libinjection v3.3.0 sync

This commit is contained in:
Nick Galbreath 2013-07-13 13:29:50 +09:00
parent 65e97684bb
commit 15f3a3040d
3 changed files with 434 additions and 744 deletions


@ -19,7 +19,7 @@ extern "C" {
* See python's normalized version
* http://www.python.org/dev/peps/pep-0386/#normalizedversion
*/
#define LIBINJECTION_VERSION "3.2.0"
#define LIBINJECTION_VERSION "3.3.0"
/**
* Libinjection's sqli module makes a "normalized"


@ -54,15 +54,17 @@ typedef enum {
TYPE_OPERATOR = (int)'o',
TYPE_LOGIC_OPERATOR = (int)'&',
TYPE_COMMENT = (int)'c',
TYPE_COLLATE = (int)'a',
TYPE_LEFTPARENS = (int)'(',
TYPE_RIGHTPARENS = (int)')', /* not used? */
TYPE_COMMA = (int)',',
TYPE_COLON = (int)':',
TYPE_SEMICOLON = (int)';',
TYPE_TSQL = (int)'T', /* TSQL start */
TYPE_TSQL = (int)'T', /* TSQL start */
TYPE_UNKNOWN = (int)'?',
TYPE_EVIL = (int)'X', /* unparsable, abort */
TYPE_FINGERPRINT = (int)'F' /* not really a token */
TYPE_EVIL = (int)'X', /* unparsable, abort */
TYPE_FINGERPRINT = (int)'F', /* not really a token */
TYPE_BACKSLASH = (int)'\\'
} sqli_token_types;
/**
@ -80,8 +82,6 @@ static char flag2delim(int flag)
}
}
/* memchr2 finds a string of 2 characters inside another string
* This a specialized version of "memmem" or "memchr".
* 'memmem' doesn't exist on all platforms
@ -305,6 +305,13 @@ static void st_copy(stoken_t * dest, const stoken_t * src)
memcpy(dest, src, sizeof(stoken_t));
}
static int st_is_arithmetic_op(const stoken_t* st)
{
const char ch = st->val[0];
return (st->type == TYPE_OPERATOR && st->len == 1 &&
(ch == '*' || ch == '/' || ch == '-' || ch == '+' || ch == '%'));
}
static int st_is_unary_op(const stoken_t * st)
{
const char* str = st->val;
@ -521,11 +528,12 @@ static size_t parse_backslash(sfilter * sf)
/*
* Weird MySQL alias for NULL, "\N" (capital N only)
*/
if (pos + 1 < slen && cs[pos + 1] == 'N') {
if (pos + 1 < slen && cs[pos +1] == 'N') {
st_assign(sf->current, TYPE_NUMBER, pos, 2, cs + pos);
return pos + 2;
} else {
return parse_other(sf);
st_assign_char(sf->current, TYPE_BACKSLASH, pos, 1, cs[pos]);
return pos + 1;
}
}
@ -1467,6 +1475,27 @@ int filter_fold(sfilter * sf)
sf->stats_folds += 1;
left = 0;
continue;
} else if (sf->tokenvec[left].type == TYPE_COLLATE &&
sf->tokenvec[left+1].type == TYPE_BAREWORD) {
/*
* there are too many collation types.. so if the bareword has a "_"
* then it's TYPE_SQLTYPE
*/
if (strchr(sf->tokenvec[left+1].val, '_') != NULL) {
sf->tokenvec[left+1].type = TYPE_SQLTYPE;
}
} else if (sf->tokenvec[left].type == TYPE_BACKSLASH) {
if (st_is_arithmetic_op(&(sf->tokenvec[left+1]))) {
/* very weird case in TSQL where '\%1' is parsed as '0 % 1', etc */
sf->tokenvec[left].type = TYPE_NUMBER;
} else {
/* just ignore it.. Again T-SQL seems to parse \1 as "1" */
st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]);
pos -= 1;
sf->stats_folds += 1;
}
left = 0;
continue;
}
/* all cases of handing 2 tokens is done
@ -1512,6 +1541,12 @@ int filter_fold(sfilter * sf)
sf->tokenvec[left+2].type == TYPE_LOGIC_OPERATOR) {
pos -= 2;
continue;
} else if (sf->tokenvec[left].type == TYPE_VARIABLE &&
sf->tokenvec[left+1].type == TYPE_OPERATOR &&
(sf->tokenvec[left].type == TYPE_VARIABLE || sf->tokenvec[left].type == TYPE_NUMBER ||
sf->tokenvec[left].type == TYPE_BAREWORD)) {
pos -= 2;
continue;
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER ) &&
sf->tokenvec[left+1].type == TYPE_OPERATOR &&
(sf->tokenvec[left+2].type == TYPE_NUMBER || sf->tokenvec[left+2].type == TYPE_BAREWORD)) {
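Review bot: In the filter_fold hunk at @ -1512,6 +1541,12 the TYPE_VARIABLE branch tests `sf->tokenvec[left].type` twice: the parenthesized group re-checks the token at `left`, which the first clause has already established is TYPE_VARIABLE, so the group is always true and the token at `left+2` is never examined before `pos -= 2` folds it away. The neighbouring BAREWORD/NUMBER branch directly below checks `sf->tokenvec[left+2].type`, so the group should read `(sf->tokenvec[left+2].type == TYPE_VARIABLE || sf->tokenvec[left+2].type == TYPE_NUMBER || sf->tokenvec[left+2].type == TYPE_BAREWORD)`. As written, a variable followed by any operator collapses to one token whatever follows the operator, so inputs that are not of the var-op-value shape (a variable, an operator, then a left parenthesis, for instance) produce a different fingerprint than the comment-free intent suggests; a test covering that shape would pin the fix. The page has lost the +/- markers, so this assumes the branch is the hunk's added code, as its six added lines indicate; filter_fold starts and ends outside the hunk.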
