Changeset 784

Timestamp:

2011-04-22T17:18:42+02:00 (2 years ago)

Author:

moo

Message:

merge from trunk

Location:

branches/1.3

Files:

• . (modified) (1 prop)
• ChangeLog (modified) (1 diff)
• Decompiler.class.php (modified) (10 diffs)
• NEWS (modified) (1 diff)
• admin/common.php (modified) (5 diffs)
• decompilesample.php (modified) (1 diff)
• opcode_spec_def.h (modified) (1 diff)
• utils.c (modified) (1 diff)
• xcache.c (modified) (5 diffs)

branches/1.3/ChangeLog

@@ -1 +1 @@
 1.3.2 2011-??-??
 ========
+ * avoid possible filename injection in admin page
  * adds 30 seconds timeout to "compiling" flag
  * decompiler: improves decompiling

branches/1.3/Decompiler.class.php

@@ -737 +737 @@
         $EX['last'] = count($opcodes) - 1;
         $EX['silence'] = 0;
+        $EX['recvs'] = array();
+        $EX['uses'] = array();
 
         for ($next = 0, $last = $EX['last'];
@@ -1139 +1141 @@
                         break;
                     }
+                    if (is_a($rvalue, 'Decompiler_Fetch')) {
+                        $src = str($rvalue->src, $EX);
+                        if ('$' . unquoteName($src) == $lvalue) {
+                            switch ($rvalue->fetchType) {
+                            case ZEND_FETCH_STATIC:
+                                $statics = &$EX['op_array']['static_variables'];
+                                if ((xcache_get_type($statics[$name]) & IS_LEXICAL_VAR)) {
+                                    $EX['uses'][] = str($lvalue);
+                                    unset($statics);
+                                    break 2;
+                                }
+                                unset($statics);
+                            }
+                        }
+                    }
                     $resvar = "$lvalue = " . str($rvalue, $EX);
                     break;
@@ -1155 +1172 @@
                             case ZEND_FETCH_STATIC:
                                 $statics = &$EX['op_array']['static_variables'];
+                                if ((xcache_get_type($statics[$name]) & IS_LEXICAL_REF)) {
+                                    $EX['uses'][] = '&' . str($lvalue);
+                                    unset($statics);
+                                    break 2;
+                                }
+
                                 $resvar = 'static ' . $lvalue;
                                 $name = unquoteName($src);
@@ -1203 +1226 @@
                     if ($opc == XC_ISSET_ISEMPTY_VAR) {
                         $rvalue = $this->getOpVal($op1, $EX);
+                        // for < PHP_5_3
+                        if ($op1['op_type'] == XC_IS_CONST) {
+                            $rvalue = '$' . unquoteVariableName($this->getOpVal($op1, $EX));
+                        }
                         if ($op2['EA.type'] == ZEND_FETCH_STATIC_MEMBER) {
                             $class = $this->getOpVal($op2, $EX);
@@ -1227 +1254 @@
                     switch ((!ZEND_ENGINE_2 ? $op['op2']['var'] /* constant */ : $ext) & (ZEND_ISSET|ZEND_ISEMPTY)) {
                     case ZEND_ISSET:
-                        $rvalue = "isset($rvalue)";
+                        $rvalue = "isset(" . str($rvalue) . ")";
                         break;
                     case ZEND_ISEMPTY:
-                        $rvalue = "empty($rvalue)";
+                        $rvalue = "empty(" . str($rvalue) . ")";
                         break;
                     }
@@ -1838 +1865 @@
     }
     // }}}
+    function duses(&$EX, $indent) // {{{
+    {
+        if ($EX['uses']) {
+            echo ' use(', implode(', ', $EX['uses']), ')';
+        }
+    }
+    // }}}
     function dfunction($func, $indent = '', $nobody = false) // {{{
     {
@@ -1846 +1880 @@
             $EX['op_array'] = &$func['op_array'];
             $EX['recvs'] = array();
+            $EX['uses'] = array();
         }
         else {
@@ -1852 +1887 @@
             $EX = &$this->dop_array($func['op_array'], $newindent);
             $body = ob_get_clean();
-            if (!isset($EX['recvs'])) {
-                $EX['recvs'] = array();
-            }
         }
 
@@ -1861 +1893 @@
             $functionName = '';
         }
-        echo 'function ', $functionName, '(';
+        echo 'function', $functionName ? ' ' . $functionName : '', '(';
         $this->dargs($EX, $indent);
         echo ")";
+        $this->duses($EX, $indent);
         if ($nobody) {
             echo ";\n";
@@ -2231 +2264 @@
 define('IS_CONSTANT', 8);
 define('IS_CONSTANT_ARRAY',   9);
+/* Ugly hack to support constants as static array indices */
+define('IS_CONSTANT_TYPE_MASK',   0x0f);
+define('IS_CONSTANT_UNQUALIFIED', 0x10);
+define('IS_CONSTANT_INDEX',       0x80);
+define('IS_LEXICAL_VAR',          0x20);
+define('IS_LEXICAL_REF',          0x40);
 
 @define('XC_IS_CV', 16);

branches/1.3/NEWS

@@ -1 +1 @@
 1.3.2 2011-??-??
 ========
+ * admin page security fix
  * adds 30 seconds timeout to "compiling" flag
  * improves decompiling

branches/1.3/admin/common.php

@@ -1 +1 @@
 <?php
+
+function xcache_validateFileName($name)
+{
+    return preg_match('!^[a-zA-Z0-9._-]+$!', $name);
+}
 
 function get_language_file_ex($name, $l, $s)
@@ -16 +21 @@
         $l = $lmap[$l];
     }
-    if (file_exists($file = "$name-$l-$s.lang.php")) {
+    $file = "$name-$l-$s.lang.php";
+    if (xcache_validateFileName($file) && file_exists($file)) {
         return $file;
     }
     if (isset($smap[$s])) {
         $s = $smap[$s];
-        if (file_exists($file = "$name-$l-$s.lang.php")) {
+        $file = "$name-$l-$s.lang.php";
+        if (xcache_validateFileName($file) && file_exists($file)) {
             return $file;
         }
     }
-    if (file_exists($file = "$name-$l.lang.php")) {
+    $file = "$name-$l.lang.php";
+    if (xcache_validateFileName($file) && file_exists($file)) {
         return $file;
     }
@@ -39 +47 @@
         $file = get_language_file_ex($name, $l, $s);
         if (!isset($file)) {
-            $l = strtok($l, '-');
+            $l = strtok($l, ':-');
             $file = get_language_file_ex($name, $l, $s);
         }
@@ -45 +53 @@
     else if (!empty($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
         foreach (explode(',', str_replace(' ', '', $_SERVER['HTTP_ACCEPT_LANGUAGE'])) as $l) {
-            $l = strtok($l, ';');
+            $l = strtok($l, ':;');
             $file = get_language_file_ex($name, $l, $s);
             if (isset($file)) {
@@ -52 +60 @@
             }
             if (strpos($l, '-') !== false) {
-                $ll = strtok($l, '-');
+                $ll = strtok($l, ':-');
                 $file = get_language_file_ex($name, $ll, $s);
                 if (isset($file)) {

branches/1.3/decompilesample.php

@@ -360 +360 @@
 $total = 0;
 $tax = 1;
-$callback = function ($quantity, $product) use ($tax, &$total) {
-    static $static = array(1);
+$callback = function($quantity, $product) use($tax, &$total) {
     $tax = 'tax';
+    static $static1 = array(1);
+    static $static2;
+    $tax = 'tax';
+    $tax = --$tax;
     $pricePerItem = constant('PRICE_' . strtoupper($product));
     $total += $pricePerItem * $quantity * ($tax + 1);

branches/1.3/opcode_spec_def.h

@@ -147 +147 @@
     OPSPEC(    UNUSED,      VAR_2,        STD,        VAR) /* 97 FETCH_OBJ_UNSET                */
     OPSPEC(    UNUSED,        STD,        STD,        VAR) /* 98 FETCH_DIM_TMP_VAR              */
-#ifdef ZEND_ENGINE_2
+#ifdef ZEND_ENGINE_2_3
+    OPSPEC(    UNUSED,      VAR_2,        STD,        TMP) /* 99 FETCH_CONSTANT                 */
+#elif defined(ZEND_ENGINE_2)
     OPSPEC(    UNUSED,     UCLASS,        STD,        TMP) /* 99 FETCH_CONSTANT                 */
 #else

branches/1.3/utils.c

@@ -244 +244 @@
             case IS_TMP_VAR:
                 break;
-
-            case IS_CONST:
-                if (spec == OPSPEC_UCLASS) {
-                    break;
-                }
-                /* fall */
 
             default:

branches/1.3/xcache.c

@@ -2280 +2280 @@
 }
 /* }}} */
+/* {{{ proto int xcache_get_refcount(mixed variable)
+   XCache internal uses only: Get reference count of variable */
+PHP_FUNCTION(xcache_get_refcount)
+{
+    zval *variable;
+    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &variable) == FAILURE) {
+        RETURN_NULL();
+    }
+
+    RETURN_LONG(Z_REFCOUNT_P(variable));
+}
+/* }}} */
+/* {{{ proto bool xcache_get_isref(mixed variable)
+   XCache internal uses only: Check if variable data is marked referenced */
+ZEND_BEGIN_ARG_INFO_EX(arginfo_xcache_get_isref, 0, 0, 1)
+    ZEND_ARG_INFO(1, variable)
+ZEND_END_ARG_INFO()
+
+PHP_FUNCTION(xcache_get_isref)
+{
+    zval *variable;
+    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &variable) == FAILURE) {
+        RETURN_NULL();
+    }
+
+    RETURN_BOOL(Z_ISREF_P(variable) && Z_REFCOUNT_P(variable) >= 3);
+}
+/* }}} */
 #ifdef HAVE_XCACHE_DPRINT
 /* {{{ proto bool  xcache_dprint(mixed value)
@@ -2428 +2456 @@
 /* }}} */
 #endif
-/* {{{ proto mixed xcache_get_special_value(zval value) */
+/* {{{ proto mixed xcache_get_special_value(zval value)
+   XCache internal use only: For decompiler to get static value with type fixed */
 PHP_FUNCTION(xcache_get_special_value)
 {
@@ -2453 +2482 @@
         RETURN_NULL();
     }
+}
+/* }}} */
+/* {{{ proto int xcache_get_type(zval value)
+   XCache internal use only for disassembler to get variable type in engine level */
+PHP_FUNCTION(xcache_get_type)
+{
+    zval *value;
+
+    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &value) == FAILURE) {
+        return;
+    }
+
+    RETURN_LONG(Z_TYPE_P(value));
 }
 /* }}} */
@@ -2507 +2549 @@
 #endif
     PHP_FE(xcache_get_special_value, NULL)
+    PHP_FE(xcache_get_type,          NULL)
     PHP_FE(xcache_get_op_type,       NULL)
     PHP_FE(xcache_get_data_type,     NULL)
@@ -2521 +2564 @@
     PHP_FE(xcache_unset,             NULL)
     PHP_FE(xcache_unset_by_prefix,   NULL)
+    PHP_FE(xcache_get_refcount,      NULL)
+    PHP_FE(xcache_get_isref,         arginfo_xcache_get_isref)
 #ifdef HAVE_XCACHE_DPRINT
     PHP_FE(xcache_dprint,            NULL)