--- parser3/src/main/untaint.C 2003/11/20 16:34:27 1.123 +++ parser3/src/main/untaint.C 2009/05/23 08:12:56 1.147 @@ -1,11 +1,11 @@ /** @file Parser: String class part: untaint mechanizm. - Copyright(c) 2001-2003 ArtLebedev Group (http://www.artlebedev.com) + Copyright(c) 2001-2005 ArtLebedev Group (http://www.artlebedev.com) Author: Alexandr Petrosian (http://paf.design.ru) */ -static const char * const IDENT_UNTAINT_C="$Date: 2003/11/20 16:34:27 $"; +static const char * const IDENT_UNTAINT_C="$Date: 2009/05/23 08:12:56 $"; #include "pa_string.h" @@ -23,15 +23,10 @@ extern "C" { // author forgot to do that #include "ec.h" } -#define PA_SQL - -#ifdef PA_SQL #include "pa_sql_connection.h" -#endif // defines - #undef CORD_ec_append // redefining to intercept flushes and implement whitespace optimization // of all consequent white space chars leaving only first one @@ -39,7 +34,7 @@ extern "C" { // author forgot to do that { \ bool skip=false; \ if(optimize) switch(c) { \ - case ' ': case '\r': case '\n': case '\t': \ + case ' ': case '\n': case '\t': \ if(whitespace) \ skip=true; /*skipping subsequent*/ \ else \ @@ -58,12 +53,12 @@ extern "C" { // author forgot to do that } -#define escape(action) \ +#define escape_fragment(action) \ for(; fragment_length--; CORD_next(info->pos)) { \ char c=CORD_pos_fetch(info->pos); \ action \ } -#define _default default: CORD_ec_append(info->result, c); break +#define _default CORD_ec_append(info->result, c) #define encode(need_encode_func, prefix, otherwise) \ if(need_encode_func(c)) { \ static const char* hex="0123456789ABCDEF"; \ @@ -72,61 +67,41 @@ extern "C" { // author forgot to do that CORD_ec_append(info->result, hex[((unsigned char)c)%0x10]); \ } else \ CORD_ec_append(info->result, otherwise); -#define to_char(c) CORD_ec_append(info->result, c) -#define to_string(s) CORD_ec_append_cord(info->result, s) +#define to_char(c) { CORD_ec_append(info->result, c); whitespace=false; } +#define to_string(s) { CORD_ec_append_cord(info->result, s); whitespace=false; } inline bool need_file_encode(unsigned char c){ // russian letters and space ENABLED // encoding only these... return strchr( - "*?'\"<>|" + "*?'\"<>|" #ifndef WIN32 - ":\\" + ":\\" #endif - , c)!=0; + , c)!=0; } + inline bool need_uri_encode(unsigned char c){ - if((c>='0') &&(c<='9') ||(c>='A') &&(c<='Z') ||(c>='a') &&(c<='z')) + if((c>='0') &&(c<='9') ||(c>='A') &&(c<='Z') ||(c>='a') &&(c<='z')) return false; - return !strchr("_-./", c); + return !strchr("_-./", c); } + inline bool need_http_header_encode(unsigned char c){ - if(strchr(" , :", c)) + if(strchr(" , :", c)) return false; return need_uri_encode(c); } -// - -static const char* String_Untaint_lang_name[]={ - "U", ///< zero value handy for hash lookup @see untaint_lang_name2enum - "C", ///< clean - "T", ///< tainted, untaint language as assigned later - // untaint languages. assigned by ^untaint[lang]{...} - "P", - /**< - leave language built into string being appended. - just a flag, that value not stored - */ - "A", ///< leave all characters intact - "F", ///< file specification - "H", ///< ext in HTTP response header - "M", ///< text in mail header - "URI", ///< text in uri - "T", ///< ^table:set body - "SQL", ///< ^table:sql body - "JS", ///< JavaScript code - "XML", ///< ^dom:set xml - "HTML" ///< HTML code (for editing) -}; - +inline bool need_regex_escape(unsigned char c){ + return strchr("\\^$.[]|()?*+{}-", c)!=0; +} // String /* - HTTP-header = field-name ":" [ field-value ] CRLF field-name = token @@ -210,21 +185,37 @@ int append_fragment_nonoptimizing(char a or marking ALL pieces of it with a @a lang when @a forced to, and propagating OPTIMIZE language bit. */ -String& String::append_to(String& dest, Language lang, bool forced) const { +String& String::append_to(String& dest, Language ilang, bool forced) const { if(is_empty()) return dest; // first: fragment infos - if(lang==L_PASS_APPENDED) // without language-change? - dest.langs.append(dest.body, body.length(), langs); + if(ilang==L_PASS_APPENDED) // without language-change? + dest.langs.appendHelper(dest.body, langs, body); else if(forced) //forcing passed lang? - dest.langs.append(dest.body, lang, length()); - else { - Append_fragment_info info={lang, &dest.langs, dest.body.length()}; - langs.for_each(body, lang&L_OPTIMIZE_BIT? - append_fragment_optimizing - :append_fragment_nonoptimizing, &info); + dest.langs.appendHelper(dest.body, ilang, body); + else { + if(langs.opt.is_not_just_lang){ + Append_fragment_info info={ilang, &dest.langs, dest.body.length()}; + langs.for_each(body, ilang&L_OPTIMIZE_BIT? + append_fragment_optimizing + :append_fragment_nonoptimizing, &info); + } else { + Language lang=langs.opt.lang; + // see append_fragment_* for explanation + if(ilang&L_OPTIMIZE_BIT){ + dest.langs.appendHelper(dest.body, + lang==String::L_TAINTED? + ilang + :lang==String::L_CLEAN? + (String::Language)(String::L_CLEAN|String::L_OPTIMIZE_BIT) + :lang, + body); + } else { + dest.langs.appendHelper(dest.body, lang==String::L_TAINTED ? ilang:lang, body); + } + } } // next: letters @@ -268,7 +259,7 @@ inline bool mail_header_char_valid_withi || strchr("!*+-/", c); } inline bool addr_spec_soon(const char *src) { - for(char c; c=*src; src++) + for(char c; (c=*src); src++) if(c=='<') return true; else if(!(c==' ' || c=='\t')) @@ -284,6 +275,7 @@ inline bool addr_spec_soon(const char *s inline bool mail_header_nonspace_char(char c) { return c != 0x20; } + inline void ec_append(CORD_ec& result, bool& optimize, bool& whitespace, CORD_pos pos, size_t size) { while(size--) { CORD_ec_append(result, CORD_pos_fetch(pos)); @@ -292,12 +284,12 @@ inline void ec_append(CORD_ec& result, b } inline void pa_CORD_pos_advance(CORD_pos pos, size_t n) { while(true) { - size_t avail=CORD_pos_chars_left(pos); - if(avail==0) { + long avail=CORD_pos_chars_left(pos); + if(avail<=0) { CORD_next(pos); if(!--n) break; - } else if(avail=n @@ -322,14 +314,14 @@ struct Cstr_to_string_body_block_info { CORD_pos pos; size_t fragment_begin; bool whitespace; + const char* exception; }; #endif int cstr_to_string_body_block(char alang, size_t fragment_length, Cstr_to_string_body_block_info* info) { const String::Language fragment_lang=(String::Language)(unsigned char)alang; bool& whitespace=info->whitespace; size_t fragment_end=info->fragment_begin+fragment_length; - //fprintf(stderr, "%d, %d\n", fragment.lang, fragment.length); - + //fprintf(stderr, "%d, %d =%s=\n", fragment_lang, fragment_length, info->body->cstr()); String::Language to_lang=info->lang==String::L_UNSPECIFIED?fragment_lang:info->lang; bool optimize=(to_lang & String::L_OPTIMIZE_BIT)!=0; @@ -351,14 +343,26 @@ int cstr_to_string_body_block(char alang break; case String::L_FILE_SPEC: // tainted, untaint language: file [name] - escape( - // Macintosh has problems with small Russian letter 'r' - if( c=='\xF0' && info->charsets && info->charsets->source().NAME()=="WINDOWS-1251" ) { - // fixing that letter for most common charset - to_char('p'); - } else // fallback to default - encode(need_file_encode, '_', c); - ); + { + bool is1251=(info->charsets && info->charsets->source().NAME()=="WINDOWS-1251"); + escape_fragment( + // Macintosh has problems with small Russian letter 'r' + if( is1251 && c=='\xF0' ) { + // fixing that letter for most common charset + to_char('p'); + } else // fallback to default + encode(need_file_encode, '_', c); + ); + } + break; + case String::L_FILE_POST: + { + escape_fragment(switch(c) { + case '\0': to_string("\\0"); break; + case '\\': to_string("\\\\"); break; + default: _default; break; + }); + } break; case String::L_URI: // tainted, untaint language: uri @@ -373,13 +377,14 @@ int cstr_to_string_body_block(char alang info->charsets->client()); char c; - for(const char* src=output.str; c=*src++; ) + for(const char* src=output.str; (c=*src++); ) encode(need_uri_encode, '%', c); } break; case String::L_HTTP_HEADER: // tainted, untaint language: http-field-content-text - escape( + // the same as L_URI BUT not transcoded into $response:charset before encoding + escape_fragment( encode(need_uri_encode, '%', c); ); break; @@ -400,13 +405,15 @@ int cstr_to_string_body_block(char alang bool email=false; uchar c; - for(const char* src=mail_ptr; c=(uchar)*src++; ) { - //RFC + An 'encoded-word' MUST NOT appear in any portion of an 'addr-spec'. - if(to_quoted_printable && (c==',' || addr_spec_soon(src) || c == '"')) { + for(const char* src=mail_ptr; (c=(uchar)*src++); ) { + if(c=='\r' || c=='\n') + c=' '; + if(to_quoted_printable && (c==',' || c == '"' || addr_spec_soon(src-1/*position to 'c'*/))) { email=c=='<'; to_string("?="); to_quoted_printable=false; } + //RFC + An 'encoded-word' MUST NOT appear in any portion of an 'addr-spec'. if(!email && ( !to_quoted_printable && (c & 0x80) // starting quote-printable-encoding on first 8bit char || to_quoted_printable && !mail_header_char_valid_within_Qencoded(c) @@ -429,15 +436,6 @@ int cstr_to_string_body_block(char alang } else ec_append(info->result, optimize, whitespace, info->pos, fragment_length); break; - case String::L_TABLE: - // tainted, untaint language: table - escape(switch(c) { - case '\t': to_char(' '); break; - case '\n': to_char(' '); break; - _default; - }); - break; -#ifdef PA_SQL case String::L_SQL: // tainted, untaint language: sql if(info->connection) { @@ -446,44 +444,89 @@ int cstr_to_string_body_block(char alang pa_CORD_pos_advance(info->pos, fragment_length); to_string(info->connection->quote(fragment_str, fragment_length)); - } else - throw Exception(0, - 0, - "untaint in SQL language failed - no connection specified"); + } else { + info->exception="untaint in SQL language failed - no connection specified"; + info->fragment_begin=fragment_end; + return 1; // stop processing. can't throw exception here + } break; -#endif case String::L_JS: - escape(switch(c) { + escape_fragment(switch(c) { + case '\n': to_string("\\n"); break; case '"': to_string("\\\""); break; case '\'': to_string("\\'"); break; - case '\n': to_string("\\n"); break; case '\\': to_string("\\\\"); break; case '\xFF': to_string("\\\xFF"); break; - _default; + case '\r': to_string("\\r"); break; + default: _default; break; }); break; case String::L_XML: - escape(switch(c) { + // [2] Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF] + escape_fragment(switch(c) { + case '\x20': + case '\x9': + case '\xA': + case '\xD': // this is usually removed on input + _default; + break; case '&': to_string("&"); break; case '>': to_string(">"); break; case '<': to_string("<"); break; case '"': to_string("""); break; case '\'': to_string("'"); break; - _default; + default: + if(((unsigned char)c)<0x20) { + // fixing it, so that libxml would not result + // in fatal error parsing text + // though it really violates standard. + // to indicate there were an error + // replace bad char not to it's code, + // which we can do, + // but rather to '!' to show that input were actually + // invalid. + // life: shows that MSIE can somehow garble form values + // so that they contain these chars. + to_char('!'); + } else { + _default; + } + break; }); break; case String::L_HTML: - escape(switch(c) { + escape_fragment(switch(c) { case '&': to_string("&"); break; case '>': to_string(">"); break; case '<': to_string("<"); break; case '"': to_string("""); break; - _default; + default: _default; break; }); break; + case String::L_REGEX: + // tainted, untaint language: regex + escape_fragment( + if(need_regex_escape(c)) + to_char('\\') + _default; + ); + break; + case String::L_HTTP_COOKIE: + // tainted, untaint language: cookie (3.3.0 and higher: %uXXXX in UTF-8) + { + const char *fragment_str=info->body->mid(info->fragment_begin, fragment_length).cstr(); + // skip source [we use recoded version] + pa_CORD_pos_advance(info->pos, fragment_length); + String::C output(fragment_str, fragment_length); + + output=Charset::escape(output, info->charsets->source()); + //throw Exception(0, 0, output); + to_string(output); + + } + break; default: - assert(!"should never"); - SAPI::die("unknown untaint language #%d", + SAPI::abort("unknown untaint language #%d", static_cast(to_lang)); // should never break; // never } @@ -497,6 +540,8 @@ int cstr_to_string_body_block(char alang String::Body String::cstr_to_string_body(Language lang, SQL_Connection* connection, const Request_charsets *charsets) const { + if(is_empty()) + return String::Body(); Cstr_to_string_body_block_info info; // input @@ -509,10 +554,15 @@ String::Body String::cstr_to_string_body // private body.set_pos(info.pos, 0); info.fragment_begin=0; + info.exception=0; info.whitespace=true; - if(!is_empty()) - langs.for_each(body, cstr_to_string_body_block, &info); + langs.for_each(body, cstr_to_string_body_block, &info); + if(info.exception){ + throw Exception(0, + 0, + info.exception); + } return String::Body(CORD_ec_to_cord(info.result)); }