From dffad71804dc04cb33a2d78de3af777a390d99cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Tue, 10 Jan 2017 15:26:54 +0200
Subject: [PATCH] Add support for comparison operators in dbfwfilter functions
The dbfwfilter now supports the main comparison operators in MySQL. The string versions (IS, NOT, IS NOT etc.) are not supported.
---
 Documentation/Filters/Database-Firewall-Filter.md | 4 +++-
 server/modules/filter/dbfwfilter/ruleparser.y | 11 +++++++----
 server/modules/filter/dbfwfilter/token.l | 2 ++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/Documentation/Filters/Database-Firewall-Filter.md b/Documentation/Filters/Database-Firewall-Filter.md
index 1440afd9c..e311dd785 100644
--- a/Documentation/Filters/Database-Firewall-Filter.md
+++ b/Documentation/Filters/Database-Firewall-Filter.md
@@ -117,7 +117,9 @@ This rule expects a list of values after the `columns` keyword. These values are
 This rule expects a list of values after the `function` keyword. These values are interpreted as function names and if a query uses any of these, it is
-blocked.
+blocked. The symbolic comparison operators (`<`, `>`, `>=` etc.) are also
+considered functions whereas the text versions (`NOT`, `IS`, `IS NOT` etc.) are
+not considered functions.
 #### `regex`
diff --git a/server/modules/filter/dbfwfilter/ruleparser.y b/server/modules/filter/dbfwfilter/ruleparser.y
index 4efa30f9e..34025ccbf 100644
--- a/server/modules/filter/dbfwfilter/ruleparser.y
+++ b/server/modules/filter/dbfwfilter/ruleparser.y
@@ -37,7 +37,7 @@
 %token FWTOK_RULE FWTOK_RULENAME FWTOK_USERS FWTOK_USER FWTOK_RULES FWTOK_MATCH FWTOK_ANY FWTOK_ALL FWTOK_STRICT_ALL FWTOK_DENY
 %token FWTOK_WILDCARD FWTOK_COLUMNS FWTOK_REGEX FWTOK_LIMIT_QUERIES FWTOK_WHERE_CLAUSE FWTOK_AT_TIMES FWTOK_ON_QUERIES
 %token FWTOK_SQLOP FWTOK_COMMENT FWTOK_INT FWTOK_FLOAT FWTOK_PIPE FWTOK_TIME
-%token FWTOK_BTSTR FWTOK_QUOTEDSTR FWTOK_STR FWTOK_FUNCTION
+%token FWTOK_BTSTR FWTOK_QUOTEDSTR FWTOK_STR FWTOK_FUNCTION FWTOK_CMP
 /** Non-terminal symbols */
 %type rulename
@@ -124,10 +124,13 @@ columnlist:
 ;
 functionlist:
- FWTOK_BTSTR {if (!define_function_rule(scanner, $1)){YYERROR;}}
+ functionvalue
+ | functionlist functionvalue
+ ;
+
+functionvalue:
+ FWTOK_CMP {if (!define_function_rule(scanner, $1)){YYERROR;}}
 | FWTOK_STR {if (!define_function_rule(scanner, $1)){YYERROR;}}
- | functionlist FWTOK_BTSTR {if (!define_function_rule(scanner, $2)){YYERROR;}}
- | functionlist FWTOK_STR {if (!define_function_rule(scanner, $2)){YYERROR;}}
 ;
 optional:
diff --git a/server/modules/filter/dbfwfilter/token.l b/server/modules/filter/dbfwfilter/token.l
index 62dbbcbfc..9dcfd3f1e 100644
--- a/server/modules/filter/dbfwfilter/token.l
+++ b/server/modules/filter/dbfwfilter/token.l
@@ -33,6 +33,7 @@ USER [^[:space:]]*[@]
 IP [0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}
 BTSTR `[^`]*`
 USTR [%-_[:alnum:][:punct:]]+
+CMP [=<>!]+
 %%
 "\n"+ return '\n';
@@ -53,6 +54,7 @@ match return FWTOK_MATCH;
 any return FWTOK_ANY;
 all return FWTOK_ALL;
 strict_all return FWTOK_STRICT_ALL;
+{CMP} yylval->strval = yytext;return FWTOK_CMP;
 {USTR}@{USTR} yylval->strval = yytext;return FWTOK_USER;
 {BTSTR}@{BTSTR} yylval->strval = yytext;return FWTOK_USER;
 {QSTR}@{QSTR} yylval->strval = yytext;return FWTOK_USER;
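Review bot: The new `functionvalue` rule in ruleparser.y no longer accepts `FWTOK_BTSTR`, which both old `functionlist` alternatives did, and neither the commit message nor the documentation change mentions the removal. If the scanner still emits that token for backtick-quoted names (its rule is outside this diff), a rule file that lists functions in backticks would now stop at a syntax error, and for a firewall filter it matters whether the rules then fail closed or simply do not load. Either keep the alternative, `| FWTOK_BTSTR {if (!define_function_rule(scanner, $1)){YYERROR;}}`, or state the incompatibility in Database-Firewall-Filter.md. A one-line comment above `functionvalue:`, for example `/** One function name or symbolic comparison operator */`, would document the new non-terminal.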
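Review bot: The definition `CMP [=<>!]+` in token.l matches any run of those four characters, so sequences such as `!!` or `=<>` that are not MySQL comparison operators can lex as `FWTOK_CMP` just as `<=` does. Unless `define_function_rule` validates the value (it is not visible in this diff), a mistyped operator in a rule file would load without complaint and never match a query, leaving the administrator believing the operator is denied. Consider restricting the definition to the operators that are intended, for example `CMP "<=>"|"<="|">="|"!="|"<>"|"="|"<"|">"`, and check how a leftover character is then tokenised by the rules outside this hunk. A comment on the definition naming the supported operators would also keep it in step with the documentation text.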
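Review bot: The added `{CMP}` action in token.l stores `yytext` in `yylval->strval` without copying it, so the parser receives a pointer into the scanner's buffer that stays valid only until the next token is scanned. The neighbouring `FWTOK_USER` rules do the same, so this follows the file's convention, but the value is safe only if `define_function_rule` copies the string and the `functionvalue` reduction runs before any lookahead is read; that function is outside the diff, so this should be confirmed. If it holds, record it next to the rule with a comment such as `/* yytext is valid only until the next yylex() call; define_function_rule must copy it */`.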