/* +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ | Copyright (c) 1997-2013 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | | available through the world-wide-web at the following url: | | http://www.php.net/license/3_01.txt | | If you did not receive a copy of the PHP license and are unable to | | obtain it through the world-wide-web, please send a note to | | license@php.net so we can mail you a copy immediately. | +----------------------------------------------------------------------+ | Authors: Rasmus Lerdorf | | Zeev Suraski | +----------------------------------------------------------------------+ */ /* $Id$ */ #include #include "php.h" #include "ext/standard/php_standard.h" #include "ext/standard/credits.h" #include "php_variables.h" #include "php_globals.h" #include "php_content_types.h" #include "SAPI.h" #include "php_logos.h" #include "zend_globals.h" /* for systems that need to override reading of environment variables */ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC); PHPAPI void (*php_import_environment_variables)(zval *array_ptr TSRMLS_DC) = _php_import_environment_variables; PHPAPI void php_register_variable(char *var, char *strval, zval *track_vars_array TSRMLS_DC) { php_register_variable_safe(var, strval, strlen(strval), track_vars_array TSRMLS_CC); } /* binary-safe version */ PHPAPI void php_register_variable_safe(char *var, char *strval, int str_len, zval *track_vars_array TSRMLS_DC) { zval new_entry; assert(strval != NULL); /* Prepare value */ Z_STRLEN(new_entry) = str_len; if (PG(magic_quotes_gpc)) { Z_STRVAL(new_entry) = php_addslashes(strval, Z_STRLEN(new_entry), &Z_STRLEN(new_entry), 0 TSRMLS_CC); } else { Z_STRVAL(new_entry) = estrndup(strval, Z_STRLEN(new_entry)); } Z_TYPE(new_entry) = IS_STRING; php_register_variable_ex(var, &new_entry, track_vars_array TSRMLS_CC); } PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array TSRMLS_DC) { char *p = NULL; char *ip; /* index pointer */ char *index, *escaped_index = NULL; char *var, *var_orig; int var_len, index_len; zval *gpc_element, **gpc_element_p; zend_bool is_array = 0; HashTable *symtable1 = NULL; assert(var_name != NULL); if (track_vars_array) { symtable1 = Z_ARRVAL_P(track_vars_array); } else if (PG(register_globals)) { if (!EG(active_symbol_table)) { zend_rebuild_symbol_table(TSRMLS_C); } symtable1 = EG(active_symbol_table); } if (!symtable1) { /* Nothing to do */ zval_dtor(val); return; } /* * Prepare variable name */ var_orig = estrdup(var_name); var = var_orig; /* ignore leading spaces in the variable name */ while (*var && *var==' ') { var++; } /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ for (p = var; *p; p++) { if (*p == ' ' || *p == '.') { *p='_'; } else if (*p == '[') { is_array = 1; ip = p; *p = 0; break; } } var_len = p - var; if (var_len==0) { /* empty variable name, or variable name with a space in it */ zval_dtor(val); efree(var_orig); return; } /* GLOBALS hijack attempt, reject parameter */ if (symtable1 == EG(active_symbol_table) && var_len == sizeof("GLOBALS")-1 && !memcmp(var, "GLOBALS", sizeof("GLOBALS")-1)) { zval_dtor(val); efree(var_orig); return; } index = var; index_len = var_len; if (is_array) { int nest_level = 0; while (1) { char *index_s; int new_idx_len = 0; if(++nest_level > PG(max_input_nesting_level)) { HashTable *ht; /* too many levels of nesting */ if (track_vars_array) { ht = Z_ARRVAL_P(track_vars_array); zend_symtable_del(ht, var, var_len + 1); } else if (PG(register_globals)) { ht = EG(active_symbol_table); zend_symtable_del(ht, var, var_len + 1); } zval_dtor(val); /* do not output the error message to the screen, this helps us to to avoid "information disclosure" */ if (!PG(display_errors)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variable nesting level exceeded %ld. To increase the limit change max_input_nesting_level in php.ini.", PG(max_input_nesting_level)); } efree(var_orig); return; } ip++; index_s = ip; if (isspace(*ip)) { ip++; } if (*ip==']') { index_s = NULL; } else { ip = strchr(ip, ']'); if (!ip) { /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */ *(index_s - 1) = '_'; index_len = 0; if (index) { index_len = strlen(index); } goto plain_var; return; } *ip = 0; new_idx_len = strlen(index_s); } if (!index) { MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { zval_ptr_dtor(&gpc_element); zval_dtor(val); efree(var_orig); return; } } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); } else { escaped_index = index; } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (index != escaped_index) { efree(escaped_index); } } symtable1 = Z_ARRVAL_PP(gpc_element_p); /* ip pointed to the '[' character, now obtain the key */ index = index_s; index_len = new_idx_len; ip++; if (*ip == '[') { is_array = 1; *ip = 0; } else { goto plain_var; } } } else { plain_var: MAKE_STD_ZVAL(gpc_element); gpc_element->value = val->value; Z_TYPE_P(gpc_element) = Z_TYPE_P(val); if (!index) { if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) { zval_ptr_dtor(&gpc_element); } } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); } else { escaped_index = index; } /* * According to rfc2965, more specific paths are listed above the less specific ones. * If we encounter a duplicate cookie name, we should skip it, since it is not possible * to have the same (plain text) cookie name for the same path and we should not overwrite * more specific cookies with the less specific ones. */ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (escaped_index != index) { efree(escaped_index); } } } efree(var_orig); } SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler) { char *var, *val, *e, *s, *p; zval *array_ptr = (zval *) arg; long count = 0; if (SG(request_info).post_data == NULL) { return; } s = SG(request_info).post_data; e = s + SG(request_info).post_data_length; while (s < e && (p = memchr(s, '&', (e - s)))) { last_value: if ((val = memchr(s, '=', (p - s)))) { /* have a value */ unsigned int val_len, new_val_len; if (++count > PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); return; } var = s; php_url_decode(var, (val - s)); val++; val_len = php_url_decode(val, (p - val)); val = estrndup(val, val_len); if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC); } efree(val); } s = p + 1; } if (s < e) { p = e; goto last_value; } } SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter) { /* TODO: check .ini setting here and apply user-defined input filter */ if(new_val_len) *new_val_len = val_len; return 1; } SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data) { char *res = NULL, *var, *val, *separator = NULL; const char *c_var; zval *array_ptr; int free_buffer = 0; char *strtok_buf = NULL; long count = 0; switch (arg) { case PARSE_POST: case PARSE_GET: case PARSE_COOKIE: ALLOC_ZVAL(array_ptr); array_init(array_ptr); INIT_PZVAL(array_ptr); switch (arg) { case PARSE_POST: if (PG(http_globals)[TRACK_VARS_POST]) { zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]); } PG(http_globals)[TRACK_VARS_POST] = array_ptr; break; case PARSE_GET: if (PG(http_globals)[TRACK_VARS_GET]) { zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_GET]); } PG(http_globals)[TRACK_VARS_GET] = array_ptr; break; case PARSE_COOKIE: if (PG(http_globals)[TRACK_VARS_COOKIE]) { zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_COOKIE]); } PG(http_globals)[TRACK_VARS_COOKIE] = array_ptr; break; } break; default: array_ptr = destArray; break; } if (arg == PARSE_POST) { sapi_handle_post(array_ptr TSRMLS_CC); return; } if (arg == PARSE_GET) { /* GET data */ c_var = SG(request_info).query_string; if (c_var && *c_var) { res = (char *) estrdup(c_var); free_buffer = 1; } else { free_buffer = 0; } } else if (arg == PARSE_COOKIE) { /* Cookie data */ c_var = SG(request_info).cookie_data; if (c_var && *c_var) { res = (char *) estrdup(c_var); free_buffer = 1; } else { free_buffer = 0; } } else if (arg == PARSE_STRING) { /* String data */ res = str; free_buffer = 1; } if (!res) { return; } switch (arg) { case PARSE_GET: case PARSE_STRING: separator = (char *) estrdup(PG(arg_separator).input); break; case PARSE_COOKIE: separator = ";\0"; break; } var = php_strtok_r(res, separator, &strtok_buf); while (var) { val = strchr(var, '='); if (arg == PARSE_COOKIE) { /* Remove leading spaces from cookie names, needed for multi-cookie header where ; can be followed by a space */ while (isspace(*var)) { var++; } if (var == val || *var == '\0') { goto next_cookie; } } if (++count > PG(max_input_vars)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); break; } if (val) { /* have a value */ int val_len; unsigned int new_val_len; *val++ = '\0'; php_url_decode(var, strlen(var)); val_len = php_url_decode(val, strlen(val)); val = estrndup(val, val_len); if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC); } efree(val); } else { int val_len; unsigned int new_val_len; php_url_decode(var, strlen(var)); val_len = 0; val = estrndup("", val_len); if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) { php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC); } efree(val); } next_cookie: var = php_strtok_r(NULL, separator, &strtok_buf); } if (arg != PARSE_COOKIE) { efree(separator); } if (free_buffer) { efree(res); } } void _php_import_environment_variables(zval *array_ptr TSRMLS_DC) { char buf[128]; char **env, *p, *t = buf; size_t alloc_size = sizeof(buf); unsigned long nlen; /* ptrdiff_t is not portable */ /* turn off magic_quotes while importing environment variables */ int magic_quotes_gpc = PG(magic_quotes_gpc); if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } for (env = environ; env != NULL && *env != NULL; env++) { p = strchr(*env, '='); if (!p) { /* malformed entry? */ continue; } nlen = p - *env; if (nlen >= alloc_size) { alloc_size = nlen + 64; t = (t == buf ? emalloc(alloc_size): erealloc(t, alloc_size)); } memcpy(t, *env, nlen); t[nlen] = '\0'; php_register_variable(t, p + 1, array_ptr TSRMLS_CC); } if (t != buf && t != NULL) { efree(t); } if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } } zend_bool php_std_auto_global_callback(char *name, uint name_len TSRMLS_DC) { zend_printf("%s\n", name); return 0; /* don't rearm */ } /* {{{ php_build_argv */ static void php_build_argv(char *s, zval *track_vars_array TSRMLS_DC) { zval *arr, *argc, *tmp; int count = 0; char *ss, *space; if (!(PG(register_globals) || SG(request_info).argc || track_vars_array)) { return; } ALLOC_INIT_ZVAL(arr); array_init(arr); /* Prepare argv */ if (SG(request_info).argc) { /* are we in cli sapi? */ int i; for (i = 0; i < SG(request_info).argc; i++) { ALLOC_ZVAL(tmp); Z_TYPE_P(tmp) = IS_STRING; Z_STRLEN_P(tmp) = strlen(SG(request_info).argv[i]); Z_STRVAL_P(tmp) = estrndup(SG(request_info).argv[i], Z_STRLEN_P(tmp)); INIT_PZVAL(tmp); if (zend_hash_next_index_insert(Z_ARRVAL_P(arr), &tmp, sizeof(zval *), NULL) == FAILURE) { if (Z_TYPE_P(tmp) == IS_STRING) { efree(Z_STRVAL_P(tmp)); } } } } else if (s && *s) { ss = s; while (ss) { space = strchr(ss, '+'); if (space) { *space = '\0'; } /* auto-type */ ALLOC_ZVAL(tmp); Z_TYPE_P(tmp) = IS_STRING; Z_STRLEN_P(tmp) = strlen(ss); Z_STRVAL_P(tmp) = estrndup(ss, Z_STRLEN_P(tmp)); INIT_PZVAL(tmp); count++; if (zend_hash_next_index_insert(Z_ARRVAL_P(arr), &tmp, sizeof(zval *), NULL) == FAILURE) { if (Z_TYPE_P(tmp) == IS_STRING) { efree(Z_STRVAL_P(tmp)); } } if (space) { *space = '+'; ss = space + 1; } else { ss = space; } } } /* prepare argc */ ALLOC_INIT_ZVAL(argc); if (SG(request_info).argc) { Z_LVAL_P(argc) = SG(request_info).argc; } else { Z_LVAL_P(argc) = count; } Z_TYPE_P(argc) = IS_LONG; if (PG(register_globals) || SG(request_info).argc) { Z_ADDREF_P(arr); Z_ADDREF_P(argc); zend_hash_update(&EG(symbol_table), "argv", sizeof("argv"), &arr, sizeof(zval *), NULL); zend_hash_add(&EG(symbol_table), "argc", sizeof("argc"), &argc, sizeof(zval *), NULL); } if (track_vars_array) { Z_ADDREF_P(arr); Z_ADDREF_P(argc); zend_hash_update(Z_ARRVAL_P(track_vars_array), "argv", sizeof("argv"), &arr, sizeof(zval *), NULL); zend_hash_update(Z_ARRVAL_P(track_vars_array), "argc", sizeof("argc"), &argc, sizeof(zval *), NULL); } zval_ptr_dtor(&arr); zval_ptr_dtor(&argc); } /* }}} */ /* {{{ php_handle_special_queries */ PHPAPI int php_handle_special_queries(TSRMLS_D) { if (PG(expose_php) && SG(request_info).query_string && SG(request_info).query_string[0] == '=') { if (php_info_logos(SG(request_info).query_string + 1 TSRMLS_CC)) { return 1; } else if (!strcmp(SG(request_info).query_string + 1, PHP_CREDITS_GUID)) { php_print_credits(PHP_CREDITS_ALL TSRMLS_CC); return 1; } } return 0; } /* }}} */ /* {{{ php_register_server_variables */ static inline void php_register_server_variables(TSRMLS_D) { zval *array_ptr = NULL; /* turn off magic_quotes while importing server variables */ int magic_quotes_gpc = PG(magic_quotes_gpc); ALLOC_ZVAL(array_ptr); array_init(array_ptr); INIT_PZVAL(array_ptr); if (PG(http_globals)[TRACK_VARS_SERVER]) { zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); } PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } /* Server variables */ if (sapi_module.register_server_variables) { sapi_module.register_server_variables(array_ptr TSRMLS_CC); } /* PHP Authentication support */ if (SG(request_info).auth_user) { php_register_variable("PHP_AUTH_USER", SG(request_info).auth_user, array_ptr TSRMLS_CC); } if (SG(request_info).auth_password) { php_register_variable("PHP_AUTH_PW", SG(request_info).auth_password, array_ptr TSRMLS_CC); } if (SG(request_info).auth_digest) { php_register_variable("PHP_AUTH_DIGEST", SG(request_info).auth_digest, array_ptr TSRMLS_CC); } /* store request init time */ { zval new_entry; Z_TYPE(new_entry) = IS_LONG; Z_LVAL(new_entry) = sapi_get_request_time(TSRMLS_C); php_register_variable_ex("REQUEST_TIME", &new_entry, array_ptr TSRMLS_CC); } if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } } /* }}} */ /* {{{ php_autoglobal_merge */ static void php_autoglobal_merge(HashTable *dest, HashTable *src TSRMLS_DC) { zval **src_entry, **dest_entry; char *string_key; uint string_key_len; ulong num_key; HashPosition pos; int key_type; int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table)))); zend_hash_internal_pointer_reset_ex(src, &pos); while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) { key_type = zend_hash_get_current_key_ex(src, &string_key, &string_key_len, &num_key, 0, &pos); if (Z_TYPE_PP(src_entry) != IS_ARRAY || (key_type == HASH_KEY_IS_STRING && zend_hash_find(dest, string_key, string_key_len, (void **) &dest_entry) != SUCCESS) || (key_type == HASH_KEY_IS_LONG && zend_hash_index_find(dest, num_key, (void **)&dest_entry) != SUCCESS) || Z_TYPE_PP(dest_entry) != IS_ARRAY ) { Z_ADDREF_PP(src_entry); if (key_type == HASH_KEY_IS_STRING) { /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) { zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL); } else { Z_DELREF_PP(src_entry); } } else { zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL); } } else { SEPARATE_ZVAL(dest_entry); php_autoglobal_merge(Z_ARRVAL_PP(dest_entry), Z_ARRVAL_PP(src_entry) TSRMLS_CC); } zend_hash_move_forward_ex(src, &pos); } } /* }}} */ static zend_bool php_auto_globals_create_server(char *name, uint name_len TSRMLS_DC); static zend_bool php_auto_globals_create_env(char *name, uint name_len TSRMLS_DC); static zend_bool php_auto_globals_create_request(char *name, uint name_len TSRMLS_DC); /* {{{ php_hash_environment */ int php_hash_environment(TSRMLS_D) { char *p; unsigned char _gpc_flags[5] = {0, 0, 0, 0, 0}; zend_bool jit_initialization = (PG(auto_globals_jit) && !PG(register_globals) && !PG(register_long_arrays)); struct auto_global_record { char *name; uint name_len; char *long_name; uint long_name_len; zend_bool jit_initialization; } auto_global_records[] = { { "_POST", sizeof("_POST"), "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), 0 }, { "_GET", sizeof("_GET"), "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), 0 }, { "_COOKIE", sizeof("_COOKIE"), "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), 0 }, { "_SERVER", sizeof("_SERVER"), "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), 1 }, { "_ENV", sizeof("_ENV"), "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), 1 }, { "_FILES", sizeof("_FILES"), "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), 0 }, }; size_t num_track_vars = sizeof(auto_global_records)/sizeof(struct auto_global_record); size_t i; /* jit_initialization = 0; */ for (i=0; i