Exemple #1
/**
 * Taint-aware dispatcher for a dynamically named call.
 *
 * The first argument is the callee, the remaining arguments are its parameters.
 * After the callee is resolved with deAspisCallback(), one of four paths is taken:
 *  1. string callee listed in $built_in_functions: every argument goes through
 *     deAspisRC() and the result through attAspisRC();
 *  2. string callee with no entry in $aspis_taint_details[0]: same shape, using
 *     deAspisRCO() / attAspisRCO();
 *  3. callee for which AspisFindSinkGuard() returns a guard: the guard is applied
 *     to the FIRST argument only, then the callee is invoked;
 *  4. anything else: the callee is invoked and, when AspisIsSanitiser() reports an
 *     index other than -1, the result goes through AspisKillTaint().
 *
 * NOTE(review): in path 3 only argument 0 is guarded; any other argument reaches
 * the sink as received. Confirm that every guarded sink takes its sensitive value
 * in the first position.
 *
 * @return mixed Whatever the selected path returns.
 */
function AspisTaintedDynamicCall()
{
    $args = func_get_args();
    $callee = array_shift($args);
    $callee = deAspisCallback($callee);

    //the caller is tainted
    // Both lookup tables are loaded on first use.
    global $built_in_functions;
    if (empty($built_in_functions)) {
        load_functions();
    }
    global $aspis_taint_details;
    if (empty($aspis_taint_details)) {
        loadTaintDetails();
    }

    $named = is_string($callee);

    // Path 1: built-in function.
    if ($named && isset($built_in_functions[$callee])) {
        //TODO: this doesn't and rather can't work with ref parameters.
        //That's because there is no way to obtain references to the incoming params here.
        foreach ($args as &$arg) {
            $arg = deAspisRC($arg);
        }
        return attAspisRC(call_user_func_array($callee, $args));
    }

    // Path 2: string callee that the taint details table does not list.
    if ($named && !isset($aspis_taint_details[0][$callee])) {
        foreach ($args as &$arg) {
            $arg = deAspisRCO($arg);
        }
        return attAspisRCO(call_user_func_array($callee, $args));
    }

    // Path 3: a sink guard exists; it filters the first argument before the call.
    $guard = AspisFindSinkGuard($callee);
    if ($guard != "") {
        if (isset($args[0])) {
            $args[0] = $guard($args[0]);
        }
        return call_user_func_array($callee, $args);
    }

    // Path 4: plain call, with taint removed from the result for sanitisers.
    $result = call_user_func_array($callee, $args);
    $sanitiserIndex = AspisIsSanitiser($callee);
    if ($sanitiserIndex != -1) {
        $result = AspisKillTaint($result, $sanitiserIndex);
    }
    return $result;
}
Exemple #2
/**
 * Taint-aware replacement for call_user_func_array().
 *
 * The callback is resolved with deAspisCallback() and one of two paths is taken:
 *  - "untainted" path: the callee is a string naming a built-in function, a string
 *    with no entry in $aspis_taint_details[0], or a method on an AspisProxy object.
 *    Each argument goes through deAspisRCO() and the call is delegated to
 *    AspisUntaintedFunctionCall().
 *  - tracked path: arguments are passed by reference, the guard returned by
 *    AspisFindGuard() (if any) is applied to the FIRST argument only, and the result
 *    goes through AspisKillTaint() when AspisIsSanitiser() reports an index other than -1.
 *
 * NOTE(review): any string callee missing from $aspis_taint_details[0] lands on the
 * untainted path, so the completeness of that table decides which callees are tracked.
 *
 * @param mixed $name   Callback to invoke: a string, or an array whose element 0 is
 *                      passed to get_class().
 * @param mixed $params Array whose element 0 holds the argument list
 *                      (presumably a value/taint pair; confirm against callers).
 * @return mixed Result of the call; a strict FALSE result is wrapped as array(FALSE, false).
 */
function AspisTainted_call_user_func_array($name, $params)
{
    // Both lookup tables are loaded on first use.
    global $built_in_functions;
    if (empty($built_in_functions)) {
        load_functions();
    }
    global $aspis_taint_details;
    if (empty($aspis_taint_details)) {
        loadTaintDetails();
    }
    $name = deAspisCallback($name);
    // Placeholder class name used when the callback is not an array.
    $class = "AspisFakeClass";
    if (is_array($name)) {
        // NOTE(review): assumes $name[0] is an object; a static-style callback
        // whose element 0 is a class-name string is not handled here. Confirm.
        $class = get_class($name[0]);
    }
    //untainted case
    // && binds tighter than ||, so this reads:
    // (string callee that is built-in or not in the taint table) OR (AspisProxy method).
    if (is_string($name) && (isset($built_in_functions[$name]) || !isset($aspis_taint_details[0][$name])) || $class === "AspisProxy") {
        //TODO: Doesn't handle cases where the built-in function itself takes a callback.
        //All function definitions would have to be read and AspisInternalCallback called.
        //TODO: This does not work with reference params (the else case does though)
        // Only element 0 (the argument list) is kept from here on.
        $params = $params[0];
        foreach ($params as &$param) {
            //actually, just the name and the arg array
            $param = deAspisRCO($param);
        }
        // Drop the loop reference so later writes cannot alias the last argument.
        unset($param);
        if ($class == "AspisProxy") {
            // Call the method on the object held in the proxy's obj property.
            $name[0] = $name[0]->obj;
        }
        // Build the argument list for AspisUntaintedFunctionCall:
        // callee first, then the arguments, then an empty array.
        array_unshift($params, $name);
        $params[] = array();
        //no ref parameters
        $ret = call_user_func_array("AspisUntaintedFunctionCall", $params);
        if ($ret === FALSE) {
            // A strict FALSE result is wrapped in a two-element array
            // (presumably the value/taint pair; confirm).
            $ret = array($ret, false);
        }
        return $ret;
    } else {
        /*
         * If the called function expects objects, then an explicit reference is not required by PHP.
         * But if, instead, an array that contains the object is passed, then the reference is required.
         * To solve this, references are always passed. If references came in as input,
         * then everything is ok. If copies came in, references to these copies are passed: no harm done.
         */
        $params_ref = array();
        foreach ($params[0] as &$p) {
            $params_ref[] =& $p;
        }
        // NOTE(review): AspisTaintedDynamicCall looks up its guard with AspisFindSinkGuard();
        // this function uses AspisFindGuard(). Confirm the difference is intended.
        $guard = AspisFindGuard($name);
        if ($guard != "" && isset($params_ref[0])) {
            // Only the first argument is guarded; the others are forwarded as received.
            // NOTE(review): reference-assigning a call result relies on the guard
            // returning by reference; otherwise PHP raises a notice. Confirm.
            $params_ref[0] =& $guard($params_ref[0]);
        }
        $ret = call_user_func_array($name, $params_ref);
        if ($ret === FALSE) {
            // Same wrapping of a strict FALSE result as on the untainted path.
            $ret = array($ret, false);
        }
        // A result other than -1 marks the callee as a sanitiser; the index is
        // forwarded to AspisKillTaint() together with the return value.
        $i = AspisIsSanitiser($name);
        if ($i != -1) {
            $ret = AspisKillTaint($ret, $i);
        }
        return $ret;
    }
}