File: upload_validation.py

snuffleupagus 0.12.0-1
#!/usr/bin/python3

import sys
import subprocess

# Values of the VLD "op" column that check() accepts. Any other value makes
# check() report the file and return 1.
WHITELIST = (
    'ECHO',
    'RETURN',
    'PHP',
    'NOP',
)

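def check(filename):
    """Dump the opcodes of *filename* with PHP's VLD extension and vet them.

    php is started with vld.active=1 and vld.execute=0, and its combined
    stdout/stderr is parsed as '@'-separated columns (vld.col_sep=@).

    Args:
        filename: Path of the file to inspect; passed to php as its last
            argument.

    Returns:
        0 if every opcode found is in WHITELIST, 1 at the first opcode that
        is not, 2 if php could not be started or exited with an error.
    """
    cmd = ["php",
           "-d", "vld.active=1",
           "-d", "vld.execute=0",
           "-d", "extension=vld.so",
           "-d", "vld.format=1",
           "-d", "vld.col_sep=@",
           "-d", "log_errors=0",
           "-d", "error_log=/dev/null",
           filename]
    try:
        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
    except (subprocess.CalledProcessError, OSError) as e:
        # OSError covers a missing or non-executable php binary, so that
        # case reports the same error code instead of a traceback.
        print("Error: %s" % e)
        return 2

    # NOTE(review): a run that prints no opcode rows at all (for instance if
    # vld.so failed to load) would fall through to "return 0" - confirm that
    # the extension is installed wherever this script is deployed.

    # check_output() returns bytes on Python 3, so the separator must be
    # bytes too; splitting on the str '@' raises TypeError. Staying in bytes
    # also means arbitrary file content echoed in the dump cannot trigger a
    # decoding error. The first 8 lines are skipped (presumably the VLD
    # header - TODO confirm).
    for line in output.splitlines()[8:]:
        sp = line.split(b'@')
        if len(sp) < 5:
            continue
        # ,line, #, EIO, op, fetch, ext, return, operands
        # Only the opcode column is decoded; non-ASCII bytes become U+FFFD,
        # which can never match a WHITELIST entry.
        opcode = sp[4].decode('ascii', 'replace')
        if opcode not in WHITELIST:
            print("Upload_validation: Found an opcode: %s" % opcode)
            return 1
    return 0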


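if __name__ == '__main__':
    # Exactly one argument is expected: the path of the file to inspect.
    if len(sys.argv) != 2:
        # '%0' is not a format specifier and the script name was passed as a
        # second print() argument; interpolate it with '%s' instead.
        print('Usage: %s file_to_test.php' % sys.argv[0])
        # Exit non-zero so a wrong invocation is never read as check()'s
        # 0 ("only whitelisted opcodes") result.
        sys.exit(2)
    sys.exit(check(sys.argv[1]))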