archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Added max_input_vars directive to prevent attacks based on hash collisions

Browse source
This commit is contained in:
Dmitry Stogov 2011-12-14 08:56:35 +00:00
parent f94cc91dda
commit 6fb3897f80
4 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
NEWS
View file

@ -1,6 +1,9 @@
PHP NEWS PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Dec 2011, PHP 5.4.0 RC4 ?? Dec 2011, PHP 5.4.0 RC4
- Core:
. Added max_input_vars directive to prevent attacks based on hash collisions
(Dmitry).
- CLI SAPI: - CLI SAPI:
. Fixed bug #60477 (Segfault after two multipart/form-data POST requests, . Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
one 200 RQ and one 404). (Laruence) one 200 RQ and one 404). (Laruence)
@ -9,6 +12,8 @@ PHP NEWS
08 Dec 2011, PHP 5.4.0 RC3 08 Dec 2011, PHP 5.4.0 RC3
- Core: - Core:
. Fixed bug #60444 (Segmentation fault with include & class extending).
(Laruence, Dmitry).
. Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e). . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
(php at mickweiss dot com) (php at mickweiss dot com)
. Fixed bug #60240 (invalid read/writes when unserializing specially crafted . Fixed bug #60240 (invalid read/writes when unserializing specially crafted

1
main/main.c
View file

@ -531,6 +531,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)

1
main/php_globals.h
View file

@ -146,6 +146,7 @@ struct _php_core_globals {
zend_bool com_initialized; zend_bool com_initialized;
#endif #endif
long max_input_nesting_level; long max_input_nesting_level;
long max_input_vars;
zend_bool in_user_include; zend_bool in_user_include;
char *user_ini_filename; char *user_ini_filename;

6
main/php_variables.c
View file

@ -179,6 +179,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
escaped_index = index; escaped_index = index;
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
}
MAKE_STD_ZVAL(gpc_element); MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element); array_init(gpc_element);
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@ -220,6 +223,9 @@ plain_var:
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element); zval_ptr_dtor(&gpc_element);
} else { } else {
if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
}
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
} }
if (escaped_index != index) { if (escaped_index != index) {