php中parse_url函数的源码及分析(scheme部分)
前言
看师傅们的文章时发现,parse_url出现的次数较多,单纯parse_url解析漏洞的考题也有很多,在此研究一下源码(太菜了看不懂,待日后再补充Orz)
源码
在ext/standard/url.c文件中
PHPAPI php_url *php_url_parse_ex(char const *str, size_t length){char port_buf[6];php_url *ret = ecalloc(1, sizeof(php_url));char const *s, *e, *p, *pp, *ue;s = str;ue = s + length;/* parse scheme */if ((e = memchr(s, ':', length)) && e != s) {/* validate scheme */p = s;while (p < e) {/* scheme = 1*[ lowalpha | digit | "+" | "-" | "." ] */if (!isalpha(*p) && !isdigit(*p) && *p != '+' && *p != '.' && *p != '-') {if (e + 1 < ue && e < s + strcspn(s, "?#")) {goto parse_port;} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */s += 2;e = 0;goto parse_host;} else {goto just_path;}}p++;}if (e + 1 == ue) { /* only scheme is available */ret->scheme = estrndup(s, (e - s));php_replace_controlchars_ex(ret->scheme, (e - s));return ret;}/** certain schemas like mailto: and zlib: may not have any / after them* this check ensures we support those.*/if (*(e+1) != '/') {/* check if the data we get is a port this allows us to* correctly parse things like a.com:80*/p = e + 1;while (p < ue && isdigit(*p)) {p++;}if ((p == ue || *p == '/') && (p - e) < 7) {goto parse_port;}ret->scheme = estrndup(s, (e-s));php_replace_controlchars_ex(ret->scheme, (e - s));s = e + 1;goto just_path;} else {ret->scheme = estrndup(s, (e-s));php_replace_controlchars_ex(ret->scheme, (e - s));if (e + 2 < ue && *(e + 2) == '/') {s = e + 3;if (!strncasecmp("file", ret->scheme, sizeof("file"))) {if (e + 3 < ue && *(e + 3) == '/') {/* support windows drive letters as in:file:///c:/somedir/file.txt*/if (e + 5 < ue && *(e + 5) == ':') {s = e + 4;}goto just_path;}}} else {s = e + 1;goto just_path;}}} else if (e) { /* no scheme; starts with colon: look for port */parse_port:p = e + 1;pp = p;while (pp < ue && pp - p < 6 && isdigit(*pp)) {pp++;}if (pp - p > 0 && pp - p < 6 && (pp == ue || *pp == '/')) {zend_long port;memcpy(port_buf, p, (pp - p));port_buf[pp - p] = '\0';port = ZEND_STRTOL(port_buf, NULL, 10);if (port > 0 && port <= 65535) {ret->port = (unsigned short) port;if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */s += 2;}} else {if (ret->scheme) efree(ret->scheme);efree(ret);return NULL;}} else if (p == pp && pp == ue) {if (ret->scheme) efree(ret->scheme);efree(ret);return NULL;} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */s += 2;} else {goto just_path;}} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */s += 2;} else {goto just_path;}parse_host:/* Binary-safe strcspn(s, "/?#") */e = ue;if ((p = memchr(s, '/', e - s))) {e = p;}if ((p = memchr(s, '?', e - s))) {e = p;}if ((p = memchr(s, '#', e - s))) {e = p;}/* check for login and password */if ((p = zend_memrchr(s, '@', (e-s)))) {if ((pp = memchr(s, ':', (p-s)))) {ret->user = estrndup(s, (pp-s));php_replace_controlchars_ex(ret->user, (pp - s));pp++;ret->pass = estrndup(pp, (p-pp));php_replace_controlchars_ex(ret->pass, (p-pp));} else {ret->user = estrndup(s, (p-s));php_replace_controlchars_ex(ret->user, (p-s));}s = p + 1;}/* check for port */if (s < ue && *s == '[' && *(e-1) == ']') {/* Short circuit portscan,we're dealing with anIPv6 embedded address */p = NULL;} else {p = zend_memrchr(s, ':', (e-s));}if (p) {if (!ret->port) {p++;if (e-p > 5) { /* port cannot be longer then 5 characters */if (ret->scheme) efree(ret->scheme);if (ret->user) efree(ret->user);if (ret->pass) efree(ret->pass);efree(ret);return NULL;} else if (e - p > 0) {zend_long port;memcpy(port_buf, p, (e - p));port_buf[e - p] = '\0';port = ZEND_STRTOL(port_buf, NULL, 10);if (port > 0 && port <= 65535) {ret->port = (unsigned short)port;} else {if (ret->scheme) efree(ret->scheme);if (ret->user) efree(ret->user);if (ret->pass) efree(ret->pass);efree(ret);return NULL;}}p--;}} else {p = e;}/* check if we have a valid host, if we don't reject the string as url */if ((p-s) < 1) {if (ret->scheme) efree(ret->scheme);if (ret->user) efree(ret->user);if (ret->pass) efree(ret->pass);efree(ret);return NULL;}ret->host = estrndup(s, (p-s));php_replace_controlchars_ex(ret->host, (p - s));if (e == ue) {return ret;}s = e;just_path:e = ue;p = memchr(s, '#', (e - s));if (p) {p++;if (p < e) {ret->fragment = estrndup(p, (e - p));php_replace_controlchars_ex(ret->fragment, (e - p));}e = p-1;}p = memchr(s, '?', (e - s));if (p) {p++;if (p < e) {ret->query = estrndup(p, (e - p));php_replace_controlchars_ex(ret->query, (e - p));}e = p-1;}if (s < e || s == ue) {ret->path = estrndup(s, (e - s));php_replace_controlchars_ex(ret->path, (e - s));}return ret;}
/* {{{ proto mixed parse_url(string url, [int url_component])Parse a URL and return its components */PHP_FUNCTION(parse_url){char *str;size_t str_len;php_url *resource;zend_long key = -1;if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &str, &str_len, &key) == FAILURE) {return;}resource = php_url_parse_ex(str, str_len);if (resource == NULL) {/* @todo Find a method to determine why php_url_parse_ex() failed */RETURN_FALSE;}if (key > -1) {switch (key) {case PHP_URL_SCHEME:if (resource->scheme != NULL) RETVAL_STRING(resource->scheme);break;case PHP_URL_HOST:if (resource->host != NULL) RETVAL_STRING(resource->host);break;case PHP_URL_PORT:if (resource->port != 0) RETVAL_LONG(resource->port);break;case PHP_URL_USER:if (resource->user != NULL) RETVAL_STRING(resource->user);break;case PHP_URL_PASS:if (resource->pass != NULL) RETVAL_STRING(resource->pass);break;case PHP_URL_PATH:if (resource->path != NULL) RETVAL_STRING(resource->path);break;case PHP_URL_QUERY:if (resource->query != NULL) RETVAL_STRING(resource->query);break;case PHP_URL_FRAGMENT:if (resource->fragment != NULL) RETVAL_STRING(resource->fragment);break;default:php_error_docref(NULL, E_WARNING, "Invalid URL component identifier " ZEND_LONG_FMT, key);RETVAL_FALSE;}goto done;}/* allocate an array for return */array_init(return_value);/* add the various elements to the array */if (resource->scheme != NULL)add_assoc_string(return_value, "scheme", resource->scheme);if (resource->host != NULL)add_assoc_string(return_value, "host", resource->host);if (resource->port != 0)add_assoc_long(return_value, "port", resource->port);if (resource->user != NULL)add_assoc_string(return_value, "user", resource->user);if (resource->pass != NULL)add_assoc_string(return_value, "pass", resource->pass);if (resource->path != NULL)add_assoc_string(return_value, "path", resource->path);if (resource->query != NULL)add_assoc_string(return_value, "query", resource->query);if (resource->fragment != NULL)add_assoc_string(return_value, "fragment", resource->fragment);done:php_url_free(resource);}
代码中遇到的问题解决
函数定义部分
PHP_FUNCTION(parse_url){char *str;size_t str_len;php_url *resource;zend_long key = -1;if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &str, &str_len, &key) == FAILURE) {return;}resource = php_url_parse_ex(str, str_len);if (resource == NULL) {/* @todo Find a method to determine why php_url_parse_ex() failed */RETURN_FALSE;}
引用这篇文章的内容http://www.nowamagic.net/librarys/veda/detail/1467
b Booleanl Integer 整型d Floating point 浮点型s String 字符串r Resource 资源a Array 数组o Object instance 对象O Object instance of a specified type 特定类型的对象z Non-specific zval 任意类型Z zval**类型f 表示函数、方法名称
那么其中的"s|l"表示parse_url需要两个参数,一个字符串型,一个整型
php_url类型的声明在ext/standard/url.h中
typedef struct php_url {char *scheme;char *user;char *pass;char *host;unsigned short port;char *path;char *query;char *fragment;} php_url;
问题
- parse_url只有两个参数,不知道strlen这个参数哪里去了……?还有他的值到底是怎么获得的……
函数内部实现部分
使用php_url_parse_ex函数来处理我们传过去的url,先暂定str_len为str的长度……
if ((e = memchr(s, ':', length)) && e != s) {/* validate scheme */p = s;while (p < e) {/* scheme = 1*[ lowalpha | digit | "+" | "-" | "." ] */if (!isalpha(*p) && !isdigit(*p) && *p != '+' && *p != '.' && *p != '-') {if (e + 1 < ue && e < s + strcspn(s, "?#")) {goto parse_port;} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */s += 2;e = 0;goto parse_host;} else {goto just_path;}}p++;}if (e + 1 == ue) { /* only scheme is available */ret->scheme = estrndup(s, (e - s));php_replace_controlchars_ex(ret->scheme, (e - s));return ret;}/** certain schemas like mailto: and zlib: may not have any / after them* this check ensures we support those.*/if (*(e+1) != '/') {/* check if the data we get is a port this allows us to* correctly parse things like a.com:80*/p = e + 1;while (p < ue && isdigit(*p)) {p++;}if ((p == ue || *p == '/') && (p - e) < 7) {goto parse_port;}ret->scheme = estrndup(s, (e-s));php_replace_controlchars_ex(ret->scheme, (e - s));s = e + 1;goto just_path;} else {ret->scheme = estrndup(s, (e-s));php_replace_controlchars_ex(ret->scheme, (e - s));if (e + 2 < ue && *(e + 2) == '/') {s = e + 3;if (!strncasecmp("file", ret->scheme, sizeof("file"))) {if (e + 3 < ue && *(e + 3) == '/') {/* support windows drive letters as in:file:///c:/somedir/file.txt*/if (e + 5 < ue && *(e + 5) == ':') {s = e + 4;}goto just_path;}}} else {s = e + 1;goto just_path;}}} else if (e) { /* no scheme; starts with colon: look for port */
如果s中含有冒号则e指向冒号
且同时如果冒号不在s的开头,p指向s
当p不指向冒号向循环,p指向下一位
如果p指向的值是字母或者数字或者是+,-,.则指针指向下一位,这就代表冒号前面的值其实是任意的字母、数字、+、-、.
如果冒号所在位置小于str,且?#在冒号后面(如果有的话),就跳转到port解析部分
如果str的长度大于1且str的前两个字符是//,s指向//后面的一个字符,e变为0,跳转到host解析
如果冒号是最后一位字符,则冒号前面的东西会当作scheme返回
如果冒号后面不是/,则p指向冒号后面一位
当p小于str且p指向的为数字字符,p一直指向后一位,直到p指向str末尾或者p指向的字符为/,同时冒号后面的数字位数小于6位,跳转到port解析
如果冒号后面不是纯数字或数字后面有一个/,那么冒号前面的内容就当作scheme,放在ret的scheme参数中,s指向冒号后一位,跳转到path解析
如果冒号后面是/,那么冒号前面的内容就当作scheme,放在ret的scheme参数中。如果下面一位也是/,那么s指向//后面一位,如果scheme为file,那么判断接下来一位是不是/,如果是,判断冒号后是否有五个字符,如果有那么第五个字符是不是冒号(为了处理file:///c:),s指向///后的一位字符,跳转到path解析
如果冒号后面不是三个/,s指向冒号后面一位,之后跳转到path解析
如果冒号在str开头,那么进行port解析
姿势
- 只要请求的url里不含有冒号(:)就会被当成path解析
php中parse_url函数的源码及分析(scheme部分)的更多相关文章
- php中parse_url函数的源码及分析
前言 看师傅们的文章时发现,parse_url出现的次数较多,单纯parse_url解析漏洞的考题也有很多,在此研究一下源码(太菜了看不懂,待日后再补充Orz) 源码 PHPAPI php_url * ...
- Apache Spark源码走读之23 -- Spark MLLib中拟牛顿法L-BFGS的源码实现
欢迎转载,转载请注明出处,徽沪一郎. 概要 本文就拟牛顿法L-BFGS的由来做一个简要的回顾,然后就其在spark mllib中的实现进行源码走读. 拟牛顿法 数学原理 代码实现 L-BFGS算法中使 ...
- redis中set命令的源码分析
首先在源码中的redis.c文件中有一个结构体:redisCommand redisCommandTable[],这个结构体中定义了每个命令对应的函数,源码中的set命令对应的函数是setComman ...
- sleep函数——Gevent源码分析
gevent是一个异步I/O框架,当遇到I/O操作的时候,会自动切换任务,从而能异步地完成I/O操作 但是在测试的情况下,可以使用sleep函数来让gevent进行任务切换.示例如下: import ...
- Matlab.NET混合编程技巧之——直接调用Matlab内置函数(附源码)
原文:[原创]Matlab.NET混合编程技巧之--直接调用Matlab内置函数(附源码) 在我的上一篇文章[原创]Matlab.NET混编技巧之——找出Matlab内置函数中,已经大概的介绍了mat ...
- Generator函数执行器-co函数库源码解析
一.co函数是什么 co 函数库是著名程序员 TJ Holowaychuk 于2013年6月发布的一个小工具,用于 Generator 函数的自动执行.短小精悍只有短短200余行,就可以免去手动编写G ...
- caffe-windows中classification.cpp的源码阅读
caffe-windows中classification.cpp的源码阅读 命令格式: usage: classification string(模型描述文件net.prototxt) string( ...
- Django框架rest_framework中APIView的as_view()源码解析、认证、权限、频率控制
在上篇我们对Django原生View源码进行了局部解析:https://www.cnblogs.com/dongxixi/p/11130976.html 在前后端分离项目中前面我们也提到了各种认证需要 ...
- RocketMQ中Broker的启动源码分析(一)
在RocketMQ中,使用BrokerStartup作为启动类,相较于NameServer的启动,Broker作为RocketMQ的核心可复杂得多 [RocketMQ中NameServer的启动源码分 ...
随机推荐
- 感觉自己应该重新读一次Javascript
我自己也有一本Javascript书籍,是自己上大学的时候学校给提供的,现在,我依旧带着这本书.我决定要把这本书在重新温习一下.然后,开启下面的Javascript之旅.这是我看到博客园一位园友写的, ...
- 51nod 1851俄罗斯方块(trick)
题目大意:给出一个黑白图,你可以选定一个俄罗斯方块的区域,黑白翻转,问能否变成白图 比较trick的题目, 首先可以想到,奇数个1肯定是无解的,所以考虑偶数个1 可以先讨论n是2的情况 当n为2时,其 ...
- HDU - 1880 魔咒词典~哈希入门
哈利波特在魔法学校的必修课之一就是学习魔咒.据说魔法世界有100000种不同的魔咒,哈利很难全部记住,但是为了对抗强敌,他必须在危急时刻能够调用任何一个需要的魔咒,所以他需要你的帮助. 给你一部魔咒词 ...
- eclipse console输出有长度限制
抓取一个网页内容,然后打印到控制台,发现内容首部都没有了. String content = getResponseText("http://xxx.html"); System. ...
- 转:RBAC权限控制
名词解释: RBAC:Role-Based Access Control,基于角色的访问控制 关键词: RBAC,Java Shiro,Spring Security, 一. RBAC 要解决 ...
- centos7下yum快速安装 mariadb(mysql)
从最新版本的centos系统开始,默认的是 Mariadb而不是mysql! 使用系统自带的repos安装很简单: yum install mariadb mariadb-server systemc ...
- POJ 2395 Out of Hay (prim)
题目链接 Description The cows have run out of hay, a horrible event that must be remedied immediately. B ...
- bzoj 1433 二分图匹配
裸地匈牙利或者最大流,直接匹配就行了 需要注意的是(我就没注意细节WA了好多次...) 每个人和自己之间的边是0,但是应该是1 不是在校生是没有床的.... /******************** ...
- linux下面which whereis find locate的使用
我们经常在linux要查找某个文件,但不知道放在哪里了,可以使用下面的一些命令来搜索.这些是从网上找到的资料,因为有时很长时间不会用到,当要用的时候经常弄混了,所以放到这里方便使用. which ...
- Unordered load/store queue
A method and processor for providing full load/store queue functionality to an unordered load/store ...