Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Newer
Older
100644 185 lines (158 sloc) 5.395 kB
3bf293f @andigutmans - Change from PHP5 -> PHP 5
andigutmans authored
1 Input Filter Support in PHP 5
2 -----------------------------
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
3
4 XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
5 and can be quite difficult to prevent. Whenever you accept user data
6 and somehow display this data back to users, you are likely vulnerable
7 to XSS hacks.
8
3bf293f @andigutmans - Change from PHP5 -> PHP 5
andigutmans authored
9 The Input Filter support in PHP 5 is aimed at providing the framework
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
10 through which a company-wide or site-wide security policy can be
11 enforced. It is implemented as a SAPI hook and is called from the
12 treat_data and post handler functions. To implement your own security
228bb9e @rlerdorf Pierre requested an update to this. I don't think it makes sense to
rlerdorf authored
13 policy you will need to write a standard PHP extension. There is also
14 a powerful standard implementation in ext/filter that should suit most
15 peoples' needs. However, if you want to implement your own security
16 policy, read on.
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
17
18 A simple implementation might look like the following. This stores the
19 original raw user data and adds a my_get_raw() function while the normal
20 $_POST, $_GET and $_COOKIE arrays are only populated with stripped
21 data. In this simple example all I am doing is calling strip_tags() on
febee11 @KalleZ Removed register_globals
KalleZ authored
22 the data.
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
23
24 ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
25 zval *post_array;
26 zval *get_array;
27 zval *cookie_array;
28 ZEND_END_MODULE_GLOBALS(my_input_filter)
29
30 #ifdef ZTS
31 #define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
32 #else
33 #define IF_G(v) (my_input_filter_globals.v)
34 #endif
35
36 ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
37
684d68b MFH: fix docs
foobar authored
38 zend_function_entry my_input_filter_functions[] = {
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
39 PHP_FE(my_get_raw, NULL)
40 {NULL, NULL, NULL}
41 };
42
43 zend_module_entry my_input_filter_module_entry = {
44 STANDARD_MODULE_HEADER,
45 "my_input_filter",
46 my_input_filter_functions,
47 PHP_MINIT(my_input_filter),
48 PHP_MSHUTDOWN(my_input_filter),
49 NULL,
50 PHP_RSHUTDOWN(my_input_filter),
51 PHP_MINFO(my_input_filter),
52 "0.1",
53 STANDARD_MODULE_PROPERTIES
54 };
55
56 PHP_MINIT_FUNCTION(my_input_filter)
57 {
58 ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
59
60 REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
61 REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
62 REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
63
64 sapi_register_input_filter(my_sapi_input_filter);
65 return SUCCESS;
66 }
67
68 PHP_RSHUTDOWN_FUNCTION(my_input_filter)
69 {
70 if(IF_G(get_array)) {
71 zval_ptr_dtor(&IF_G(get_array));
72 IF_G(get_array) = NULL;
73 }
74 if(IF_G(post_array)) {
75 zval_ptr_dtor(&IF_G(post_array));
76 IF_G(post_array) = NULL;
77 }
78 if(IF_G(cookie_array)) {
79 zval_ptr_dtor(&IF_G(cookie_array));
80 IF_G(cookie_array) = NULL;
81 }
82 return SUCCESS;
83 }
84
85 PHP_MINFO_FUNCTION(my_input_filter)
86 {
87 php_info_print_table_start();
88 php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
f7b10ab @dsp Replace $Revision$ with $Id$ in keyword expansion enable files
dsp authored
89 php_info_print_table_row( 2, "Revision", "$Id$");
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
90 php_info_print_table_end();
91 }
92
350d755 - Update NEWS and README for input_filters
Derick Rethans authored
93 /* The filter handler. If you return 1 from it, then PHP also registers the
94 * (modified) variable. Returning 0 prevents PHP from registering the variable;
95 * you can use this if your filter already registers the variable under a
96 * different name, or if you just don't want the variable registered at all. */
c73641a - And fix the README too.
Derick Rethans authored
97 SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
98 {
99 zval new_var;
100 zval *array_ptr = NULL;
101 char *raw_var;
102 int var_len;
103
d08a0e9 @rlerdorf An input filter might not simply strip stuff, it might also turn things
rlerdorf authored
104 assert(*val != NULL);
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
105
106 switch(arg) {
107 case PARSE_GET:
108 if(!IF_G(get_array)) {
109 ALLOC_ZVAL(array_ptr);
110 array_init(array_ptr);
111 INIT_PZVAL(array_ptr);
112 }
113 IF_G(get_array) = array_ptr;
114 break;
115 case PARSE_POST:
116 if(!IF_G(post_array)) {
117 ALLOC_ZVAL(array_ptr);
118 array_init(array_ptr);
119 INIT_PZVAL(array_ptr);
120 }
121 IF_G(post_array) = array_ptr;
122 break;
123 case PARSE_COOKIE:
124 if(!IF_G(cookie_array)) {
125 ALLOC_ZVAL(array_ptr);
126 array_init(array_ptr);
127 INIT_PZVAL(array_ptr);
128 }
129 IF_G(cookie_array) = array_ptr;
130 break;
131 }
132 Z_STRLEN(new_var) = val_len;
d08a0e9 @rlerdorf An input filter might not simply strip stuff, it might also turn things
rlerdorf authored
133 Z_STRVAL(new_var) = estrndup(*val, val_len);
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
134 Z_TYPE(new_var) = IS_STRING;
135
136 var_len = strlen(var);
137 raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
138 strcpy(raw_var, "RAW_");
139 strlcat(raw_var,var,var_len+5);
140
141 php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
142
d08a0e9 @rlerdorf An input filter might not simply strip stuff, it might also turn things
rlerdorf authored
143 php_strip_tags(*val, val_len, NULL, NULL, 0);
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
144
750b033 - Fix sapi_input_filter patch. Returning 1 from the filter handler sh…
Derick Rethans authored
145 *new_val_len = strlen(*val);
350d755 - Update NEWS and README for input_filters
Derick Rethans authored
146 return 1;
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
147 }
148
149 PHP_FUNCTION(my_get_raw)
150 {
151 long arg;
152 char *var;
153 int var_len;
154 zval **tmp;
155 zval *array_ptr = NULL;
156
476c9a3 Fixed zend_parse_parameters arguments...
Stefan Esser authored
157 if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
158 return;
159 }
160
161 switch(arg) {
162 case PARSE_GET:
163 array_ptr = IF_G(get_array);
164 break;
165 case PARSE_POST:
166 array_ptr = IF_G(post_array);
167 break;
168 case PARSE_COOKIE:
169 array_ptr = IF_G(post_array);
170 break;
171 }
172
febee11 @KalleZ Removed register_globals
KalleZ authored
173 if(!array_ptr) {
174 RETURN_FALSE;
175 }
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
176
febee11 @KalleZ Removed register_globals
KalleZ authored
177 if(zend_hash_find(HASH_OF(array_ptr), var, var_len+5, (void **)&tmp) == SUCCESS) {
7429c2d @rlerdorf Input Filter support. See README.input_filter for details.
rlerdorf authored
178 *return_value = **tmp;
179 zval_copy_ctor(return_value);
180 } else {
181 RETVAL_FALSE;
182 }
183 }
184
Something went wrong with that request. Please try again.