void taint_array_variant(Variant &v, const std::string original_str) { if (v.isString()) { std::string s = ""; s += v.toString().c_str(); s += " from "; s += original_str; v.asStrRef().get()->getTaintData()->setTaint(TAINT_BIT_ALL); } if (v.isArray()) { Array a = v.toArray(); for(ArrayIter iter(a); iter; ++iter) { Variant key = iter.first(); if (!key.isString()) { // if the URI is /foo.php?123=hello, 123 will be an int, not a string // so just skip it. continue; } ASSERT(key.isString()); std::string s = original_str + "[" + key.toString().c_str() + "]"; taint_array_variant(key, s); Variant value = iter.second(); taint_array_variant(value, s); } } }
void taint_array_variant(Variant& v, const std::string s, bool iskey) { ASSERT(!TaintObserver::IsActive()); if (v.isString()) { TaintData& td = v.asStrRef().get()->getTaintDataRef(); std::string str; if (iskey) { str = s + " {using key}"; } else /* isval */ { str = s + ": " + v.toString().c_str(); } td.setTaint(TAINT_BIT_ALL | TAINT_FLAG_ORIG); ASSERT(!td.getTaintTrace().get()); // We don't call TaintTracer::Trace on these strings because they: // (1) are likely to be unique and not to match function calls or // filenames or other params; and // (2) may persist across requests, at which point they will have been // cleared from the trace set and cannot be reinserted because the // neither a new request nor new trace set will have been init'd. td.setTaintTrace(NEW(TaintTraceData)(str)); ASSERT(!td.getTaintTrace()->getNext().get()); ASSERT(!td.getTaintTrace()->getChild().get()); } if (v.isArray()) { CArrRef a = v.toCArrRef(); for (ArrayIter iter(a); iter; ++iter) { // Taint the key if it is actually a string (in cases where we have a // URI like /foo.php?123=hello, the key will have type int, so we skip // it since we only taint strings). Variant key = iter.first(); std::string str = s + "[" + key.toString().c_str() + "]"; if (key.isString()) { taint_array_variant(key, str, true); } // Taint the value. Variant value = iter.second(); taint_array_variant(value, str, false); } } }
/** * PHP has "EGPCS" processing order of these global variables, and this * order is important in preparing $_REQUEST that needs to know which to * overwrite what when name happens to be the same. */ void HttpProtocol::PrepareSystemVariables(Transport *transport, const RequestURI &r, const SourceRootInfo &sri) { SystemGlobals *g = (SystemGlobals*)get_global_variables(); const VirtualHost *vhost = VirtualHost::GetCurrent(); // reset global symbols to nulls or empty arrays pm_php$globals$symbols_php(); Variant &server = g->GV(_SERVER); server.set("REQUEST_START_TIME", time(NULL)); // $_ENV process_env_variables(g->GV(_ENV)); g->GV(_ENV).set("HPHP", 1); g->GV(_ENV).set("HPHP_SERVER", 1); #ifdef HOTPROFILER g->GV(_ENV).set("HPHP_HOTPROFILER", 1); #endif Variant &request = g->GV(_REQUEST); // $_GET and $_REQUEST if (!r.queryString().empty()) { DecodeParameters(g->GV(_GET), r.queryString().data(), r.queryString().size()); CopyParams(request, g->GV(_GET)); } string contentType = transport->getHeader("Content-Type"); string contentLength = transport->getHeader("Content-Length"); // $_POST and $_REQUEST if (transport->getMethod() == Transport::POST) { bool needDelete = false; int size = 0; const void *data = transport->getPostData(size); if (data && size) { ASSERT(((char*)data)[size] == 0); // we need a NULL terminated string string boundary; int content_length = atoi(contentLength.c_str()); bool rfc1867Post = IsRfc1867(contentType, boundary); string files; if (rfc1867Post) { if (content_length > VirtualHost::GetMaxPostSize()) { // $_POST and $_FILES are empty Logger::Warning("POST Content-Length of %d bytes exceeds " "the limit of %lld bytes", content_length, VirtualHost::GetMaxPostSize()); needDelete = read_all_post_data(transport, data, size); } else { if (transport->hasMorePostData()) { needDelete = true; data = Util::buffer_duplicate(data, size); } DecodeRfc1867(transport, g->GV(_POST), g->GV(_FILES), content_length, data, size, boundary); } ASSERT(!transport->getFiles(files)); } else { needDelete = read_all_post_data(transport, data, size); bool decodeData = strncasecmp(contentType.c_str(), DEFAULT_POST_CONTENT_TYPE, sizeof(DEFAULT_POST_CONTENT_TYPE)-1) == 0; // Always decode data for now. (macvicar) decodeData = true; if (decodeData) { DecodeParameters(g->GV(_POST), (const char*)data, size, true); } bool ret = transport->getFiles(files); if (ret) { g->GV(_FILES) = f_unserialize(files); } } CopyParams(request, g->GV(_POST)); if (needDelete) { if (RuntimeOption::AlwaysPopulateRawPostData) { g->GV(HTTP_RAW_POST_DATA) = String((char*)data, size, AttachString); } else { free((void *)data); } } else { // For literal we disregard RuntimeOption::AlwaysPopulateRawPostData g->GV(HTTP_RAW_POST_DATA) = String((char*)data, size, AttachLiteral); } } } // $_COOKIE string cookie_data = transport->getHeader("Cookie"); if (!cookie_data.empty()) { StringBuffer sb; sb.append(cookie_data); DecodeCookies(g->GV(_COOKIE), (char*)sb.data()); CopyParams(request, g->GV(_COOKIE)); } // $_SERVER // HTTP_ headers -- we don't exclude headers we handle elsewhere (e.g., // Content-Type, Authorization), since the CGI "spec" merely says the server // "may" exclude them; this is not what APE does, but it's harmless. HeaderMap headers; transport->getHeaders(headers); for (HeaderMap::const_iterator iter = headers.begin(); iter != headers.end(); ++iter) { const vector<string> &values = iter->second; for (unsigned int i = 0; i < values.size(); i++) { String key = "HTTP_"; key += StringUtil::ToUpper(iter->first).replace("-", "_"); server.set(key, String(values[i])); } } string host = transport->getHeader("Host"); String hostName(VirtualHost::GetCurrent()->serverName(host)); string hostHeader(host); if (hostHeader.empty()) { server.set("HTTP_HOST", hostName); StackTraceNoHeap::AddExtraLogging("Server", hostName.data()); } else { StackTraceNoHeap::AddExtraLogging("Server", hostHeader.c_str()); } if (hostName.empty() || RuntimeOption::ForceServerNameToHeader) { hostName = hostHeader; // _SERVER['SERVER_NAME'] shouldn't contain the port number int colonPos = hostName.find(':'); if (colonPos != String::npos) { hostName = hostName.substr(0, colonPos); } } // APE sets CONTENT_TYPE and CONTENT_LENGTH without HTTP_ if (!contentType.empty()) { server.set("CONTENT_TYPE", String(contentType)); } if (!contentLength.empty()) { server.set("CONTENT_LENGTH", String(contentLength)); } // APE processes Authorization: Basic into PHP_AUTH_USER and PHP_AUTH_PW string authorization = transport->getHeader("Authorization"); if (!authorization.empty()) { if (strncmp(authorization.c_str(), "Basic ", 6) == 0) { // it's safe to pass this as a string literal since authorization // outlives decodedAuth; this saves us a superfluous copy. String decodedAuth = StringUtil::Base64Decode(String(authorization.c_str() + 6)); int colonPos = decodedAuth.find(':'); if (colonPos != String::npos) { server.set("PHP_AUTH_USER", decodedAuth.substr(0, colonPos)); server.set("PHP_AUTH_PW", decodedAuth.substr(colonPos + 1)); } } } server.set("REQUEST_URI", String(transport->getUrl(), CopyString)); server.set("SCRIPT_URL", r.originalURL()); String prefix(transport->isSSL() ? "https://" : "http://"); String port_suffix(""); // Need to append port if (!transport->isSSL() && RuntimeOption::ServerPort != 80) { port_suffix = ":" + RuntimeOption::ServerPort; } server.set("SCRIPT_URI", String(prefix + (hostHeader.empty() ? hostName + port_suffix : hostHeader) + r.originalURL())); if (r.rewritten()) { // when URL is rewritten, PHP decided to put original URL as SCRIPT_NAME String name = r.originalURL(); if (!r.pathInfo().empty()) { int pos = name.find(r.pathInfo()); if (pos >= 0) { name = name.substr(0, pos); } } if (r.defaultDoc()) { if (!name.empty() && name[name.length() - 1] != '/') { name += "/"; } name += String(RuntimeOption::DefaultDocument); } server.set("SCRIPT_NAME", name); } else { server.set("SCRIPT_NAME", r.resolvedURL()); } if (!r.rewritten() && r.pathInfo().empty()) { server.set("PHP_SELF", r.resolvedURL()); } else { // when URL is rewritten, or pathinfo is not empty, use original URL server.set("PHP_SELF", r.originalURL()); } server.set("SCRIPT_FILENAME", r.absolutePath()); if (r.pathInfo().empty()) { server.set("PATH_TRANSLATED", r.absolutePath()); } else { server.set("PATH_TRANSLATED", String(vhost->getDocumentRoot() + r.pathInfo().data())); server.set("PATH_INFO", r.pathInfo()); } server.set("argv", r.queryString()); server.set("argc", 0); server.set("GATEWAY_INTERFACE", "CGI/1.1"); server.set("SERVER_ADDR", String(RuntimeOption::ServerPrimaryIP)); server.set("SERVER_NAME", hostName); server.set("SERVER_PORT", RuntimeOption::ServerPort); server.set("SERVER_SOFTWARE", "HPHP"); server.set("SERVER_PROTOCOL", "HTTP/" + transport->getHTTPVersion()); server.set("SERVER_ADMIN", ""); server.set("SERVER_SIGNATURE", ""); switch (transport->getMethod()) { case Transport::GET: server.set("REQUEST_METHOD", "GET"); break; case Transport::HEAD: server.set("REQUEST_METHOD", "HEAD"); break; case Transport::POST: if (transport->getExtendedMethod() == NULL) { server.set("REQUEST_METHOD", "POST"); } else { server.set("REQUEST_METHOD", transport->getExtendedMethod()); } break; default: server.set("REQUEST_METHOD", ""); break; } server.set("HTTPS", transport->isSSL() ? "1" : ""); server.set("REQUEST_TIME", time(NULL)); server.set("QUERY_STRING", r.queryString()); server.set("REMOTE_ADDR", String(transport->getRemoteHost(), CopyString)); server.set("REMOTE_HOST", ""); // I don't think we need to nslookup server.set("REMOTE_PORT", 0); // TODO: quite useless server.set("DOCUMENT_ROOT", String(vhost->getDocumentRoot())); for (map<string, string>::const_iterator iter = RuntimeOption::ServerVariables.begin(); iter != RuntimeOption::ServerVariables.end(); ++iter) { server.set(String(iter->first), String(iter->second)); } const map<string, string> &vServerVars = vhost->getServerVars(); for (map<string, string>::const_iterator iter = vServerVars.begin(); iter != vServerVars.end(); ++iter) { server.set(String(iter->first), String(iter->second)); } sri.setServerVariables(server); const char *threadType = transport->getThreadTypeName(); server.set("THREAD_TYPE", threadType); StackTraceNoHeap::AddExtraLogging("ThreadType", threadType); #ifdef TAINTED taint_array_variant(g->GV(_GET), "$_GET"); taint_array_variant(g->GV(_POST), "$_POST"); taint_array_variant(g->GV(_SERVER), "$_SERVER"); taint_array_variant(g->GV(_COOKIE), "$_COOKIE"); #endif }