xref: /php-src/ext/standard/url_scanner_ex.re (revision c5bce0d8)
1/*
2  +----------------------------------------------------------------------+
3  | Copyright (c) The PHP Group                                          |
4  +----------------------------------------------------------------------+
5  | This source file is subject to version 3.01 of the PHP license,      |
6  | that is bundled with this package in the file LICENSE, and is        |
7  | available through the world-wide-web at the following url:           |
8  | https://www.php.net/license/3_01.txt                                 |
9  | If you did not receive a copy of the PHP license and are unable to   |
10  | obtain it through the world-wide-web, please send a note to          |
11  | license@php.net so we can mail you a copy immediately.               |
12  +----------------------------------------------------------------------+
13  | Author: Sascha Schumann <sascha@schumann.cx>                         |
14  |         Yasuo Ohgaki <yohgaki@ohgaki.net>                            |
15  +----------------------------------------------------------------------+
16*/
17
18#include "php.h"
19
20#ifdef HAVE_UNISTD_H
21#include <unistd.h>
22#endif
23
24#include <limits.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
28
29#include "SAPI.h"
30#include "php_ini.h"
31#include "php_globals.h"
32#include "php_string.h"
33#define STATE_TAG SOME_OTHER_STATE_TAG
34#include "basic_functions.h"
35#include "url.h"
36#include "html.h"
37#undef STATE_TAG
38
39#define url_scanner url_scanner_ex
40
41#include "zend_smart_str.h"
42
43static void tag_dtor(zval *zv)
44{
45	free(Z_PTR_P(zv));
46}
47
48static zend_result php_ini_on_update_tags(zend_ini_entry *entry, zend_string *new_value, void *mh_arg1, void *mh_arg2, void *mh_arg3, int stage, bool is_session)
49{
50	url_adapt_state_ex_t *ctx;
51	char *key;
52	char *tmp;
53	char *lasts = NULL;
54
55	if (is_session) {
56		ctx = &BG(url_adapt_session_ex);
57	} else {
58		ctx = &BG(url_adapt_output_ex);
59	}
60
61	tmp = estrndup(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
62
63	if (ctx->tags)
64		zend_hash_destroy(ctx->tags);
65	else {
66		ctx->tags = malloc(sizeof(HashTable));
67		if (!ctx->tags) {
68			efree(tmp);
69			return FAILURE;
70		}
71	}
72
73	zend_hash_init(ctx->tags, 0, NULL, tag_dtor, 1);
74
75	for (key = php_strtok_r(tmp, ",", &lasts);
76		 key;
77		 key = php_strtok_r(NULL, ",", &lasts)) {
78		char *val;
79
80		val = strchr(key, '=');
81		if (val) {
82			char *q;
83			size_t keylen;
84			zend_string *str;
85
86			*val++ = '\0';
87			for (q = key; *q; q++) {
88				*q = tolower(*q);
89			}
90			keylen = q - key;
91			str = zend_string_init(key, keylen, 1);
92			GC_MAKE_PERSISTENT_LOCAL(str);
93			zend_hash_add_mem(ctx->tags, str, val, strlen(val)+1);
94			zend_string_release_ex(str, 1);
95		}
96	}
97
98	efree(tmp);
99
100	return SUCCESS;
101}
102
103static PHP_INI_MH(OnUpdateSessionTags)
104{
105	if (!zend_string_starts_with_literal(new_value, "a=href,area=href,frame=src,form=")) {
106		php_error_docref("session.configuration", E_DEPRECATED, "Usage of session.trans_sid_tags INI setting is deprecated");
107	}
108	return php_ini_on_update_tags(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, /* is_session */ true);
109}
110
111static PHP_INI_MH(OnUpdateOutputTags)
112{
113	return php_ini_on_update_tags(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, /* is_session */ false);
114}
115
116static zend_result php_ini_on_update_hosts(zend_ini_entry *entry, zend_string *new_value, void *mh_arg1, void *mh_arg2, void *mh_arg3, int stage, bool is_session)
117{
118	HashTable *hosts;
119	char *key;
120	char *tmp;
121	char *lasts = NULL;
122
123	if (is_session) {
124		hosts = &BG(url_adapt_session_hosts_ht);
125	} else {
126		hosts = &BG(url_adapt_output_hosts_ht);
127	}
128	zend_hash_clean(hosts);
129
130	/* Use user supplied host whitelist */
131	tmp = estrndup(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
132	for (key = php_strtok_r(tmp, ",", &lasts);
133		 key;
134		 key = php_strtok_r(NULL, ",", &lasts)) {
135		size_t keylen;
136		zend_string *tmp_key;
137		char *q;
138
139		for (q = key; *q; q++) {
140			*q = tolower(*q);
141		}
142		keylen = q - key;
143		if (keylen > 0) {
144			/* Note: the hash table is persistently allocated, so the strings must be too! */
145			tmp_key = zend_string_init(key, keylen, true);
146			GC_MAKE_PERSISTENT_LOCAL(tmp_key);
147			zend_hash_add_empty_element(hosts, tmp_key);
148			zend_string_release_ex(tmp_key, true);
149		}
150	}
151	efree(tmp);
152
153	return SUCCESS;
154}
155
156static PHP_INI_MH(OnUpdateSessionHosts)
157{
158	if (ZSTR_LEN(new_value) != 0) {
159		php_error_docref("session.configuration", E_DEPRECATED, "Usage of session.trans_sid_hosts INI setting is deprecated");
160	}
161	return php_ini_on_update_hosts(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, /* is_session */ true);
162}
163
164static PHP_INI_MH(OnUpdateOutputHosts)
165{
166	return php_ini_on_update_hosts(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage, /* is_session */ false);
167}
168
169/* FIXME: OnUpdate*Hosts cannot set default to $_SERVER['HTTP_HOST'] at startup */
170PHP_INI_BEGIN()
171	STD_PHP_INI_ENTRY("session.trans_sid_tags", "a=href,area=href,frame=src,form=", PHP_INI_ALL, OnUpdateSessionTags, url_adapt_session_ex, php_basic_globals, basic_globals)
172	STD_PHP_INI_ENTRY("session.trans_sid_hosts", "", PHP_INI_ALL, OnUpdateSessionHosts, url_adapt_session_hosts_ht, php_basic_globals, basic_globals)
173	STD_PHP_INI_ENTRY("url_rewriter.tags", "form=", PHP_INI_ALL, OnUpdateOutputTags, url_adapt_session_ex, php_basic_globals, basic_globals)
174	STD_PHP_INI_ENTRY("url_rewriter.hosts", "", PHP_INI_ALL, OnUpdateOutputHosts, url_adapt_session_hosts_ht, php_basic_globals, basic_globals)
175PHP_INI_END()
176
177/*!re2c
178any = [\000-\377];
179N = (any\[<]);
180alpha = [a-zA-Z];
181alphanamespace = [a-zA-Z:];
182alphadash = ([a-zA-Z] | "-");
183*/
184
185#define YYFILL(n) goto done
186#define YYCTYPE unsigned char
187#define YYCURSOR p
188#define YYLIMIT q
189#define YYMARKER r
190
191static inline void append_modified_url(smart_str *url, smart_str *dest, smart_str *url_app, const char *separator, int type)
192{
193	php_url *url_parts;
194
195	smart_str_0(url); /* FIXME: Bug #70480 php_url_parse_ex() crashes by processing chars exceed len */
196	url_parts = php_url_parse_ex(ZSTR_VAL(url->s), ZSTR_LEN(url->s));
197
198	/* Ignore malformed URLs */
199	if (!url_parts) {
200		smart_str_append_smart_str(dest, url);
201		return;
202	}
203
204	/* Don't modify URLs of the format "#mark" */
205	if (url_parts->fragment && '#' == ZSTR_VAL(url->s)[0]) {
206		smart_str_append_smart_str(dest, url);
207		php_url_free(url_parts);
208		return;
209	}
210
211	/* Check protocol. Only http/https is allowed. */
212	if (url_parts->scheme
213		&& !zend_string_equals_literal_ci(url_parts->scheme, "http")
214		&& !zend_string_equals_literal_ci(url_parts->scheme, "https")) {
215		smart_str_append_smart_str(dest, url);
216		php_url_free(url_parts);
217		return;
218	}
219
220	/* Check host whitelist. If it's not listed, do nothing. */
221	if (url_parts->host) {
222		zend_string *tmp = zend_string_tolower(url_parts->host);
223		HashTable *allowed_hosts = type ? &BG(url_adapt_session_hosts_ht) : &BG(url_adapt_output_hosts_ht);
224		if (!zend_hash_exists(allowed_hosts, tmp)) {
225			zend_string_release_ex(tmp, 0);
226			smart_str_append_smart_str(dest, url);
227			php_url_free(url_parts);
228			return;
229		}
230		zend_string_release_ex(tmp, 0);
231	}
232
233	/*
234	 * When URL does not have path and query string add "/?".
235	 * i.e. If URL is only "?foo=bar", should not add "/?".
236	 */
237	if (!url_parts->path && !url_parts->query && !url_parts->fragment) {
238		/* URL is http://php.net or like */
239		smart_str_append_smart_str(dest, url);
240		smart_str_appendc(dest, '/');
241		smart_str_appendc(dest, '?');
242		smart_str_append_smart_str(dest, url_app);
243		php_url_free(url_parts);
244		return;
245	}
246
247	if (url_parts->scheme) {
248		smart_str_appends(dest, ZSTR_VAL(url_parts->scheme));
249		smart_str_appends(dest, "://");
250	} else if (*(ZSTR_VAL(url->s)) == '/' && *(ZSTR_VAL(url->s)+1) == '/') {
251		smart_str_appends(dest, "//");
252	}
253	if (url_parts->user) {
254		smart_str_appends(dest, ZSTR_VAL(url_parts->user));
255		if (url_parts->pass) {
256			smart_str_appends(dest, ZSTR_VAL(url_parts->pass));
257			smart_str_appendc(dest, ':');
258		}
259		smart_str_appendc(dest, '@');
260	}
261	if (url_parts->host) {
262		smart_str_appends(dest, ZSTR_VAL(url_parts->host));
263	}
264	if (url_parts->port) {
265		smart_str_appendc(dest, ':');
266		smart_str_append_unsigned(dest, (long)url_parts->port);
267	}
268	if (url_parts->path) {
269		smart_str_appends(dest, ZSTR_VAL(url_parts->path));
270	}
271	smart_str_appendc(dest, '?');
272	if (url_parts->query) {
273		smart_str_appends(dest, ZSTR_VAL(url_parts->query));
274		smart_str_appends(dest, separator);
275		smart_str_append_smart_str(dest, url_app);
276	} else {
277		smart_str_append_smart_str(dest, url_app);
278	}
279	if (url_parts->fragment) {
280		smart_str_appendc(dest, '#');
281		smart_str_appends(dest, ZSTR_VAL(url_parts->fragment));
282	}
283	php_url_free(url_parts);
284}
285
286enum {
287	TAG_NORMAL = 0,
288	TAG_FORM
289};
290
291enum {
292	ATTR_NORMAL = 0,
293	ATTR_ACTION
294};
295
296#undef YYFILL
297#undef YYCTYPE
298#undef YYCURSOR
299#undef YYLIMIT
300#undef YYMARKER
301
302static inline void tag_arg(url_adapt_state_ex_t *ctx, char quotes, char type)
303{
304	char f = 0;
305
306	/* arg.s is string WITHOUT NUL.
307	   To avoid partial match, NUL is added here */
308	ZSTR_VAL(ctx->arg.s)[ZSTR_LEN(ctx->arg.s)] = '\0';
309	if (!strcasecmp(ZSTR_VAL(ctx->arg.s), ctx->lookup_data)) {
310		f = 1;
311	}
312
313	if (quotes) {
314		smart_str_appendc(&ctx->result, type);
315	}
316	if (f) {
317		append_modified_url(&ctx->val, &ctx->result, &ctx->url_app, PG(arg_separator).output, ctx->type);
318	} else {
319		smart_str_append_smart_str(&ctx->result, &ctx->val);
320	}
321	if (quotes) {
322		smart_str_appendc(&ctx->result, type);
323	}
324}
325
326enum {
327	STATE_PLAIN = 0,
328	STATE_TAG,
329	STATE_NEXT_ARG,
330	STATE_ARG,
331	STATE_BEFORE_VAL,
332	STATE_VAL
333};
334
335#define YYFILL(n) goto stop
336#define YYCTYPE unsigned char
337#define YYCURSOR xp
338#define YYLIMIT end
339#define YYMARKER q
340#define STATE ctx->state
341
342#define STD_PARA url_adapt_state_ex_t *ctx, char *start, char *YYCURSOR
343#define STD_ARGS ctx, start, xp
344
345#ifdef SCANNER_DEBUG
346#define scdebug(x) printf x
347#else
348#define scdebug(x)
349#endif
350
351static inline void passthru(STD_PARA)
352{
353	scdebug(("appending %d chars, starting with %c\n", YYCURSOR-start, *start));
354	smart_str_appendl(&ctx->result, start, YYCURSOR - start);
355}
356
357
358static zend_result check_http_host(char *target)
359{
360	zval *host, *tmp;
361	zend_string *host_tmp;
362	char *colon;
363
364	if ((tmp = zend_hash_find(&EG(symbol_table), ZSTR_KNOWN(ZEND_STR_AUTOGLOBAL_SERVER))) &&
365		Z_TYPE_P(tmp) == IS_ARRAY &&
366		(host = zend_hash_str_find(Z_ARRVAL_P(tmp), ZEND_STRL("HTTP_HOST"))) &&
367		Z_TYPE_P(host) == IS_STRING) {
368		host_tmp = zend_string_init(Z_STRVAL_P(host), Z_STRLEN_P(host), 0);
369		/* HTTP_HOST could be 'localhost:8888' etc. */
370		colon = strchr(ZSTR_VAL(host_tmp), ':');
371		if (colon) {
372			ZSTR_LEN(host_tmp) = colon - ZSTR_VAL(host_tmp);
373			ZSTR_VAL(host_tmp)[ZSTR_LEN(host_tmp)] = '\0';
374		}
375		if (!strcasecmp(ZSTR_VAL(host_tmp), target)) {
376			zend_string_release_ex(host_tmp, 0);
377			return SUCCESS;
378		}
379		zend_string_release_ex(host_tmp, 0);
380	}
381	return FAILURE;
382}
383
384static zend_result check_host_whitelist(url_adapt_state_ex_t *ctx)
385{
386	php_url *url_parts = NULL;
387	HashTable *allowed_hosts = ctx->type ? &BG(url_adapt_session_hosts_ht) : &BG(url_adapt_output_hosts_ht);
388
389	ZEND_ASSERT(ctx->tag_type == TAG_FORM);
390
391	if (ctx->attr_val.s && ZSTR_LEN(ctx->attr_val.s)) {
392		url_parts = php_url_parse_ex(ZSTR_VAL(ctx->attr_val.s), ZSTR_LEN(ctx->attr_val.s));
393	} else {
394		return SUCCESS; /* empty URL is valid */
395	}
396
397	if (!url_parts) {
398		return FAILURE;
399	}
400	if (url_parts->scheme) {
401		/* Only http/https should be handled.
402		   A bit hacky check this here, but saves a URL parse. */
403		if (!zend_string_equals_literal_ci(url_parts->scheme, "http") &&
404			!zend_string_equals_literal_ci(url_parts->scheme, "https")) {
405		php_url_free(url_parts);
406		return FAILURE;
407		}
408	}
409	if (!url_parts->host) {
410		php_url_free(url_parts);
411		return SUCCESS;
412	}
413	if (!zend_hash_num_elements(allowed_hosts) &&
414		check_http_host(ZSTR_VAL(url_parts->host)) == SUCCESS) {
415		php_url_free(url_parts);
416		return SUCCESS;
417	}
418	if (!zend_hash_find(allowed_hosts, url_parts->host)) {
419		php_url_free(url_parts);
420		return FAILURE;
421	}
422	php_url_free(url_parts);
423	return SUCCESS;
424}
425
426/*
427 * This function appends a hidden input field after a <form>.
428 */
429static void handle_form(STD_PARA)
430{
431	int doit = 0;
432
433	if (ZSTR_LEN(ctx->form_app.s) > 0) {
434		switch (ZSTR_LEN(ctx->tag.s)) {
435			case sizeof("form") - 1:
436				if (!strncasecmp(ZSTR_VAL(ctx->tag.s), "form", ZSTR_LEN(ctx->tag.s))
437					&& check_host_whitelist(ctx) == SUCCESS) {
438					doit = 1;
439				}
440				break;
441		}
442	}
443
444	if (doit) {
445		smart_str_append_smart_str(&ctx->result, &ctx->form_app);
446	}
447}
448
449/*
450 *  HANDLE_TAG copies the HTML Tag and checks whether we
451 *  have that tag in our table. If we might modify it,
452 *  we continue to scan the tag, otherwise we simply copy the complete
453 *  HTML stuff to the result buffer.
454 */
455
456static inline void handle_tag(STD_PARA)
457{
458	int ok = 0;
459	unsigned int i;
460
461	if (ctx->tag.s) {
462		ZSTR_LEN(ctx->tag.s) = 0;
463	}
464	smart_str_appendl(&ctx->tag, start, YYCURSOR - start);
465	for (i = 0; i < ZSTR_LEN(ctx->tag.s); i++)
466		ZSTR_VAL(ctx->tag.s)[i] = tolower((int)(unsigned char)ZSTR_VAL(ctx->tag.s)[i]);
467    /* intentionally using str_find here, in case the hash value is set, but the string val is changed later */
468	if ((ctx->lookup_data = zend_hash_str_find_ptr(ctx->tags, ZSTR_VAL(ctx->tag.s), ZSTR_LEN(ctx->tag.s))) != NULL) {
469		ok = 1;
470		if (ZSTR_LEN(ctx->tag.s) == sizeof("form")-1
471			&& !strncasecmp(ZSTR_VAL(ctx->tag.s), "form", ZSTR_LEN(ctx->tag.s))) {
472			ctx->tag_type = TAG_FORM;
473		} else {
474			ctx->tag_type = TAG_NORMAL;
475		}
476	}
477	STATE = ok ? STATE_NEXT_ARG : STATE_PLAIN;
478}
479
480static inline void handle_arg(STD_PARA)
481{
482	if (ctx->arg.s) {
483		ZSTR_LEN(ctx->arg.s) = 0;
484	}
485	smart_str_appendl(&ctx->arg, start, YYCURSOR - start);
486	if (ctx->tag_type == TAG_FORM &&
487		strncasecmp(ZSTR_VAL(ctx->arg.s), "action", ZSTR_LEN(ctx->arg.s)) == 0) {
488		ctx->attr_type = ATTR_ACTION;
489	} else {
490		ctx->attr_type = ATTR_NORMAL;
491	}
492}
493
494static inline void handle_val(STD_PARA, char quotes, char type)
495{
496	smart_str_setl(&ctx->val, start + quotes, YYCURSOR - start - quotes * 2);
497	if (ctx->tag_type == TAG_FORM && ctx->attr_type == ATTR_ACTION) {
498		smart_str_setl(&ctx->attr_val, start + quotes, YYCURSOR - start - quotes * 2);
499	}
500	tag_arg(ctx, quotes, type);
501}
502
503static inline void xx_mainloop(url_adapt_state_ex_t *ctx, const char *newdata, size_t newlen)
504{
505	char *end, *q;
506	char *xp;
507	char *start;
508	size_t rest;
509
510	smart_str_appendl(&ctx->buf, newdata, newlen);
511
512	YYCURSOR = ZSTR_VAL(ctx->buf.s);
513	YYLIMIT = ZSTR_VAL(ctx->buf.s) + ZSTR_LEN(ctx->buf.s);
514
515	switch (STATE) {
516		case STATE_PLAIN: goto state_plain;
517		case STATE_TAG: goto state_tag;
518		case STATE_NEXT_ARG: goto state_next_arg;
519		case STATE_ARG: goto state_arg;
520		case STATE_BEFORE_VAL: goto state_before_val;
521		case STATE_VAL: goto state_val;
522	}
523
524
525state_plain_begin:
526	STATE = STATE_PLAIN;
527
528state_plain:
529	start = YYCURSOR;
530/*!re2c
531  "<"				{ passthru(STD_ARGS); STATE = STATE_TAG; goto state_tag; }
532  N+ 				{ passthru(STD_ARGS); goto state_plain; }
533*/
534
535state_tag:
536	start = YYCURSOR;
537/*!re2c
538  alphanamespace+	{ handle_tag(STD_ARGS); /* Sets STATE */; passthru(STD_ARGS); if (STATE == STATE_PLAIN) goto state_plain; else goto state_next_arg; }
539  any		{ passthru(STD_ARGS); goto state_plain_begin; }
540*/
541
542state_next_arg_begin:
543	STATE = STATE_NEXT_ARG;
544
545state_next_arg:
546	start = YYCURSOR;
547/*!re2c
548  [/]? [>]		{ passthru(STD_ARGS); handle_form(STD_ARGS); goto state_plain_begin; }
549  [ \v\r\t\n]+	{ passthru(STD_ARGS); goto state_next_arg; }
550  alpha		{ --YYCURSOR; STATE = STATE_ARG; goto state_arg; }
551  any		{ passthru(STD_ARGS); goto state_plain_begin; }
552*/
553
554state_arg:
555	start = YYCURSOR;
556/*!re2c
557  alpha alphadash*	{ passthru(STD_ARGS); handle_arg(STD_ARGS); STATE = STATE_BEFORE_VAL; goto state_before_val; }
558  any		{ passthru(STD_ARGS); STATE = STATE_NEXT_ARG; goto state_next_arg; }
559*/
560
561state_before_val:
562	start = YYCURSOR;
563/*!re2c
564  [ ]* "=" [ ]*		{ passthru(STD_ARGS); STATE = STATE_VAL; goto state_val; }
565  any				{ --YYCURSOR; goto state_next_arg_begin; }
566*/
567
568
569state_val:
570	start = YYCURSOR;
571/*!re2c
572  ["] (any\[">])* ["]	{ handle_val(STD_ARGS, 1, '"'); goto state_next_arg_begin; }
573  ['] (any\['>])* [']	{ handle_val(STD_ARGS, 1, '\''); goto state_next_arg_begin; }
574  (any\[ \r\t\n>'"])+	{ handle_val(STD_ARGS, 0, ' '); goto state_next_arg_begin; }
575  any					{ passthru(STD_ARGS); goto state_next_arg_begin; }
576*/
577
578stop:
579	if (YYLIMIT < start) {
580		/* XXX: Crash avoidance. Need to work with reporter to figure out what goes wrong */
581		rest = 0;
582	} else {
583		rest = YYLIMIT - start;
584		scdebug(("stopped in state %d at pos %d (%d:%c) %d\n", STATE, YYCURSOR - ctx->buf.c, *YYCURSOR, *YYCURSOR, rest));
585	}
586
587	if (rest) memmove(ZSTR_VAL(ctx->buf.s), start, rest);
588	ZSTR_LEN(ctx->buf.s) = rest;
589}
590
591
592PHPAPI char *php_url_scanner_adapt_single_url(const char *url, size_t urllen, const char *name, const char *value, size_t *newlen, bool encode)
593{
594	char *result;
595	smart_str surl = {0};
596	smart_str buf = {0};
597	smart_str url_app = {0};
598	zend_string *encoded;
599
600	smart_str_appendl(&surl, url, urllen);
601
602	if (encode) {
603		encoded = php_raw_url_encode(name, strlen(name));
604		smart_str_appendl(&url_app, ZSTR_VAL(encoded), ZSTR_LEN(encoded));
605		zend_string_free(encoded);
606	} else {
607		smart_str_appends(&url_app, name);
608	}
609	smart_str_appendc(&url_app, '=');
610	if (encode) {
611		encoded = php_raw_url_encode(value, strlen(value));
612		smart_str_appendl(&url_app, ZSTR_VAL(encoded), ZSTR_LEN(encoded));
613		zend_string_free(encoded);
614	} else {
615		smart_str_appends(&url_app, value);
616	}
617
618	append_modified_url(&surl, &buf, &url_app, PG(arg_separator).output, 1);
619
620	smart_str_0(&buf);
621	if (newlen) *newlen = ZSTR_LEN(buf.s);
622	result = estrndup(ZSTR_VAL(buf.s), ZSTR_LEN(buf.s));
623
624	smart_str_free(&url_app);
625	smart_str_free(&buf);
626
627	return result;
628}
629
630
631static char *url_adapt_ext(const char *src, size_t srclen, size_t *newlen, bool do_flush, url_adapt_state_ex_t *ctx)
632{
633	char *retval;
634
635	xx_mainloop(ctx, src, srclen);
636
637	if (!ctx->result.s) {
638		smart_str_appendl(&ctx->result, "", 0);
639		*newlen = 0;
640	} else {
641		*newlen = ZSTR_LEN(ctx->result.s);
642	}
643	smart_str_0(&ctx->result);
644	if (do_flush) {
645		smart_str_append(&ctx->result, ctx->buf.s);
646		*newlen += ZSTR_LEN(ctx->buf.s);
647		smart_str_free(&ctx->buf);
648		smart_str_free(&ctx->val);
649		smart_str_free(&ctx->attr_val);
650	}
651	retval = estrndup(ZSTR_VAL(ctx->result.s), ZSTR_LEN(ctx->result.s));
652	smart_str_free(&ctx->result);
653	return retval;
654}
655
656static void php_url_scanner_ex_activate(bool is_session)
657{
658	url_adapt_state_ex_t *ctx;
659
660	if (is_session) {
661		ctx = &BG(url_adapt_session_ex);
662	} else {
663		ctx = &BG(url_adapt_output_ex);
664	}
665
666	memset(ctx, 0, XtOffsetOf(url_adapt_state_ex_t, tags));
667}
668
669static void php_url_scanner_ex_deactivate(bool is_session)
670{
671	url_adapt_state_ex_t *ctx;
672
673	if (is_session) {
674		ctx = &BG(url_adapt_session_ex);
675	} else {
676		ctx = &BG(url_adapt_output_ex);
677	}
678
679	smart_str_free(&ctx->result);
680	smart_str_free(&ctx->buf);
681	smart_str_free(&ctx->tag);
682	smart_str_free(&ctx->arg);
683	smart_str_free(&ctx->attr_val);
684}
685
686static inline void php_url_scanner_session_handler_impl(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode, bool is_session)
687{
688	size_t len;
689	url_adapt_state_ex_t *url_state;
690
691	if (is_session) {
692		url_state = &BG(url_adapt_session_ex);
693	} else {
694		url_state = &BG(url_adapt_output_ex);
695	}
696
697	if (ZSTR_LEN(url_state->url_app.s) != 0) {
698		*handled_output = url_adapt_ext(output, output_len, &len, (bool) (mode & (PHP_OUTPUT_HANDLER_END | PHP_OUTPUT_HANDLER_CONT | PHP_OUTPUT_HANDLER_FLUSH | PHP_OUTPUT_HANDLER_FINAL) ? 1 : 0), url_state);
699		if (sizeof(unsigned int) < sizeof(size_t)) {
700			if (len > UINT_MAX)
701				len = UINT_MAX;
702		}
703		*handled_output_len = len;
704	} else if (ZSTR_LEN(url_state->url_app.s) == 0) {
705		url_adapt_state_ex_t *ctx = url_state;
706		if (ctx->buf.s && ZSTR_LEN(ctx->buf.s)) {
707			smart_str_append(&ctx->result, ctx->buf.s);
708			smart_str_appendl(&ctx->result, output, output_len);
709
710			*handled_output = estrndup(ZSTR_VAL(ctx->result.s), ZSTR_LEN(ctx->result.s));
711			*handled_output_len = ZSTR_LEN(ctx->buf.s) + output_len;
712
713			smart_str_free(&ctx->buf);
714			smart_str_free(&ctx->result);
715		} else {
716			*handled_output = estrndup(output, *handled_output_len = output_len);
717		}
718	} else {
719		*handled_output = NULL;
720	}
721}
722
723static void php_url_scanner_session_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode)
724{
725	php_url_scanner_session_handler_impl(output, output_len, handled_output, handled_output_len, mode, /* is_session */ true);
726}
727
728static void php_url_scanner_output_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode)
729{
730	php_url_scanner_session_handler_impl(output, output_len, handled_output, handled_output_len, mode, /* is_session */ false);
731}
732
733static inline void php_url_scanner_add_var_impl(const char *name, size_t name_len, const char *value, size_t value_len, bool encode, bool is_session)
734{
735	smart_str sname = {0};
736	smart_str svalue = {0};
737	smart_str hname = {0};
738	smart_str hvalue = {0};
739	zend_string *encoded;
740	url_adapt_state_ex_t *url_state;
741	php_output_handler_func_t handler;
742	bool should_start = false;
743
744	if (is_session) {
745		url_state = &BG(url_adapt_session_ex);
746		handler = php_url_scanner_session_handler;
747	} else {
748		url_state = &BG(url_adapt_output_ex);
749		handler = php_url_scanner_output_handler;
750	}
751
752	if (!url_state->active) {
753		php_url_scanner_ex_activate(is_session);
754		should_start = true;
755		url_state->active = 1;
756		url_state->type = is_session;
757	}
758
759	if (url_state->url_app.s && ZSTR_LEN(url_state->url_app.s) != 0) {
760		smart_str_appends(&url_state->url_app, PG(arg_separator).output);
761	}
762
763	if (encode) {
764		encoded = php_raw_url_encode(name, name_len);
765		smart_str_appendl(&sname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded);
766		encoded = php_raw_url_encode(value, value_len);
767		smart_str_appendl(&svalue, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded);
768		encoded = php_escape_html_entities_ex((const unsigned char *) name, name_len, 0, ENT_QUOTES|ENT_SUBSTITUTE, NULL, /* double_encode */ 0, /* quiet */ 1);
769		smart_str_appendl(&hname, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded);
770		encoded = php_escape_html_entities_ex((const unsigned char *) value, value_len, 0, ENT_QUOTES|ENT_SUBSTITUTE, NULL, /* double_encode */ 0, /* quiet */ 1);
771		smart_str_appendl(&hvalue, ZSTR_VAL(encoded), ZSTR_LEN(encoded)); zend_string_free(encoded);
772	} else {
773		smart_str_appendl(&sname, name, name_len);
774		smart_str_appendl(&svalue, value, value_len);
775		smart_str_appendl(&hname, name, name_len);
776		smart_str_appendl(&hvalue, value, value_len);
777	}
778
779	smart_str_append_smart_str(&url_state->url_app, &sname);
780	smart_str_appendc(&url_state->url_app, '=');
781	smart_str_append_smart_str(&url_state->url_app, &svalue);
782
783	smart_str_appends(&url_state->form_app, "<input type=\"hidden\" name=\"");
784	smart_str_append_smart_str(&url_state->form_app, &hname);
785	smart_str_appends(&url_state->form_app, "\" value=\"");
786	smart_str_append_smart_str(&url_state->form_app, &hvalue);
787	smart_str_appends(&url_state->form_app, "\" />");
788
789	smart_str_free(&sname);
790	smart_str_free(&svalue);
791	smart_str_free(&hname);
792	smart_str_free(&hvalue);
793
794	if (should_start) {
795		php_output_start_internal(ZEND_STRL("URL-Rewriter"), handler, 0, PHP_OUTPUT_HANDLER_STDFLAGS);
796	}
797}
798
799
800PHPAPI zend_result php_url_scanner_add_session_var(const char *name, size_t name_len, const char *value, size_t value_len, bool encode)
801{
802	php_url_scanner_add_var_impl(name, name_len, value, value_len, encode, /* is_session */ true);
803	return SUCCESS;
804}
805
806
807PHPAPI zend_result php_url_scanner_add_var(const char *name, size_t name_len, const char *value, size_t value_len, bool encode)
808{
809	php_url_scanner_add_var_impl(name, name_len, value, value_len, encode, /* is_session */ false);
810	return SUCCESS;
811}
812
813
814static inline void php_url_scanner_reset_vars_impl(bool is_session) {
815	url_adapt_state_ex_t *url_state;
816
817	if (is_session) {
818		url_state = &BG(url_adapt_session_ex);
819	} else {
820		url_state = &BG(url_adapt_output_ex);
821	}
822
823	if (url_state->form_app.s) {
824		ZSTR_LEN(url_state->form_app.s) = 0;
825	}
826	if (url_state->url_app.s) {
827		ZSTR_LEN(url_state->url_app.s) = 0;
828	}
829}
830
831
832PHPAPI zend_result php_url_scanner_reset_session_vars(void)
833{
834	php_url_scanner_reset_vars_impl(true);
835	return SUCCESS;
836}
837
838
839PHPAPI zend_result php_url_scanner_reset_vars(void)
840{
841	php_url_scanner_reset_vars_impl(false);
842	return SUCCESS;
843}
844
845
846static inline zend_result php_url_scanner_reset_var_impl(zend_string *name, int encode, bool is_session)
847{
848	char *start, *end, *limit;
849	size_t separator_len;
850	smart_str sname = {0};
851	smart_str hname = {0};
852	smart_str url_app = {0};
853	smart_str form_app = {0};
854	zend_string *encoded;
855	int ret = SUCCESS;
856	bool sep_removed = 0;
857	url_adapt_state_ex_t *url_state;
858
859	if (is_session) {
860		url_state = &BG(url_adapt_session_ex);
861	} else {
862		url_state = &BG(url_adapt_output_ex);
863	}
864
865	/* Short circuit check. Only check url_app. */
866	if (!url_state->url_app.s || !ZSTR_LEN(url_state->url_app.s)) {
867		return SUCCESS;
868	}
869
870	if (encode) {
871		encoded = php_raw_url_encode(ZSTR_VAL(name), ZSTR_LEN(name));
872		smart_str_appendl(&sname, ZSTR_VAL(encoded), ZSTR_LEN(encoded));
873		zend_string_free(encoded);
874		encoded = php_escape_html_entities_ex((const unsigned char *) ZSTR_VAL(name), ZSTR_LEN(name), 0, ENT_QUOTES|ENT_SUBSTITUTE, SG(default_charset), /* double_encode */ 0, /* quiet */ 1);
875		smart_str_appendl(&hname, ZSTR_VAL(encoded), ZSTR_LEN(encoded));
876		zend_string_free(encoded);
877	} else {
878		smart_str_appendl(&sname, ZSTR_VAL(name), ZSTR_LEN(name));
879		smart_str_appendl(&hname, ZSTR_VAL(name), ZSTR_LEN(name));
880	}
881	smart_str_0(&sname);
882	smart_str_0(&hname);
883
884	smart_str_append_smart_str(&url_app, &sname);
885	smart_str_appendc(&url_app, '=');
886	smart_str_0(&url_app);
887
888	smart_str_appends(&form_app, "<input type=\"hidden\" name=\"");
889	smart_str_append_smart_str(&form_app, &hname);
890	smart_str_appends(&form_app, "\" value=\"");
891	smart_str_0(&form_app);
892
893	/* Short circuit check. Only check url_app. */
894	start = (char *) php_memnstr(ZSTR_VAL(url_state->url_app.s),
895								 ZSTR_VAL(url_app.s), ZSTR_LEN(url_app.s),
896								 ZSTR_VAL(url_state->url_app.s) + ZSTR_LEN(url_state->url_app.s));
897	if (!start) {
898		ret = FAILURE;
899		goto finish;
900	}
901
902	/* Get end of url var */
903	limit = ZSTR_VAL(url_state->url_app.s) + ZSTR_LEN(url_state->url_app.s);
904	end = start + ZSTR_LEN(url_app.s);
905	separator_len = strlen(PG(arg_separator).output);
906	while (end < limit) {
907		if (!memcmp(end, PG(arg_separator).output, separator_len)) {
908			end += separator_len;
909			sep_removed = 1;
910			break;
911		}
912		end++;
913	}
914	/* Remove all when this is the only rewrite var */
915	if (ZSTR_LEN(url_state->url_app.s) == end - start) {
916		php_url_scanner_reset_vars_impl(is_session);
917		goto finish;
918	}
919	/* Check preceding separator */
920	if (!sep_removed
921		&& (size_t)(start - PG(arg_separator).output) >= separator_len
922		&& !memcmp(start - separator_len, PG(arg_separator).output, separator_len)) {
923		start -= separator_len;
924	}
925	/* Remove partially */
926	memmove(start, end,
927			ZSTR_LEN(url_state->url_app.s) - (end - ZSTR_VAL(url_state->url_app.s)));
928	ZSTR_LEN(url_state->url_app.s) -= end - start;
929	ZSTR_VAL(url_state->url_app.s)[ZSTR_LEN(url_state->url_app.s)] = '\0';
930
931	/* Remove form var */
932	start = (char *) php_memnstr(ZSTR_VAL(url_state->form_app.s),
933						ZSTR_VAL(form_app.s), ZSTR_LEN(form_app.s),
934						ZSTR_VAL(url_state->form_app.s) + ZSTR_LEN(url_state->form_app.s));
935	if (!start) {
936		/* Should not happen */
937		ret = FAILURE;
938		php_url_scanner_reset_vars_impl(is_session);
939		goto finish;
940	}
941	/* Get end of form var */
942	limit = ZSTR_VAL(url_state->form_app.s) + ZSTR_LEN(url_state->form_app.s);
943	end = start + ZSTR_LEN(form_app.s);
944	while (end < limit) {
945		if (*end == '>') {
946			end += 1;
947			break;
948		}
949		end++;
950	}
951	/* Remove partially */
952	memmove(start, end,
953			ZSTR_LEN(url_state->form_app.s) - (end - ZSTR_VAL(url_state->form_app.s)));
954	ZSTR_LEN(url_state->form_app.s) -= end - start;
955	ZSTR_VAL(url_state->form_app.s)[ZSTR_LEN(url_state->form_app.s)] = '\0';
956
957finish:
958	smart_str_free(&url_app);
959	smart_str_free(&form_app);
960	smart_str_free(&sname);
961	smart_str_free(&hname);
962	return ret;
963}
964
965
966PHPAPI zend_result php_url_scanner_reset_session_var(zend_string *name, int encode)
967{
968	return php_url_scanner_reset_var_impl(name, encode, /* is_session */ true);
969}
970
971
972PHPAPI zend_result php_url_scanner_reset_var(zend_string *name, int encode)
973{
974	return php_url_scanner_reset_var_impl(name, encode, /* is_session */ false);
975}
976
977
978PHP_MINIT_FUNCTION(url_scanner)
979{
980	REGISTER_INI_ENTRIES();
981	return SUCCESS;
982}
983
984PHP_MSHUTDOWN_FUNCTION(url_scanner)
985{
986	UNREGISTER_INI_ENTRIES();
987
988	return SUCCESS;
989}
990
991PHP_RINIT_FUNCTION(url_scanner)
992{
993	BG(url_adapt_session_ex).active    = 0;
994	BG(url_adapt_session_ex).tag_type  = 0;
995	BG(url_adapt_session_ex).attr_type = 0;
996	BG(url_adapt_output_ex).active    = 0;
997	BG(url_adapt_output_ex).tag_type  = 0;
998	BG(url_adapt_output_ex).attr_type = 0;
999	return SUCCESS;
1000}
1001
1002PHP_RSHUTDOWN_FUNCTION(url_scanner)
1003{
1004	if (BG(url_adapt_session_ex).active) {
1005		php_url_scanner_ex_deactivate(true);
1006		BG(url_adapt_session_ex).active    = 0;
1007		BG(url_adapt_session_ex).tag_type  = 0;
1008		BG(url_adapt_session_ex).attr_type = 0;
1009	}
1010	smart_str_free(&BG(url_adapt_session_ex).form_app);
1011	smart_str_free(&BG(url_adapt_session_ex).url_app);
1012
1013	if (BG(url_adapt_output_ex).active) {
1014		php_url_scanner_ex_deactivate(false);
1015		BG(url_adapt_output_ex).active    = 0;
1016		BG(url_adapt_output_ex).tag_type  = 0;
1017		BG(url_adapt_output_ex).attr_type = 0;
1018	}
1019	smart_str_free(&BG(url_adapt_output_ex).form_app);
1020	smart_str_free(&BG(url_adapt_output_ex).url_app);
1021
1022	return SUCCESS;
1023}
1024