libinjection v3.2.0

Nick Galbreath 2013-07-12 11:34:27 +09:00
parent 9eca8b5ca1
commit 65e97684bb
3 changed files with 439 additions and 201 deletions


@ -19,7 +19,7 @@ extern "C" {
* See python's normalized version * See python's normalized version
* http://www.python.org/dev/peps/pep-0386/#normalizedversion * http://www.python.org/dev/peps/pep-0386/#normalizedversion
*/ */
#define LIBINJECTION_VERSION "3.1.0" #define LIBINJECTION_VERSION "3.2.0"
/** /**
* Libinjection's sqli module makes a "normalized" * Libinjection's sqli module makes a "normalized"


@ -1076,6 +1076,7 @@ static size_t parse_number(sfilter * sf)
{ {
size_t xlen; size_t xlen;
size_t start; size_t start;
const char* digits = NULL;
const char *cs = sf->s; const char *cs = sf->s;
const size_t slen = sf->slen; const size_t slen = sf->slen;
size_t pos = sf->pos; size_t pos = sf->pos;
@ -1083,18 +1084,22 @@ static size_t parse_number(sfilter * sf)
/* cs[pos] == '0' has 1/10 chance of being true, /* cs[pos] == '0' has 1/10 chance of being true,
* while pos+1< slen is almost always true * while pos+1< slen is almost always true
*/ */
if (cs[pos] == '0' && pos + 1 < slen && (cs[pos + 1] == 'X' || cs[pos + 1] == 'x')) { if (cs[pos] == '0' && pos + 1 < slen) {
/* if (cs[pos + 1] == 'X' || cs[pos + 1] == 'x') {
* TBD compare if isxdigit digits = "0123456789ABCDEFabcdef";
*/ } else if (cs[pos + 1] == 'B' || cs[pos + 1] == 'b') {
xlen = digits = "01";
strlenspn(cs + pos + 2, slen - pos - 2, "0123456789ABCDEFabcdef"); }
if (xlen == 0) {
st_assign(sf->current, TYPE_BAREWORD, pos, 2, cs + pos); if (digits) {
return pos + 2; xlen = strlenspn(cs + pos + 2, slen - pos - 2, digits);
} else { if (xlen == 0) {
st_assign(sf->current, TYPE_NUMBER, pos, 2 + xlen, cs + pos); st_assign(sf->current, TYPE_BAREWORD, pos, 2, cs + pos);
return pos + 2 + xlen; return pos + 2;
} else {
st_assign(sf->current, TYPE_NUMBER, pos, 2 + xlen, cs + pos);
return pos + 2 + xlen;
}
} }
} }
@ -1297,7 +1302,7 @@ int filter_fold(sfilter * sf)
{ {
stoken_t last_comment; stoken_t last_comment;
/* POS is the positive of where the NEXT token goes */ /* POS is the position of where the NEXT token goes */
size_t pos = 0; size_t pos = 0;
/* LEFT is a count of how many tokens that are already /* LEFT is a count of how many tokens that are already
@ -1344,7 +1349,7 @@ int filter_fold(sfilter * sf)
} }
FOLD_DEBUG FOLD_DEBUG
/* did we get 2 tokens? if not then we are done */ /* did we get 2 tokens? if not then we are done */
if (pos - left != 2) { if (pos - left < 2) {
left = pos; left = pos;
break; break;
} }
@ -1460,11 +1465,10 @@ int filter_fold(sfilter * sf)
st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]); st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]);
pos -= 1; pos -= 1;
sf->stats_folds += 1; sf->stats_folds += 1;
left = 0;
continue; continue;
} }
/* all cases of handing 2 tokens is done /* all cases of handing 2 tokens is done
and nothing matched. Get one more token and nothing matched. Get one more token
*/ */
@ -1483,7 +1487,7 @@ int filter_fold(sfilter * sf)
} }
/* do we have three tokens? If not then we are done */ /* do we have three tokens? If not then we are done */
if (pos -left != 3) { if (pos -left < 3) {
left = pos; left = pos;
break; break;
} }
@ -1515,7 +1519,7 @@ int filter_fold(sfilter * sf)
continue; continue;
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER || } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_NUMBER ||
sf->tokenvec[left].type == TYPE_VARIABLE || sf->tokenvec[left].type == TYPE_STRING) && sf->tokenvec[left].type == TYPE_VARIABLE || sf->tokenvec[left].type == TYPE_STRING) &&
sf->tokenvec[left+1].type == TYPE_OPERATOR && sf->tokenvec[left+1].type == TYPE_OPERATOR && streq(sf->tokenvec[left+1].val, "::") &&
sf->tokenvec[left+2].type == TYPE_SQLTYPE) { sf->tokenvec[left+2].type == TYPE_SQLTYPE) {
pos -= 2; pos -= 2;
sf->stats_folds += 2; sf->stats_folds += 2;
@ -1569,7 +1573,9 @@ int filter_fold(sfilter * sf)
if (left > 0) { if (left > 0) {
left -= 1; left -= 1;
} }
pos -=3; /* pos is >= 3 so this is safe */
assert(pos >= 3);
pos -= 3;
continue; continue;
} else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_STRING)&& } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_STRING)&&
(sf->tokenvec[left+1].type == TYPE_BAREWORD && sf->tokenvec[left+1].val[0] == '.') && (sf->tokenvec[left+1].type == TYPE_BAREWORD && sf->tokenvec[left+1].val[0] == '.') &&
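Review bot: The new `assert(pos >= 3);` ahead of `pos -= 3;` in filter_fold is the only guard on an unsigned index into `sf->tokenvec`; it compiles away under NDEBUG, and in a debug build a failing assert aborts the host process on whatever input the tokenizer was given. The invariant appears to rest on the earlier `if (pos -left < 3)` test, but `pos` is `size_t` (and `left` presumably is too), so if `left` ever exceeded `pos` the difference would wrap and pass that test, whereas the old `!=` form would have hit the `break`. I would write both length checks so they cannot wrap, `if (pos < left + 2) {` and `if (pos < left + 3) {`, and keep the assert only as documentation of the invariant. filter_fold begins and ends outside these hunks, so whether `left <= pos` always holds cannot be confirmed from the visible lines.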
