static size_t readline_shell_write(const char *str, size_t str_length TSRMLS_DC) /* {{{ */
{
if (CLIR_G(prompt_str)) {
smart_str_appendl(CLIR_G(prompt_str), str, str_length);
return str_length;
}
if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) {
pager_pipe = VCWD_POPEN(CLIR_G(pager), "w");
}
if (pager_pipe) {
return fwrite(str, 1, MIN(str_length, 16384), pager_pipe);
}
return -1;
}
FILE *fp;
char *buf;
int l = 0, pclose_return;
char *b, *d=NULL;
php_stream *stream;
size_t buflen, bufl = 0;
#if PHP_SIGCHILD
void (*sig_handler)() = NULL;
#endif
#if PHP_SIGCHILD
sig_handler = signal (SIGCHLD, SIG_DFL);
#endif
#ifdef PHP_WIN32
fp = VCWD_POPEN(cmd, "rb");
#else
fp = VCWD_POPEN(cmd, "r");
#endif
if (!fp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
goto err;
}
stream = php_stream_fopen_from_pipe(fp, "rb");
buf = (char *) emalloc(EXEC_INPUT_BUF);
buflen = EXEC_INPUT_BUF;
if (type != 3) {
b = buf;
/* {{{ php_exec
* If type==0, only last line of output is returned (exec)
* If type==1, all lines will be printed and last lined returned (system)
* If type==2, all lines will be saved to given array (exec with &$array)
* If type==3, output will be printed binary, no lines will be saved or returned (passthru)
*
*/
PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value)
{
FILE *fp;
char *buf;
size_t l = 0;
int pclose_return;
char *b, *d=NULL;
php_stream *stream;
size_t buflen, bufl = 0;
#if PHP_SIGCHILD
void (*sig_handler)() = NULL;
#endif
#if PHP_SIGCHILD
sig_handler = signal (SIGCHLD, SIG_DFL);
#endif
#ifdef PHP_WIN32
fp = VCWD_POPEN(cmd, "rb");
#else
fp = VCWD_POPEN(cmd, "r");
#endif
if (!fp) {
php_error_docref(NULL, E_WARNING, "Unable to fork [%s]", cmd);
goto err;
}
stream = php_stream_fopen_from_pipe(fp, "rb");
buf = (char *) emalloc(EXEC_INPUT_BUF);
buflen = EXEC_INPUT_BUF;
if (type != 3) {
b = buf;
while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) {
/* no new line found, let's read some more */
if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) {
bufl += b - buf;
buflen = bufl + EXEC_INPUT_BUF;
buf = erealloc(buf, buflen);
b = buf + bufl;
} else {
b += bufl;
}
continue;
} else if (b != buf) {
bufl += b - buf;
}
if (type == 1) {
PHPWRITE(buf, bufl);
if (php_output_get_level() < 1) {
sapi_flush();
}
} else if (type == 2) {
/* strip trailing whitespaces */
l = bufl;
while (l >= 1 && l-- && isspace(((unsigned char *)buf)[l]));
if (l != (bufl - 1)) {
bufl = l + 1;
buf[bufl] = '\0';
}
add_next_index_stringl(array, buf, bufl);
}
b = buf;
}
if (bufl) {
/* strip trailing whitespaces if we have not done so already */
if ((type == 2 && buf != b) || type != 2) {
l = bufl;
while (l >= 1 && l-- && isspace(((unsigned char *)buf)[l]));
if (l != (bufl - 1)) {
bufl = l + 1;
buf[bufl] = '\0';
}
if (type == 2) {
add_next_index_stringl(array, buf, bufl);
}
}
/* Return last line from the shell command */
RETVAL_STRINGL(buf, bufl);
} else { /* should return NULL, but for BC we return "" */
RETVAL_EMPTY_STRING();
}
} else {
while((bufl = php_stream_read(stream, buf, EXEC_INPUT_BUF)) > 0) {
PHPWRITE(buf, bufl);
}
}
pclose_return = php_stream_close(stream);
efree(buf);
done:
#if PHP_SIGCHILD
if (sig_handler) {
signal(SIGCHLD, sig_handler);
}
#endif
if (d) {
efree(d);
}
return pclose_return;
err:
pclose_return = -1;
goto done;
}
PHP_SUHOSIN_API void suhosin_log(int loglevel, char *fmt, ...)
{
int s, r, i=0, fd;
long written, towrite;
int getcaller=0;
char *wbuf;
struct timeval tv;
time_t now;
struct tm tm;
#if defined(AF_UNIX)
struct sockaddr_un saun;
#endif
#ifdef PHP_WIN32
LPTSTR strs[2];
unsigned short etype;
DWORD evid;
#endif
char buf[5000];
char error[5000];
char *ip_address;
char *fname;
char *alertstring;
int lineno;
va_list ap;
TSRMLS_FETCH();
#if PHP_VERSION_ID >= 50500
getcaller = (loglevel & S_GETCALLER) == S_GETCALLER;
#endif
/* remove the S_GETCALLER flag */
loglevel = loglevel & ~S_GETCALLER;
SDEBUG("(suhosin_log) loglevel: %d log_syslog: %u - log_sapi: %u - log_script: %u", loglevel, SUHOSIN_G(log_syslog), SUHOSIN_G(log_sapi), SUHOSIN_G(log_script));
/* dump core if wanted */
if (SUHOSIN_G(coredump) && loglevel == S_MEMORY) {
volatile unsigned int *x = 0;
volatile int y = *x;
}
if (SUHOSIN_G(log_use_x_forwarded_for)) {
ip_address = suhosin_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
if (ip_address == NULL) {
ip_address = "X-FORWARDED-FOR not set";
}
} else {
ip_address = suhosin_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
if (ip_address == NULL) {
ip_address = "REMOTE_ADDR not set";
}
}
va_start(ap, fmt);
ap_php_vsnprintf(error, sizeof(error), fmt, ap);
va_end(ap);
while (error[i]) {
if (error[i] < 32) error[i] = '.';
i++;
}
if (SUHOSIN_G(simulation)) {
alertstring = "ALERT-SIMULATION";
} else {
alertstring = "ALERT";
}
if (zend_is_executing(TSRMLS_C)) {
zend_execute_data *exdata = EG(current_execute_data);
if (exdata) {
if (getcaller && exdata->prev_execute_data) {
lineno = exdata->prev_execute_data->opline->lineno;
fname = (char *)exdata->prev_execute_data->op_array->filename;
} else {
lineno = exdata->opline->lineno;
fname = (char *)exdata->op_array->filename;
}
} else {
lineno = zend_get_executed_lineno(TSRMLS_C);
fname = (char *)zend_get_executed_filename(TSRMLS_C);
}
ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s', line %u)", alertstring, error, ip_address, fname, lineno);
} else {
fname = suhosin_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
if (fname==NULL) {
fname = "unknown";
}
ap_php_snprintf(buf, sizeof(buf), "%s - %s (attacker '%s', file '%s')", alertstring, error, ip_address, fname);
}
/* Syslog-Logging disabled? */
if (((SUHOSIN_G(log_syslog)|S_INTERNAL) & loglevel)==0) {
goto log_file;
}
#if defined(AF_UNIX)
ap_php_snprintf(error, sizeof(error), "<%u>suhosin[%u]: %s\n", (unsigned int)(SUHOSIN_G(log_syslog_facility)|SUHOSIN_G(log_syslog_priority)),getpid(),buf);
s = socket(AF_UNIX, SOCK_DGRAM, 0);
if (s == -1) {
goto log_file;
}
memset(&saun, 0, sizeof(saun));
saun.sun_family = AF_UNIX;
strcpy(saun.sun_path, SYSLOG_PATH);
/*saun.sun_len = sizeof(saun);*/
r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
if (r) {
close(s);
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1) {
goto log_file;
}
memset(&saun, 0, sizeof(saun));
saun.sun_family = AF_UNIX;
strcpy(saun.sun_path, SYSLOG_PATH);
/*saun.sun_len = sizeof(saun);*/
r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
if (r) {
close(s);
goto log_file;
}
}
send(s, error, strlen(error), 0);
close(s);
#endif
#ifdef PHP_WIN32
ap_php_snprintf(error, sizeof(error), "suhosin[%u]: %s", getpid(),buf);
switch (SUHOSIN_G(log_syslog_priority)) { /* translate UNIX type into NT type */
case 1: /*LOG_ALERT:*/
etype = EVENTLOG_ERROR_TYPE;
break;
case 6: /*LOG_INFO:*/
etype = EVENTLOG_INFORMATION_TYPE;
break;
default:
etype = EVENTLOG_WARNING_TYPE;
}
evid = loglevel;
strs[0] = error;
/* report the event */
if (log_source == NULL) {
log_source = RegisterEventSource(NULL, "Suhosin-" SUHOSIN_EXT_VERSION);
}
ReportEvent(log_source, etype, (unsigned short) SUHOSIN_G(log_syslog_priority), evid, NULL, 1, 0, strs, NULL);
#endif
log_file:
/* File-Logging disabled? */
if ((SUHOSIN_G(log_file) & loglevel)==0) {
goto log_sapi;
}
if (!SUHOSIN_G(log_filename) || !SUHOSIN_G(log_filename)[0]) {
goto log_sapi;
}
fd = open(SUHOSIN_G(log_filename), O_CREAT|O_APPEND|O_WRONLY, 0640);
if (fd == -1) {
suhosin_log(S_INTERNAL, "Unable to open logfile: %s", SUHOSIN_G(log_filename));
return;
}
gettimeofday(&tv, NULL);
now = tv.tv_sec;
php_gmtime_r(&now, &tm);
ap_php_snprintf(error, sizeof(error), "%s %2d %02d:%02d:%02d [%u] %s\n", month_names[tm.tm_mon], tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec, getpid(),buf);
towrite = strlen(error);
wbuf = error;
php_flock(fd, LOCK_EX);
while (towrite > 0) {
written = write(fd, wbuf, towrite);
if (written < 0) {
break;
}
towrite -= written;
wbuf += written;
}
php_flock(fd, LOCK_UN);
close(fd);
log_sapi:
/* SAPI Logging activated? */
SDEBUG("(suhosin_log) log_syslog: %u - log_sapi: %u - log_script: %u - log_phpscript: %u", SUHOSIN_G(log_syslog), SUHOSIN_G(log_sapi), SUHOSIN_G(log_script), SUHOSIN_G(log_phpscript));
if (((SUHOSIN_G(log_sapi)|S_INTERNAL) & loglevel)!=0) {
#if PHP_VERSION_ID < 50400
sapi_module.log_message(buf);
#else
sapi_module.log_message(buf TSRMLS_CC);
#endif
}
if ((SUHOSIN_G(log_stdout) & loglevel)!=0) {
printf("%s\n", buf);
}
/*log_script:*/
/* script logging activaed? */
if (((SUHOSIN_G(log_script) & loglevel)!=0) && SUHOSIN_G(log_scriptname)!=NULL) {
char cmd[8192], *cmdpos, *bufpos;
FILE *in;
int space;
struct stat st;
char *sname = SUHOSIN_G(log_scriptname);
while (isspace(*sname)) ++sname;
if (*sname == 0) goto log_phpscript;
if (VCWD_STAT(sname, &st) < 0) {
suhosin_log(S_INTERNAL, "unable to find logging shell script %s - file dropped", sname);
goto log_phpscript;
}
if (access(sname, X_OK|R_OK) < 0) {
suhosin_log(S_INTERNAL, "logging shell script %s is not executable - file dropped", sname);
goto log_phpscript;
}
/* TODO: clean up this code to calculate size of output dynamically */
ap_php_snprintf(cmd, sizeof(cmd) - 20, "%s %s \'", sname, loglevel2string(loglevel));
space = sizeof(cmd) - strlen(cmd) - 20;
cmdpos = cmd + strlen(cmd);
bufpos = buf;
if (space <= 1) return;
while (space > 2 && *bufpos) {
if (*bufpos == '\'') {
if (space<=5) break;
*cmdpos++ = '\'';
*cmdpos++ = '\\';
*cmdpos++ = '\'';
*cmdpos++ = '\'';
bufpos++;
space-=4;
} else {
*cmdpos++ = *bufpos++;
space--;
}
}
*cmdpos++ = '\'';
*cmdpos++ = ' ';
*cmdpos++ = '2';
*cmdpos++ = '>';
*cmdpos++ = '&';
*cmdpos++ = '1';
*cmdpos = 0;
if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
suhosin_log(S_INTERNAL, "Unable to execute logging shell script: %s", sname);
goto log_phpscript;
}
/* read and forget the result */
while (1) {
int readbytes = fread(cmd, 1, sizeof(cmd), in);
if (readbytes<=0) {
break;
}
if (strncmp(cmd, "sh: ", 4) == 0) {
/* assume this is an error */
suhosin_log(S_INTERNAL, "Error while executing logging shell script: %s", sname);
pclose(in);
goto log_phpscript;
}
}
pclose(in);
}
log_phpscript:
if ((SUHOSIN_G(log_phpscript) & loglevel)!=0 && EG(in_execution) && SUHOSIN_G(log_phpscriptname) && SUHOSIN_G(log_phpscriptname)[0]) {
zend_file_handle file_handle;
zend_op_array *new_op_array;
zval *result = NULL;
long orig_execution_depth = SUHOSIN_G(execution_depth);
#if PHP_VERSION_ID < 50400
zend_bool orig_safe_mode = PG(safe_mode);
#endif
char *orig_basedir = PG(open_basedir);
char *phpscript = SUHOSIN_G(log_phpscriptname);
SDEBUG("scriptname %s", SUHOSIN_G(log_phpscriptname));
#ifdef ZEND_ENGINE_2
if (zend_stream_open(phpscript, &file_handle TSRMLS_CC) == SUCCESS) {
#else
if (zend_open(phpscript, &file_handle) == SUCCESS && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
file_handle.filename = phpscript;
file_handle.free_filename = 0;
#endif
if (!file_handle.opened_path) {
file_handle.opened_path = estrndup(phpscript, strlen(phpscript));
}
new_op_array = zend_compile_file(&file_handle, ZEND_REQUIRE TSRMLS_CC);
zend_destroy_file_handle(&file_handle TSRMLS_CC);
if (new_op_array) {
HashTable *active_symbol_table = EG(active_symbol_table);
zval *zerror, *zerror_class;
if (active_symbol_table == NULL) {
active_symbol_table = &EG(symbol_table);
}
EG(return_value_ptr_ptr) = &result;
EG(active_op_array) = new_op_array;
MAKE_STD_ZVAL(zerror);
MAKE_STD_ZVAL(zerror_class);
ZVAL_STRING(zerror, buf, 1);
ZVAL_LONG(zerror_class, loglevel);
zend_hash_update(active_symbol_table, "SUHOSIN_ERROR", sizeof("SUHOSIN_ERROR"), (void **)&zerror, sizeof(zval *), NULL);
zend_hash_update(active_symbol_table, "SUHOSIN_ERRORCLASS", sizeof("SUHOSIN_ERRORCLASS"), (void **)&zerror_class, sizeof(zval *), NULL);
SUHOSIN_G(execution_depth) = 0;
if (SUHOSIN_G(log_phpscript_is_safe)) {
#if PHP_VERSION_ID < 50400
PG(safe_mode) = 0;
#endif
PG(open_basedir) = NULL;
}
zend_execute(new_op_array TSRMLS_CC);
SUHOSIN_G(execution_depth) = orig_execution_depth;
#if PHP_VERSION_ID < 50400
PG(safe_mode) = orig_safe_mode;
#endif
PG(open_basedir) = orig_basedir;
#ifdef ZEND_ENGINE_2
destroy_op_array(new_op_array TSRMLS_CC);
#else
destroy_op_array(new_op_array);
#endif
efree(new_op_array);
#ifdef ZEND_ENGINE_2
if (!EG(exception))
#endif
{
if (EG(return_value_ptr_ptr)) {
zval_ptr_dtor(EG(return_value_ptr_ptr));
EG(return_value_ptr_ptr) = NULL;
}
}
} else {
suhosin_log(S_INTERNAL, "Unable to execute logging PHP script: %s", SUHOSIN_G(log_phpscriptname));
return;
}
} else {
suhosin_log(S_INTERNAL, "Unable to execute logging PHP script: %s", SUHOSIN_G(log_phpscriptname));
return;
}
}
}
/*
* If type==0, only last line of output is returned (exec)
* If type==1, all lines will be printed and last lined returned (system)
* If type==2, all lines will be saved to given array (exec with &$array)
* If type==3, output will be printed binary, no lines will be saved or returned (passthru)
*
*/
int php_Exec(int type, char *cmd, pval *array, pval *return_value)
{
FILE *fp;
char *buf, *tmp=NULL;
int buflen = 0;
int t, l, output=1;
int overflow_limit, lcmd, ldir;
int rsrc_id;
char *b, *c, *d=NULL;
#if PHP_SIGCHILD
void (*sig_handler)();
#endif
PLS_FETCH();
FLS_FETCH();
buf = (char*) emalloc(EXEC_INPUT_BUF);
if (!buf) {
php_error(E_WARNING, "Unable to emalloc %d bytes for exec buffer", EXEC_INPUT_BUF);
return -1;
}
buflen = EXEC_INPUT_BUF;
if (PG(safe_mode)) {
lcmd = strlen(cmd);
ldir = strlen(PG(safe_mode_exec_dir));
l = lcmd + ldir + 2;
overflow_limit = l;
c = strchr(cmd, ' ');
if (c) *c = '\0';
if (strstr(cmd, "..")) {
php_error(E_WARNING, "No '..' components allowed in path");
efree(buf);
return -1;
}
d = emalloc(l);
strcpy(d, PG(safe_mode_exec_dir));
overflow_limit -= ldir;
b = strrchr(cmd, PHP_DIR_SEPARATOR);
if (b) {
strcat(d, b);
overflow_limit -= strlen(b);
} else {
strcat(d, "/");
strcat(d, cmd);
overflow_limit-=(strlen(cmd)+1);
}
if (c) {
*c = ' ';
strncat(d, c, overflow_limit);
}
tmp = php_escape_shell_cmd(d);
efree(d);
d = tmp;
#if PHP_SIGCHILD
sig_handler = signal (SIGCHLD, SIG_DFL);
#endif
#ifdef PHP_WIN32
fp = VCWD_POPEN(d, "rb");
#else
fp = VCWD_POPEN(d, "r");
#endif
if (!fp) {
php_error(E_WARNING, "Unable to fork [%s]", d);
efree(d);
efree(buf);
#if PHP_SIGCHILD
signal (SIGCHLD, sig_handler);
#endif
return -1;
}
} else { /* not safe_mode */
#if PHP_SIGCHILD
sig_handler = signal (SIGCHLD, SIG_DFL);
#endif
#ifdef PHP_WIN32
fp = VCWD_POPEN(cmd, "rb");
#else
fp = VCWD_POPEN(cmd, "r");
#endif
if (!fp) {
php_error(E_WARNING, "Unable to fork [%s]", cmd);
efree(buf);
#if PHP_SIGCHILD
signal (SIGCHLD, sig_handler);
#endif
return -1;
}
}
buf[0] = '\0';
if (type==2) {
if (Z_TYPE_P(array) != IS_ARRAY) {
pval_destructor(array);
array_init(array);
}
}
/* we register the resource so that case of an aborted connection the
* fd gets pclosed
*/
rsrc_id = ZEND_REGISTER_RESOURCE(NULL, fp, php_file_le_popen());
if (type != 3) {
l=0;
while ( !feof(fp) || l != 0 ) {
l = 0;
/* Read a line or fill the buffer, whichever comes first */
do {
if ( buflen <= (l+1) ) {
buf = erealloc(buf, buflen + EXEC_INPUT_BUF);
if ( buf == NULL ) {
php_error(E_WARNING, "Unable to erealloc %d bytes for exec buffer",
buflen + EXEC_INPUT_BUF);
#if PHP_SIGCHILD
signal (SIGCHLD, sig_handler);
#endif
return -1;
}
buflen += EXEC_INPUT_BUF;
}
if ( fgets(&(buf[l]), buflen - l, fp) == NULL ) {
/* eof */
break;
}
l += strlen(&(buf[l]));
} while ( (l > 0) && (buf[l-1] != '\n') );
if ( feof(fp) && (l == 0) ) {
break;
}
if (type == 1) {
if (output) PUTS(buf);
sapi_flush();
}
else if (type == 2) {
/* strip trailing whitespaces */
l = strlen(buf);
t = l;
while (l-- && isspace((int)buf[l]));
if (l < t) {
buf[l + 1] = '\0';
}
add_next_index_string(array, buf, 1);
}
}
/* strip trailing spaces */
l = strlen(buf);
t = l;
while (l && isspace((int)buf[l - 1])) {
l--;
}
if (l < t) buf[l] = '\0';
/* Return last line from the shell command */
if (PG(magic_quotes_runtime)) {
int len;
tmp = php_addslashes(buf, 0, &len, 0);
RETVAL_STRINGL(tmp,len,0);
} else {
RETVAL_STRINGL(buf,l,1);
}
} else {
int b, i;
while ((b = fread(buf, 1, buflen, fp)) > 0) {
for (i = 0; i < b; i++)
if (output) (void)PUTC(buf[i]);
}
}
/* the zend_list_delete will pclose our popen'ed process */
zend_list_delete(rsrc_id);
#if HAVE_SYS_WAIT_H
if (WIFEXITED(FG(pclose_ret))) {
FG(pclose_ret) = WEXITSTATUS(FG(pclose_ret));
}
#endif
#if PHP_SIGCHILD
signal (SIGCHLD, sig_handler);
#endif
if (d) {
efree(d);
}
efree(buf);
return FG(pclose_ret);
}
