mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-13 21:36:00 +03:00
Merge pull request #130 from client9/remotes/trunk
libinjection sync v3.4.1
This commit is contained in:
Breno Silva
commit
50f9d01406
@ -19,7 +19,7 @@ extern "C" {
|
||||
* See python's normalized version
|
||||
* http://www.python.org/dev/peps/pep-0386/#normalizedversion
|
||||
*/
|
||||
#define LIBINJECTION_VERSION "3.3.0"
|
||||
#define LIBINJECTION_VERSION "3.4.1"
|
||||
|
||||
/**
|
||||
* Libinjection's sqli module makes a "normalized"
|
||||
@ -39,12 +39,12 @@ extern "C" {
|
||||
|
||||
enum lookup_type {
|
||||
FLAG_NONE = 0,
|
||||
FLAG_QUOTE_NONE = 0,
|
||||
FLAG_QUOTE_SINGLE = 1 << 1,
|
||||
FLAG_QUOTE_DOUBLE = 1 << 2,
|
||||
FLAG_QUOTE_NONE = 1 << 1,
|
||||
FLAG_QUOTE_SINGLE = 1 << 2,
|
||||
FLAG_QUOTE_DOUBLE = 1 << 3,
|
||||
|
||||
FLAG_SQL_ANSI = 1 << 3,
|
||||
FLAG_SQL_MYSQL = 1 << 4,
|
||||
FLAG_SQL_ANSI = 1 << 4,
|
||||
FLAG_SQL_MYSQL = 1 << 5,
|
||||
|
||||
LOOKUP_WORD,
|
||||
LOOKUP_TYPE,
|
||||
@ -249,6 +249,12 @@ char libinjection_sqli_lookup_word(sfilter *sql_state, int lookup_type,
|
||||
*/
|
||||
int libinjection_sqli_tokenize(sfilter * sql_state);
|
||||
|
||||
/**
|
||||
* parses and folds input, up to 5 tokens
|
||||
*
|
||||
*/
|
||||
int libinjection_sqli_fold(sfilter * sql_state);
|
||||
|
||||
/** The built-in default function to match fingerprints
|
||||
* and do false negative/positive analysis. This calls the following
|
||||
* two functions. With this, you over-ride one part or the other.
|
||||
|
||||
@ -54,7 +54,7 @@ typedef enum {
|
||||
TYPE_OPERATOR = (int)'o',
|
||||
TYPE_LOGIC_OPERATOR = (int)'&',
|
||||
TYPE_COMMENT = (int)'c',
|
||||
TYPE_COLLATE = (int)'a',
|
||||
TYPE_COLLATE = (int)'A',
|
||||
TYPE_LEFTPARENS = (int)'(',
|
||||
TYPE_RIGHTPARENS = (int)')', /* not used? */
|
||||
TYPE_COMMA = (int)',',
|
||||
@ -1220,6 +1220,10 @@ int libinjection_sqli_tokenize(sfilter * sf)
|
||||
|
||||
void libinjection_sqli_init(sfilter * sf, const char *s, size_t len, int flags)
|
||||
{
|
||||
if (flags == 0) {
|
||||
flags = FLAG_QUOTE_NONE | FLAG_SQL_ANSI;
|
||||
}
|
||||
|
||||
memset(sf, 0, sizeof(sfilter));
|
||||
sf->s = s;
|
||||
sf->slen = len;
|
||||
@ -1231,6 +1235,9 @@ void libinjection_sqli_init(sfilter * sf, const char *s, size_t len, int flags)
|
||||
|
||||
void libinjection_sqli_reset(sfilter * sf, int flags)
|
||||
{
|
||||
if (flags == 0) {
|
||||
flags = FLAG_QUOTE_NONE | FLAG_SQL_ANSI;
|
||||
}
|
||||
libinjection_sqli_init(sf, sf->s, sf->slen, flags);
|
||||
sf->lookup = sf->lookup;
|
||||
sf->userdata = sf->userdata;
|
||||
@ -1309,7 +1316,7 @@ static int syntax_merge_words(sfilter * sf,stoken_t * a, stoken_t * b)
|
||||
}
|
||||
}
|
||||
|
||||
int filter_fold(sfilter * sf)
|
||||
int libinjection_sqli_fold(sfilter * sf)
|
||||
{
|
||||
stoken_t last_comment;
|
||||
|
||||
@ -1546,8 +1553,8 @@ int filter_fold(sfilter * sf)
|
||||
continue;
|
||||
} else if (sf->tokenvec[left].type == TYPE_VARIABLE &&
|
||||
sf->tokenvec[left+1].type == TYPE_OPERATOR &&
|
||||
(sf->tokenvec[left].type == TYPE_VARIABLE || sf->tokenvec[left].type == TYPE_NUMBER ||
|
||||
sf->tokenvec[left].type == TYPE_BAREWORD)) {
|
||||
(sf->tokenvec[left+2].type == TYPE_VARIABLE || sf->tokenvec[left+2].type == TYPE_NUMBER ||
|
||||
sf->tokenvec[left+2].type == TYPE_BAREWORD)) {
|
||||
pos -= 2;
|
||||
continue;
|
||||
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER ) &&
|
||||
@ -1671,7 +1678,7 @@ const char* libinjection_sqli_fingerprint(sfilter * sql_state, int flags)
|
||||
|
||||
libinjection_sqli_reset(sql_state, flags);
|
||||
|
||||
tlen = filter_fold(sql_state);
|
||||
tlen = libinjection_sqli_fold(sql_state);
|
||||
for (i = 0; i < tlen; ++i) {
|
||||
sql_state->fingerprint[i] = sql_state->tokenvec[i].type;
|
||||
}
|
||||
|
||||
@ -884,6 +884,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"01)O(S", 'F'},
|
||||
{"01)O(V", 'F'},
|
||||
{"01)O1", 'F'},
|
||||
{"01)O1&", 'F'},
|
||||
{"01)O1)", 'F'},
|
||||
{"01)O1;", 'F'},
|
||||
{"01)O1B", 'F'},
|
||||
@ -902,6 +903,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"01)ONO", 'F'},
|
||||
{"01)ONU", 'F'},
|
||||
{"01)OS", 'F'},
|
||||
{"01)OS&", 'F'},
|
||||
{"01)OS)", 'F'},
|
||||
{"01)OS;", 'F'},
|
||||
{"01)OSB", 'F'},
|
||||
@ -910,6 +912,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"01)OSO", 'F'},
|
||||
{"01)OSU", 'F'},
|
||||
{"01)OV", 'F'},
|
||||
{"01)OV&", 'F'},
|
||||
{"01)OV)", 'F'},
|
||||
{"01)OV;", 'F'},
|
||||
{"01)OVB", 'F'},
|
||||
@ -1375,6 +1378,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"01F()U", 'F'},
|
||||
{"01F()V", 'F'},
|
||||
{"01F(1)", 'F'},
|
||||
{"01F(1N", 'F'},
|
||||
{"01F(1O", 'F'},
|
||||
{"01F(F(", 'F'},
|
||||
{"01F(N)", 'F'},
|
||||
@ -4646,6 +4650,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0NF()U", 'F'},
|
||||
{"0NF()V", 'F'},
|
||||
{"0NF(1)", 'F'},
|
||||
{"0NF(1N", 'F'},
|
||||
{"0NF(1O", 'F'},
|
||||
{"0NF(F(", 'F'},
|
||||
{"0NF(N)", 'F'},
|
||||
@ -5825,6 +5830,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0S)O(S", 'F'},
|
||||
{"0S)O(V", 'F'},
|
||||
{"0S)O1", 'F'},
|
||||
{"0S)O1&", 'F'},
|
||||
{"0S)O1)", 'F'},
|
||||
{"0S)O1;", 'F'},
|
||||
{"0S)O1B", 'F'},
|
||||
@ -5843,6 +5849,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0S)ONO", 'F'},
|
||||
{"0S)ONU", 'F'},
|
||||
{"0S)OS", 'F'},
|
||||
{"0S)OS&", 'F'},
|
||||
{"0S)OS)", 'F'},
|
||||
{"0S)OS;", 'F'},
|
||||
{"0S)OSB", 'F'},
|
||||
@ -5851,6 +5858,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0S)OSO", 'F'},
|
||||
{"0S)OSU", 'F'},
|
||||
{"0S)OV", 'F'},
|
||||
{"0S)OV&", 'F'},
|
||||
{"0S)OV)", 'F'},
|
||||
{"0S)OV;", 'F'},
|
||||
{"0S)OVB", 'F'},
|
||||
@ -6360,6 +6368,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0SF()U", 'F'},
|
||||
{"0SF()V", 'F'},
|
||||
{"0SF(1)", 'F'},
|
||||
{"0SF(1N", 'F'},
|
||||
{"0SF(1O", 'F'},
|
||||
{"0SF(F(", 'F'},
|
||||
{"0SF(N)", 'F'},
|
||||
@ -8163,6 +8172,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0V)O(S", 'F'},
|
||||
{"0V)O(V", 'F'},
|
||||
{"0V)O1", 'F'},
|
||||
{"0V)O1&", 'F'},
|
||||
{"0V)O1)", 'F'},
|
||||
{"0V)O1;", 'F'},
|
||||
{"0V)O1B", 'F'},
|
||||
@ -8181,6 +8191,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0V)ONO", 'F'},
|
||||
{"0V)ONU", 'F'},
|
||||
{"0V)OS", 'F'},
|
||||
{"0V)OS&", 'F'},
|
||||
{"0V)OS)", 'F'},
|
||||
{"0V)OS;", 'F'},
|
||||
{"0V)OSB", 'F'},
|
||||
@ -8189,6 +8200,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0V)OSO", 'F'},
|
||||
{"0V)OSU", 'F'},
|
||||
{"0V)OV", 'F'},
|
||||
{"0V)OV&", 'F'},
|
||||
{"0V)OV)", 'F'},
|
||||
{"0V)OV;", 'F'},
|
||||
{"0V)OVB", 'F'},
|
||||
@ -8698,6 +8710,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"0VF()U", 'F'},
|
||||
{"0VF()V", 'F'},
|
||||
{"0VF(1)", 'F'},
|
||||
{"0VF(1N", 'F'},
|
||||
{"0VF(1O", 'F'},
|
||||
{"0VF(F(", 'F'},
|
||||
{"0VF(N)", 'F'},
|
||||
@ -9870,6 +9883,7 @@ static const keyword_t sql_keywords[] = {
|
||||
{"PRIMARY", 'k'},
|
||||
{"PRINT", 'T'},
|
||||
{"PROCEDURE", 'k'},
|
||||
{"PROCEDURE ANALYSE", 'f'},
|
||||
{"PUBLISHINGSERVERNAME", 'f'},
|
||||
{"PURGE", 'k'},
|
||||
{"PWDCOMPARE", 'f'},
|
||||
@ -10210,5 +10224,5 @@ static const keyword_t sql_keywords[] = {
|
||||
{"||", '&'},
|
||||
{"~*", 'o'},
|
||||
};
|
||||
static const size_t sql_keywords_sz = 10043;
|
||||
static const size_t sql_keywords_sz = 10057;
|
||||
#endif
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user