Fossil SCM

Improved detection of XSS and SQL injection attacks.

drh 2025-03-30 22:28 trunk
Commit 5a33f307504dd6874bea708645f9f0238be3fac98dfc060bb60924be45de973a
1 file changed +22 -9
+22 -9
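--- a/src/lookslike.c
+++ b/src/lookslike.c
@@ -486,46 +486,59 @@
 ** Rather, this is part of an effort to do early detection of malicious
 ** spiders to avoid them using up too many CPU cycles.
 */
 int looks_like_sql_injection(const char *zTxt){
 unsigned int i;
+int rc = 0;
 if( zTxt==0 ) return 0;
 for(i=0; zTxt[i]; i++){
 switch( zTxt[i] ){
+case '<':
+if( sqlite3_strnicmp(zTxt+i, "<script>", 8)==0 ) rc = 1;
+break;
 case ';':
 case '\'':
 return 1;
 case '/': /* 0123456789 123456789 */
-if( strncmp(zTxt+i+1, "/wp-content/plugins/", 20)==0 ) return 1;
-if( strncmp(zTxt+i+1, "/wp-admin/admin-ajax", 20)==0 ) return 1;
+if( strncmp(zTxt+i+1, "/wp-content/plugins/", 20)==0 ) rc = 1;
+if( strncmp(zTxt+i+1, "/wp-admin/admin-ajax", 20)==0 ) rc = 1;
 break;
 case 'a':
 case 'A':
-if( isWholeWord(zTxt, i, "and", 3) ) return 1;
+if( isWholeWord(zTxt, i, "and", 3) ) rc = 1;
 break;
 case 'n':
 case 'N':
-if( isWholeWord(zTxt, i, "null", 4) ) return 1;
+if( isWholeWord(zTxt, i, "null", 4) ) rc = 1;
 break;
 case 'o':
 case 'O':
 if( isWholeWord(zTxt, i, "order", 5) && fossil_isspace(zTxt[i+5]) ){
-return 1;
+rc = 1;
 }
-if( isWholeWord(zTxt, i, "or", 2) ) return 1;
+if( isWholeWord(zTxt, i, "or", 2) ) rc = 1;
 break;
 case 's':
 case 'S':
-if( isWholeWord(zTxt, i, "select", 6) ) return 1;
+if( isWholeWord(zTxt, i, "select", 6) ) rc = 1;
 break;
 case 'w':
 case 'W':
-if( isWholeWord(zTxt, i, "waitfor", 7) ) return 1;
+if( isWholeWord(zTxt, i, "waitfor", 7) ) rc = 1;
 break;
 }
 }
-return 0;
+if( rc ){
+/* The test/markdown-test3.md document which is part of the Fossil source
+** tree intentionally tries to fake an attack. Do not report such
+** errors. */
+const char *zPathInfo = P("PATH_INFO");
+if( sqlite3_strglob("/doc/*/test/markdown-test3.md", zPathInfo)==0 ){
+rc = 0;
+}
+}
+return rc;
 }
 
 /*
 ** This is a utility routine associated with the test-looks-like-sql-injection
 ** command.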
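Review bot: `zPathInfo` is handed straight to sqlite3_strglob() at new lines 534-535, yet P("PATH_INFO") yields NULL whenever that CGI parameter is absent — plausibly the case when this routine is reached from the test-looks-like-sql-injection command mentioned just below the hunk — and nothing visible here establishes that sqlite3_strglob() tolerates a NULL string, so I would guard it: `if( zPathInfo && sqlite3_strglob("/doc/*/test/markdown-test3.md", zPathInfo)==0 ){`. The new exemption also does not reach the `;` and `'` cases at new line 500, which still `return 1` before the rc check runs, so a test document containing either character is still reported; if that asymmetry is intended, a one-line comment such as `/* ';' and '\'' are reported unconditionally, even on the exempted test page */` would keep the next reader from "fixing" it. Finally, the exemption keys on a request-controlled path, so any URL matching `/doc/*/test/markdown-test3.md` now bypasses the heuristic entirely; that seems acceptable given the header comment frames this as a CPU-saving spider filter rather than a security boundary, but the comment at new lines 531-533 should say so explicitly.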
--- src/lookslike.c
+++ src/lookslike.c
@@ -486,46 +486,59 @@
486 ** Rather, this is part of an effort to do early detection of malicious
487 ** spiders to avoid them using up too many CPU cycles.
488 */
489 int looks_like_sql_injection(const char *zTxt){
490 unsigned int i;
 
491 if( zTxt==0 ) return 0;
492 for(i=0; zTxt[i]; i++){
493 switch( zTxt[i] ){
 
 
 
494 case ';':
495 case '\'':
496 return 1;
497 case '/': /* 0123456789 123456789 */
498 if( strncmp(zTxt+i+1, "/wp-content/plugins/", 20)==0 ) return 1;
499 if( strncmp(zTxt+i+1, "/wp-admin/admin-ajax", 20)==0 ) return 1;
500 break;
501 case 'a':
502 case 'A':
503 if( isWholeWord(zTxt, i, "and", 3) ) return 1;
504 break;
505 case 'n':
506 case 'N':
507 if( isWholeWord(zTxt, i, "null", 4) ) return 1;
508 break;
509 case 'o':
510 case 'O':
511 if( isWholeWord(zTxt, i, "order", 5) && fossil_isspace(zTxt[i+5]) ){
512 return 1;
513 }
514 if( isWholeWord(zTxt, i, "or", 2) ) return 1;
515 break;
516 case 's':
517 case 'S':
518 if( isWholeWord(zTxt, i, "select", 6) ) return 1;
519 break;
520 case 'w':
521 case 'W':
522 if( isWholeWord(zTxt, i, "waitfor", 7) ) return 1;
523 break;
524 }
525 }
526 return 0;
 
 
 
 
 
 
 
 
 
527 }
528
529 /*
530 ** This is a utility routine associated with the test-looks-like-sql-injection
531 ** command.
532
--- src/lookslike.c
+++ src/lookslike.c
@@ -486,46 +486,59 @@
486 ** Rather, this is part of an effort to do early detection of malicious
487 ** spiders to avoid them using up too many CPU cycles.
488 */
489 int looks_like_sql_injection(const char *zTxt){
490 unsigned int i;
491 int rc = 0;
492 if( zTxt==0 ) return 0;
493 for(i=0; zTxt[i]; i++){
494 switch( zTxt[i] ){
495 case '<':
496 if( sqlite3_strnicmp(zTxt+i, "<script>", 8)==0 ) rc = 1;
497 break;
498 case ';':
499 case '\'':
500 return 1;
501 case '/': /* 0123456789 123456789 */
502 if( strncmp(zTxt+i+1, "/wp-content/plugins/", 20)==0 ) rc = 1;
503 if( strncmp(zTxt+i+1, "/wp-admin/admin-ajax", 20)==0 ) rc = 1;
504 break;
505 case 'a':
506 case 'A':
507 if( isWholeWord(zTxt, i, "and", 3) ) rc = 1;
508 break;
509 case 'n':
510 case 'N':
511 if( isWholeWord(zTxt, i, "null", 4) ) rc = 1;
512 break;
513 case 'o':
514 case 'O':
515 if( isWholeWord(zTxt, i, "order", 5) && fossil_isspace(zTxt[i+5]) ){
516 rc = 1;
517 }
518 if( isWholeWord(zTxt, i, "or", 2) ) rc = 1;
519 break;
520 case 's':
521 case 'S':
522 if( isWholeWord(zTxt, i, "select", 6) ) rc = 1;
523 break;
524 case 'w':
525 case 'W':
526 if( isWholeWord(zTxt, i, "waitfor", 7) ) rc = 1;
527 break;
528 }
529 }
530 if( rc ){
531 /* The test/markdown-test3.md document which is part of the Fossil source
532 ** tree intentionally tries to fake an attack. Do not report such
533 ** errors. */
534 const char *zPathInfo = P("PATH_INFO");
535 if( sqlite3_strglob("/doc/*/test/markdown-test3.md", zPathInfo)==0 ){
536 rc = 0;
537 }
538 }
539 return rc;
540 }
541
542 /*
543 ** This is a utility routine associated with the test-looks-like-sql-injection
544 ** command.
545
