_app.s) -= end - start; + ZSTR_VAL(url_state->url_app.s)[ZSTR_LEN(url_state->url_app.s)] = '\0'; + + /* Remove form var */ + start = (char *) php_memnstr(ZSTR_VAL(url_state->form_app.s), + ZSTR_VAL(form_app.s), ZSTR_LEN(form_app.s), + ZSTR_VAL(url_state->form_app.s) + ZSTR_LEN(url_state->form_app.s)); + if (!start) { + /* Should not happen */ + ret = FAILURE; + php_url_scanner_reset_vars_impl(type); + goto finish; + } + /* Get end of form var */ + limit = ZSTR_VAL(url_state->form_app.s) + ZSTR_LEN(url_state->form_app.s); + end = start + ZSTR_LEN(form_app.s); + while (end < limit) { + if (*end == '>') { + end += 1; + break; + } + end++; + } + /* Remove partially */ + memmove(start, end, + ZSTR_LEN(url_state->form_app.s) - (end - ZSTR_VAL(url_state->form_app.s))); + ZSTR_LEN(url_state->form_app.s) -= end - start; + ZSTR_VAL(url_state->form_app.s)[ZSTR_LEN(url_state->form_app.s)] = '\0'; + +finish: + smart_str_free(&url_app); + smart_str_free(&form_app); + smart_str_free(&sname); + smart_str_free(&hname); + return ret; +} + + +PHPAPI int php_url_scanner_reset_session_var(zend_string *name, int encode) +{ + return php_url_scanner_reset_var_impl(name, encode, 1); +} + + +PHPAPI int php_url_scanner_reset_var(zend_string *name, int encode) { - BG(url_adapt_state_ex).tags = NULL; + return php_url_scanner_reset_var_impl(name, encode, 0); +} - BG(url_adapt_state_ex).form_app.s = BG(url_adapt_state_ex).url_app.s = NULL; +PHP_MINIT_FUNCTION(url_scanner) +{ REGISTER_INI_ENTRIES(); return SUCCESS; } @@ -598,20 +982,34 @@ PHP_MSHUTDOWN_FUNCTION(url_scanner) PHP_RINIT_FUNCTION(url_scanner) { - BG(url_adapt_state_ex).active = 0; - + BG(url_adapt_session_ex).active = 0; + BG(url_adapt_session_ex).tag_type = 0; + BG(url_adapt_session_ex).attr_type = 0; + BG(url_adapt_output_ex).active = 0; + BG(url_adapt_output_ex).tag_type = 0; + BG(url_adapt_output_ex).attr_type = 0; return SUCCESS; } PHP_RSHUTDOWN_FUNCTION(url_scanner) { - if (BG(url_adapt_state_ex).active) { - php_url_scanner_ex_deactivate(); - BG(url_adapt_state_ex).active = 0; + if (BG(url_adapt_session_ex).active) { + php_url_scanner_ex_deactivate(1); + BG(url_adapt_session_ex).active = 0; + BG(url_adapt_session_ex).tag_type = 0; + BG(url_adapt_session_ex).attr_type = 0; } - - smart_str_free(&BG(url_adapt_state_ex).form_app); - smart_str_free(&BG(url_adapt_state_ex).url_app); + smart_str_free(&BG(url_adapt_session_ex).form_app); + smart_str_free(&BG(url_adapt_session_ex).url_app); + + if (BG(url_adapt_output_ex).active) { + php_url_scanner_ex_deactivate(0); + BG(url_adapt_output_ex).active = 0; + BG(url_adapt_output_ex).tag_type = 0; + BG(url_adapt_output_ex).attr_type = 0; + } + smart_str_free(&BG(url_adapt_output_ex).form_app); + smart_str_free(&BG(url_adapt_output_ex).url_app); return SUCCESS; } |