Introduced a max_file_uploads INI setting, which is set to limit the

number of file uploads per-request to 100 by default, to prevent possible
DOS via temporary file exhaustion.

diff --git a/NEWS b/NEWS
index 0d3f35f97a54e4e887daaf3e14a17a0e683cb6ad..173416f063a22773973a5675c0c07d71aec63365 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ PHP                                                                        NEWS
 ?? ??? 2009, PHP 5.2.12
 - Updated timezone database to version 2009.14 (2009n). (Derick)
 
+- Introduced a max_file_uploads INI setting, which is set to limit the
+  number of file uploads per-request to 100 by default, to prevent possible
+  DOS via temporary file exhaustion. (Ilia)
 - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.  
   (Rasmus)
 - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz 

diff --git a/main/main.c b/main/main.c
index c47dffed3f151937fa69a4b95719e29b622ef63d..ceeb25c36e29f64c0991557736707b011dc16818 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -452,6 +452,7 @@ PHP_INI_BEGIN()
        PHP_INI_ENTRY("mail.force_extra_parameters",NULL,               PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnChangeMailForceExtra)
        PHP_INI_ENTRY("disable_functions",                      "",                     PHP_INI_SYSTEM,         NULL)
        PHP_INI_ENTRY("disable_classes",                        "",                     PHP_INI_SYSTEM,         NULL)
+       PHP_INI_ENTRY("max_file_uploads",                       "100",                  PHP_INI_SYSTEM,         NULL)
 
        STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_fopen,                php_core_globals,       core_globals)
        STD_PHP_INI_BOOLEAN("allow_url_include",        "0",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_include,              php_core_globals,       core_globals)

diff --git a/main/php_version.h b/main/php_version.h
index 473ba21013de3cbfcf387eee32040065c86e468d..38bd4b0030cecf1259400708f737d574d216897b 100644 (file)
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 12
+#define PHP_RELEASE_VERSION 11
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.2.12-dev"
-#define PHP_VERSION_ID 50212
+#define PHP_VERSION "5.2.11-dev"
+#define PHP_VERSION_ID 50211

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 331c5bd3941e7e5971ff3d41fd42a27b54434cb1..730a5200555cd80a869e26f6a724967f5c59ac5d 100644 (file)
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -32,6 +32,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "php_ini.h"
 
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
 
@@ -794,6 +795,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
        zend_llist header;
        void *event_extra_data = NULL;
        int llen = 0;
+       char *max_uploads = INI_STR("max_file_uploads");
+       int upload_cnt = 0;
+
+       if (max_uploads && *max_uploads) {
+               upload_cnt = atoi(max_uploads);
+       }
 
        if (SG(request_info).content_length > SG(post_max_size)) {
                sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -972,6 +979,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                        /* If file_uploads=off, skip the file part */
                        if (!PG(file_uploads)) {
                                skip_upload = 1;
+                       } else if (upload_cnt <= 0) {
+                               skip_upload = 1;
+                               sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
                        }
 
                        /* Return with an error if the posted data is garbled */
@@ -1016,6 +1026,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                        if (!skip_upload) {
                                /* Handle file */
                                fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+                               upload_cnt--;
                                if (fd==-1) {
                                        sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
                                        cancel_upload = UPLOAD_ERROR_E;

diff --git a/php.ini-dist b/php.ini-dist
index 9c5d6b1188c89f3726b423193623143ce8ce54f1..b7b26d4357e3fc38590644bc6713ed978698d04f 100644 (file)
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -552,6 +552,9 @@ file_uploads = On
 upload_max_filesize = 2M
 
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

diff --git a/php.ini-recommended b/php.ini-recommended
index 784912ebb0a0f856584bd21eafb5ae3cfa96321a..c33d93854a8eea6515d6c2b7ccef8fbf54f11815 100644 (file)
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -603,6 +603,9 @@ file_uploads = On
 upload_max_filesize = 2M
 
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;