Fossil

Diff

Differences From Artifact [3bf2a125e7]:

To Artifact [ca2e8181e9]:


747
748
749
750
751
752
753

754
755
756
757
758
759
760
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761







+







static int seqQP = 0;    /* Sequence numbers */
static struct QParam {   /* One entry for each query parameter or cookie */
  const char *zName;        /* Parameter or cookie name */
  const char *zValue;       /* Value of the query parameter or cookie */
  int seq;                  /* Order of insertion */
  char isQP;                /* True for query parameters */
  char cTag;                /* Tag on query parameters */
  char isFetched;           /* 1 if the var is requested via P/PD() */
} *aParamQP;             /* An array of all parameters and cookies */

/*
** Add another query parameter or cookie to the parameter set.
** zName is the name of the query parameter or cookie and zValue
** is its fully decoded value.
**
774
775
776
777
778
779
780

781
782
783
784
785
786
787
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789







+







  aParamQP[nUsedQP].zValue = zValue;
  if( g.fHttpTrace ){
    fprintf(stderr, "# cgi: %s = [%s]\n", zName, zValue);
  }
  aParamQP[nUsedQP].seq = seqQP++;
  aParamQP[nUsedQP].isQP = isQP;
  aParamQP[nUsedQP].cTag = 0;
  aParamQP[nUsedQP].isFetched = 0;
  nUsedQP++;
  sortQP = 1;
}

/*
** Add another query parameter or cookie to the parameter set.
** zName is the name of the query parameter or cookie and zValue
1501
1502
1503
1504
1505
1506
1507

1508
1509
1510
1511
1512
1513
1514
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517







+







  lo = 0;
  hi = nUsedQP-1;
  while( lo<=hi ){
    mid = (lo+hi)/2;
    c = fossil_strcmp(aParamQP[mid].zName, zName);
    if( c==0 ){
      CGIDEBUG(("mem-match [%s] = [%s]\n", zName, aParamQP[mid].zValue));
      aParamQP[mid].isFetched = 1;
      return aParamQP[mid].zValue;
    }else if( c>0 ){
      hi = mid-1;
    }else{
      lo = mid+1;
    }
  }
1540
1541
1542
1543
1544
1545
1546
1547

1548
1549
1550
1551
1552
1553
1554
1543
1544
1545
1546
1547
1548
1549

1550
1551
1552
1553
1554
1555
1556
1557







-
+







  style_header("Malicious Query Detected");
  @ <h2>Begone, Fiend!</h2>
  @ <p>This page was generated because Fossil believes it has
  @ detected an SQL injection attack. If you believe you are seeing
  @ this in error, contact the developers on the Fossil-SCM Forum.  Type
  @ "fossil-scm forum" into any search engine to locate the Fossil-SCM Forum.
  style_finish_page();
  cgi_set_status(404,"Robot Attack Detected");
  cgi_set_status(418,"Robot Attack Detected");
  cgi_reply();
  exit(0);
}

/*
** If looks_like_sql_injection() returns true for the given string, calls
** cgi_begone_spider() and does not return, else this function has no
1768
1769
1770
1771
1772
1773
1774
1775

1776
1777
1778
1779
1780
1781
1782
1771
1772
1773
1774
1775
1776
1777

1778
1779
1780
1781
1782
1783
1784
1785







-
+







      if( fossil_strnicmp("fossil-",zName,7)==0 ) continue;
    }
    switch( eDest ){
      case 0: {
        cgi_printf("%h = %h  <br>\n", zName, aParamQP[i].zValue);
        break;
      }
      case 1: {  
      case 1: {
        fossil_trace("%s = %s\n", zName, aParamQP[i].zValue);
        break;
      }
      case 2: {
        cgi_debug("%s = %s\n", zName, aParamQP[i].zValue);
        break;
      }
2702
2703
2704
2705
2706
2707
2708




















2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731







+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
*/
int cgi_from_mobile(void){
  const char *zAgent = P("HTTP_USER_AGENT");
  if( zAgent==0 ) return 0;
  if( sqlite3_strglob("*iPad*", zAgent)==0 ) return 0;
  return sqlite3_strlike("%mobile%", zAgent, 0)==0;
}

/*
** If the CGI environment contains any parameters which were not
** fetched via P(), PD(), or equivalent, its value is passed to
** cgi_value_spider_check(), fatally failing if the value looks to be
** malicious. The intent is to block attempts at attacks which post
** apparent SQL injection attempts using arbitrary query parameter
** names.
*/
void verify_all_options_cgi(void){
  struct QParam * pParam;
  int i;
  for(i = 0; i < nUsedQP; ++i){
    pParam = &aParamQP[i];
    if(0 == pParam->isFetched
       && fossil_islower(pParam->zName[0])){
      cgi_value_spider_check(pParam->zValue);
    }
  }
}
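Review bot: In `verify_all_options_cgi()` (the last hunk), every entry with `isFetched==0` and a lowercase first name character goes to `cgi_value_spider_check()`, which per its header comment in the fourth hunk calls `cgi_begone_spider()` and does not return, so the outcome depends on when this function runs relative to the page's own `P()`/`PD()` lookups. `isFetched` is set only in the `c==0` branch of the binary search in the third hunk; any code that reads `aParamQP` without passing through that branch (none is visible here, so this needs checking) leaves the flag at 0, and a legitimate value containing SQL-looking text would end the request with the 418 reply. The `QParam` comment says the array also holds cookies, so unfetched lowercase-named cookies are checked too, which the new header comment does not mention. I would extend that comment with something like `** Call only after the page has fetched every parameter it uses; unfetched cookies with lowercase names are checked as well.` The functions touched by the second and third hunks begin outside the visible lines, so their other return paths could not be reviewed.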