github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

v3.1.0

Browse Source
This commit is contained in:
Nick Galbreath 2013-07-02 10:06:50 +09:00
parent 83fdf34dde
commit 9eca8b5ca1
3 changed files with 34 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
apache2/libinjection/libinjection.h
View File

@ -19,7 +19,7 @@ extern "C" {
* See python's normalized version
* http://www.python.org/dev/peps/pep-0386/#normalizedversion
*/
#define LIBINJECTION_VERSION "3.0.0"
#define LIBINJECTION_VERSION "3.1.0"
/**
* Libinjection's sqli module makes a "normalized"
@ -227,21 +227,31 @@ void libinjection_sqli_reset(sfilter* sql_state, int flags);
*
* \param sql_state
*
* \return pointer to sfilter.pat as convience.
* do not free!
* \returns a pointer to sfilter.fingerprint as convenience
* do not free!
*
*/
const char* libinjection_sqli_fingerprint(sfilter * sql_state, int flags);
/**
* The default "word" to token-type or fingerprint function. This
* uses a ASCII case-insensitive binary tree.
*/
char libinjection_sqli_lookup_word(sfilter *sql_state, int lookup_type,
const char* s, size_t slen);
/* Streaming tokenization interface.
*
* sql_state->current is updated with the current token.
*
* \returns 1, has a token, keep going, or 0 no tokens
*
*/
int libinjection_sqli_tokenize(sfilter * sql_state);
/** The built-in default function to match fingerprints
* and do false negative/positive analysis. This calls the following
* two functions. With this, you other-ride one part or the other.
* two functions. With this, you over-ride one part or the other.
*
* return libinjection_sqli_blacklist(sql_state) &&
* libinject_sqli_not_whitelist(sql_state);

14
apache2/libinjection/libinjection_sqli.c
View File

@ -181,9 +181,10 @@ static int char_is_white(char ch) {
'\v' 0x0b \013 verical tab
'\f' 0x0c \014 new page
'\r' 0x0d \015 carriage return
0x00 \000 null (oracle)
0xa0 \240 is latin1
*/
return strchr(" \t\n\v\f\r\240", ch) != NULL;
return strchr(" \t\n\v\f\r\240\000", ch) != NULL;
}
/* DANGER DANGER
@ -872,7 +873,7 @@ static size_t parse_word(sfilter * sf)
const char *cs = sf->s;
size_t pos = sf->pos;
size_t wlen = strlencspn(cs + pos, sf->slen - pos,
" <>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r\"");
" <>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r\"\000");
st_assign(sf->current, TYPE_BAREWORD, pos, wlen, cs + pos);
@ -1125,6 +1126,15 @@ static size_t parse_number(sfilter * sf)
}
}
/* oracle's ending float or double suffix
* http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements003.htm#i139891
*/
if (pos < slen) {
if (cs[pos] == 'd' || cs[pos] == 'D' || cs[pos] == 'f' || cs[pos] == 'F') {
pos += 1;
}
}
st_assign(sf->current, TYPE_NUMBER, start, pos - start, cs + start);
return pos;
}

8
apache2/libinjection/libinjection_sqli_data.h
View File

@ -9686,6 +9686,7 @@ static const keyword_t sql_keywords[] = {
{"FROM_DAYS", 'f'},
{"FROM_UNIXTIME", 'f'},
{"FULL OUTER", 'k'},
{"FULL OUTER JOIN", 'k'},
{"FULLTEXT", 'k'},
{"FULLTEXTCATALOGPROPERTY", 'f'},
{"FULLTEXTSERVICEPROPERTY", 'f'},
@ -9741,6 +9742,7 @@ static const keyword_t sql_keywords[] = {
{"INFILE", 'k'},
{"INITCAP", 'f'},
{"INNER", 'k'},
{"INNER JOIN", 'k'},
{"INOUT", 'k'},
{"INSENSITIVE", 'k'},
{"INSERT", 'E'},
@ -9808,6 +9810,7 @@ static const keyword_t sql_keywords[] = {
{"LEFT", 'n'},
{"LEFT JOIN", 'k'},
{"LEFT OUTER", 'k'},
{"LEFT OUTER JOIN", 'k'},
{"LENGTH", 'f'},
{"LIKE", 'o'},
{"LIMIT", 'B'},
@ -9874,6 +9877,8 @@ static const keyword_t sql_keywords[] = {
{"NATURAL INNER", 'k'},
{"NATURAL JOIN", 'k'},
{"NATURAL LEFT", 'k'},
{"NATURAL LEFT OUTER", 'k'},
{"NATURAL LEFT OUTER JOIN", 'k'},
{"NATURAL OUTER", 'k'},
{"NATURAL RIGHT", 'k'},
{"NETMASK", 'f'},
@ -10029,6 +10034,7 @@ static const keyword_t sql_keywords[] = {
{"RIGHT", 'n'},
{"RIGHT JOIN", 'k'},
{"RIGHT OUTER", 'k'},
{"RIGHT OUTER JOIN", 'k'},
{"RLIKE", 'o'},
{"ROUND", 'f'},
{"ROW", 'f'},
@ -10317,5 +10323,5 @@ static const keyword_t sql_keywords[] = {
{"||", '&'},
{"~*", 'o'},
};
static const size_t sql_keywords_sz = 10150;
static const size_t sql_keywords_sz = 10156;
#endif