libinjection sync

2025-08-14 13:56:01 +03:00 · 2013-10-12 21:51:26 +09:00 · 2013-10-12 21:51:26 +09:00 · f52242a013
commit f52242a013
parent 11217207e8
3 changed files with 69 additions and 11 deletions
--- a/apache2/libinjection/libinjection.h
+++ b/apache2/libinjection/libinjection.h
@ -19,7 +19,7 @@ extern "C" {
 * See python's normalized version
 * http://www.python.org/dev/peps/pep-0386/#normalizedversion
 */
-#define LIBINJECTION_VERSION "3.6.0"
+#define LIBINJECTION_VERSION "3.7.0"

 /**
 * Libinjection's sqli module makes a "normalized"
--- a/apache2/libinjection/libinjection_sqli.c
+++ b/apache2/libinjection/libinjection_sqli.c
@ -120,6 +120,23 @@ memchr2(const char *haystack, size_t haystack_len, char c0, char c1)
 }

 /**
+ * memchr might not exist on some systems
+ */
+static const char*
+my_memchr(const char* haystack, size_t hlen, int needle)
+{
+    const char* cur;
+    const char* last =  haystack + hlen;
+    for (cur = haystack; cur < last; ++cur) {
+        if (cur[0] == needle) {
+            return cur;
+        }
+    }
+    return NULL;
+}
+
+/**
+ * memmem might not exist on some systems
 */
 static const char *
 my_memmem(const char* haystack, size_t hlen, const char* needle, size_t nlen)
@ -285,9 +302,11 @@ static void st_clear(stoken_t * st)
 static void st_assign_char(stoken_t * st, const char stype, size_t pos, size_t len,
                           const char value)
 {
+    /* done to elimiate unused warning */
+    (void)len;
    st->type = (char) stype;
    st->pos = pos;
-    st->len = len;
+    st->len = 1;
    st->val[0] = value;
    st->val[1] = CHAR_NULL;
 }
@ -299,7 +318,7 @@ static void st_assign(stoken_t * st, const char stype,
    size_t last = len < MSIZE ? len : (MSIZE - 1);
    st->type = (char) stype;
    st->pos = pos;
-    st->len = len;
+    st->len = last;
    memcpy(st->val, value, last);
    st->val[last] = CHAR_NULL;
 }
@ -857,6 +876,25 @@ static size_t parse_xstring(struct libinjection_sqli_state *sf)
    return pos + 2 + wlen + 1;
 }

+/**
+ * This handles MS SQLSERVER bracket words
+ * http://stackoverflow.com/questions/3551284/sql-serverwhat-do-brackets-mean-around-column-name
+ *
+ */
+static size_t parse_bword(struct libinjection_sqli_state * sf)
+{
+    const char *cs = sf->s;
+    size_t pos = sf->pos;
+    const char* endptr = my_memchr(cs + pos, sf->slen - pos, ']');
+    if (endptr == NULL) {
+        st_assign(sf->current, TYPE_BAREWORD, pos, sf->slen - pos, cs + pos);
+        return sf->slen;
+    } else {
+        st_assign(sf->current, TYPE_BAREWORD, pos, (endptr - cs) - pos + 1, cs + pos);
+        return (endptr - cs) + 1;
+    }
+}
+
 static size_t parse_word(struct libinjection_sqli_state * sf)
 {
    char ch;
@ -865,7 +903,7 @@ static size_t parse_word(struct libinjection_sqli_state * sf)
    const char *cs = sf->s;
    size_t pos = sf->pos;
    size_t wlen = strlencspn(cs + pos, sf->slen - pos,
-                             " {}<>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r\"\000");
+                             " []{}<>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r\"\000");

    st_assign(sf->current, TYPE_BAREWORD, pos, wlen, cs + pos);

@ -1720,8 +1758,7 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
                   (sf->tokenvec[left+2].type == TYPE_NUMBER ||
                    sf->tokenvec[left+2].type == TYPE_BAREWORD ||
                    sf->tokenvec[left+2].type == TYPE_VARIABLE ||
-                    sf->tokenvec[left+2].type == TYPE_STRING ||
-                    sf->tokenvec[left+2].type == TYPE_FUNCTION )) {
+                    sf->tokenvec[left+2].type == TYPE_STRING)) {
            /*
             * interesting case    turn ", -1"  ->> ",1" PLUS we need to back up
             * one token if possible to see if more folding can be done
@ -1735,6 +1772,19 @@ int libinjection_sqli_fold(struct libinjection_sqli_state * sf)
            assert(pos >= 3);
            pos -= 3;
            continue;
+        } else if (sf->tokenvec[left].type == TYPE_COMMA &&
+                   st_is_unary_op(&sf->tokenvec[left+1]) &&
+                   sf->tokenvec[left+2].type == TYPE_FUNCTION) {
+
+            /* Seperate case from above since you end up with
+             * 1,-sin(1) --> 1 (1)
+             * Here, just do
+             * 1,-sin(1) --> 1,sin(1)
+             * just remove unary opartor
+             */
+            st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]);
+            pos -= 1;
+            continue;
        } else if ((sf->tokenvec[left].type == TYPE_BAREWORD) &&
                   (sf->tokenvec[left+1].type == TYPE_DOT) &&
                   (sf->tokenvec[left+2].type == TYPE_BAREWORD)) {
@ -2132,10 +2182,10 @@ static int reparse_as_mysql(struct libinjection_sqli_state * sql_state)
 /*
 * This function is mostly use with SWIG
 */
-struct libinjection_sqli_token* libinjection_sqli_get_token(struct libinjection_sqli_state * sql_state,
-                                                            int i)
+struct libinjection_sqli_token*
+libinjection_sqli_get_token(struct libinjection_sqli_state * sql_state, int i)
 {
-    if (i < 0 || i > (int) strlen(sql_state->fingerprint)) {
+    if (i < 0 || i >  LIBINJECTION_SQLI_MAX_TOKENS) {
        return NULL;
    }
    return &(sql_state->tokenvec[i]);
--- a/apache2/libinjection/libinjection_sqli_data.h
+++ b/apache2/libinjection/libinjection_sqli_data.h
@ -30,6 +30,7 @@ static size_t parse_nqstring(sfilter * sf);
 static size_t parse_xstring(sfilter * sf);
 static size_t parse_bstring(sfilter * sf);
 static size_t parse_estring(sfilter * sf);
+static size_t parse_bword(sfilter * sf);


 typedef size_t (*pt2Function)(sfilter *sf);
@ -125,7 +126,7 @@ static const pt2Function char_parse_map[] = {
   &parse_xstring, /* 88 */
   &parse_word, /* 89 */
   &parse_word, /* 90 */
-   &parse_other, /* 91 */
+   &parse_bword, /* 91 */
   &parse_backslash, /* 92 */
   &parse_other, /* 93 */
   &parse_operator1, /* 94 */
@ -618,6 +619,8 @@ static const keyword_t sql_keywords[] = {
    {"01&VU;", 'F'},
    {"01&VUC", 'F'},
    {"01&VUE", 'F'},
+    {"01(EF(", 'F'},
+    {"01(EKF", 'F'},
    {"01(EKN", 'F'},
    {"01(ENK", 'F'},
    {"01(U(E", 'F'},
@ -3833,6 +3836,7 @@ static const keyword_t sql_keywords[] = {
    {"0N(1OF", 'F'},
    {"0N(1OS", 'F'},
    {"0N(1OV", 'F'},
+    {"0N(EF(", 'F'},
    {"0N(EKN", 'F'},
    {"0N(ENK", 'F'},
    {"0N(F()", 'F'},
@ -5525,6 +5529,8 @@ static const keyword_t sql_keywords[] = {
    {"0S&VU;", 'F'},
    {"0S&VUC", 'F'},
    {"0S&VUE", 'F'},
+    {"0S(EF(", 'F'},
+    {"0S(EKF", 'F'},
    {"0S(EKN", 'F'},
    {"0S(ENK", 'F'},
    {"0S(U(E", 'F'},
@ -7713,6 +7719,8 @@ static const keyword_t sql_keywords[] = {
    {"0V&VU;", 'F'},
    {"0V&VUC", 'F'},
    {"0V&VUE", 'F'},
+    {"0V(EF(", 'F'},
+    {"0V(EKF", 'F'},
    {"0V(EKN", 'F'},
    {"0V(ENK", 'F'},
    {"0V(U(E", 'F'},
@ -9871,5 +9879,5 @@ static const keyword_t sql_keywords[] = {
    {"||", '&'},
    {"~*", 'o'},
 };
-static const size_t sql_keywords_sz = 9705;
+static const size_t sql_keywords_sz = 9712;
 #endif