github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-16 07:56:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #128 from client9/remotes/trunk

Browse Source 
libinjection v3.3.0 sync
This commit is contained in:
Breno Silva 2013-07-13 12:26:20 -07:00
commit 3f080fa8ce
3 changed files with 434 additions and 744 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apache2/libinjection/libinjection.h
View File

@ -19,7 +19,7 @@ extern "C" {
* See python's normalized version * See python's normalized version
* http://www.python.org/dev/peps/pep-0386/#normalizedversion * http://www.python.org/dev/peps/pep-0386/#normalizedversion
*/ */
#define LIBINJECTION_VERSION "3.2.0" #define LIBINJECTION_VERSION "3.3.0"
/** /**
* Libinjection's sqli module makes a "normalized" * Libinjection's sqli module makes a "normalized"

49
apache2/libinjection/libinjection_sqli.c
View File

@ -54,15 +54,17 @@ typedef enum {
TYPE_OPERATOR = (int)'o', TYPE_OPERATOR = (int)'o',
TYPE_LOGIC_OPERATOR = (int)'&', TYPE_LOGIC_OPERATOR = (int)'&',
TYPE_COMMENT = (int)'c', TYPE_COMMENT = (int)'c',
TYPE_COLLATE = (int)'a',
TYPE_LEFTPARENS = (int)'(', TYPE_LEFTPARENS = (int)'(',
TYPE_RIGHTPARENS = (int)')', /* not used? */ TYPE_RIGHTPARENS = (int)')', /* not used? */
TYPE_COMMA = (int)',', TYPE_COMMA = (int)',',
TYPE_COLON = (int)':', TYPE_COLON = (int)':',
TYPE_SEMICOLON = (int)';', TYPE_SEMICOLON = (int)';',
TYPE_TSQL = (int)'T', /* TSQL start */ TYPE_TSQL = (int)'T', /* TSQL start */
TYPE_UNKNOWN = (int)'?', TYPE_UNKNOWN = (int)'?',
TYPE_EVIL = (int)'X', /* unparsable, abort */ TYPE_EVIL = (int)'X', /* unparsable, abort */
TYPE_FINGERPRINT = (int)'F' /* not really a token */ TYPE_FINGERPRINT = (int)'F', /* not really a token */
TYPE_BACKSLASH = (int)'\\'
} sqli_token_types; } sqli_token_types;
/** /**
@ -80,8 +82,6 @@ static char flag2delim(int flag)
} }
} }
/* memchr2 finds a string of 2 characters inside another string /* memchr2 finds a string of 2 characters inside another string
* This a specialized version of "memmem" or "memchr". * This a specialized version of "memmem" or "memchr".
* 'memmem' doesn't exist on all platforms * 'memmem' doesn't exist on all platforms
@ -307,6 +307,13 @@ static void st_copy(stoken_t * dest, const stoken_t * src)
memcpy(dest, src, sizeof(stoken_t)); memcpy(dest, src, sizeof(stoken_t));
} }
static int st_is_arithmetic_op(const stoken_t* st)
{
const char ch = st->val[0];
return (st->type == TYPE_OPERATOR && st->len == 1 &&
(ch == '*' || ch == '/' || ch == '-' || ch == '+' || ch == '%'));
}
static int st_is_unary_op(const stoken_t * st) static int st_is_unary_op(const stoken_t * st)
{ {
const char* str = st->val; const char* str = st->val;
@ -524,11 +531,12 @@ static size_t parse_backslash(sfilter * sf)
/* /*
* Weird MySQL alias for NULL, "\N" (capital N only) * Weird MySQL alias for NULL, "\N" (capital N only)
*/ */
if (pos + 1 < slen && cs[pos + 1] == 'N') { if (pos + 1 < slen && cs[pos +1] == 'N') {
st_assign(sf->current, TYPE_NUMBER, pos, 2, cs + pos); st_assign(sf->current, TYPE_NUMBER, pos, 2, cs + pos);
return pos + 2; return pos + 2;
} else { } else {
return parse_other(sf); st_assign_char(sf->current, TYPE_BACKSLASH, pos, 1, cs[pos]);
return pos + 1;
} }
} }
@ -1470,6 +1478,27 @@ int filter_fold(sfilter * sf)
sf->stats_folds += 1; sf->stats_folds += 1;
left = 0; left = 0;
continue; continue;
} else if (sf->tokenvec[left].type == TYPE_COLLATE &&
sf->tokenvec[left+1].type == TYPE_BAREWORD) {
/*
* there are too many collation types.. so if the bareword has a "_"
* then it's TYPE_SQLTYPE
*/
if (strchr(sf->tokenvec[left+1].val, '_') != NULL) {
sf->tokenvec[left+1].type = TYPE_SQLTYPE;
}
} else if (sf->tokenvec[left].type == TYPE_BACKSLASH) {
if (st_is_arithmetic_op(&(sf->tokenvec[left+1]))) {
/* very weird case in TSQL where '\%1' is parsed as '0 % 1', etc */
sf->tokenvec[left].type = TYPE_NUMBER;
} else {
/* just ignore it.. Again T-SQL seems to parse \1 as "1" */
st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]);
pos -= 1;
sf->stats_folds += 1;
}
left = 0;
continue;
} }
/* all cases of handing 2 tokens is done /* all cases of handing 2 tokens is done
@ -1515,6 +1544,12 @@ int filter_fold(sfilter * sf)
sf->tokenvec[left+2].type == TYPE_LOGIC_OPERATOR) { sf->tokenvec[left+2].type == TYPE_LOGIC_OPERATOR) {
pos -= 2; pos -= 2;
continue; continue;
} else if (sf->tokenvec[left].type == TYPE_VARIABLE &&
sf->tokenvec[left+1].type == TYPE_OPERATOR &&
(sf->tokenvec[left].type == TYPE_VARIABLE || sf->tokenvec[left].type == TYPE_NUMBER ||
sf->tokenvec[left].type == TYPE_BAREWORD)) {
pos -= 2;
continue;
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER ) && } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER ) &&
sf->tokenvec[left+1].type == TYPE_OPERATOR && sf->tokenvec[left+1].type == TYPE_OPERATOR &&
(sf->tokenvec[left+2].type == TYPE_NUMBER || sf->tokenvec[left+2].type == TYPE_BAREWORD)) { (sf->tokenvec[left+2].type == TYPE_NUMBER || sf->tokenvec[left+2].type == TYPE_BAREWORD)) {

1127
apache2/libinjection/libinjection_sqli_data.h
View File

File diff suppressed because it is too large Load Diff