]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f94cc91)
Added max_input_vars directive to prevent attacks based on hash collisions
authorDmitry Stogov <dmitry@php.net>
Wed, 14 Dec 2011 08:56:35 +0000 (08:56 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 14 Dec 2011 08:56:35 +0000 (08:56 +0000)
NEWS patch | blob | history
main/main.c patch | blob | history
main/php_globals.h patch | blob | history
main/php_variables.c patch | blob | history

diff --git a/NEWS b/NEWS
index 82d394b06d8b546852d0452ca0329ff1b685d5ea..9d94c7ca8c9fd5e3ebf8eaee42f83623b631540e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Dec 2011, PHP 5.4.0 RC4
+- Core:
+  . Added max_input_vars directive to prevent attacks based on hash collisions
+    (Dmitry).
 - CLI SAPI:
   . Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
     one 200 RQ and one 404). (Laruence)
@@ -9,6 +12,8 @@ PHP                                                                        NEWS
 
 08 Dec 2011, PHP 5.4.0 RC3
 - Core:
+  . Fixed bug #60444 (Segmentation fault with include & class extending).
+    (Laruence, Dmitry).
   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
     (php at mickweiss dot com)
   . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
diff --git a/main/main.c b/main/main.c
index b92e2d70468c83376e200f5a782cca7066325786..5c25ac4f4c96c6ace8b162d4a5e1172075ab249a 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -531,6 +531,7 @@ PHP_INI_BEGIN()
        STD_PHP_INI_ENTRY("post_max_size",                      "8M",           PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLong,                   post_max_size,                  sapi_globals_struct,sapi_globals)
        STD_PHP_INI_ENTRY("upload_tmp_dir",                     NULL,           PHP_INI_SYSTEM,         OnUpdateStringUnempty,  upload_tmp_dir,                 php_core_globals,       core_globals)
        STD_PHP_INI_ENTRY("max_input_nesting_level", "64",              PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     max_input_nesting_level,                        php_core_globals,       core_globals)
+       STD_PHP_INI_ENTRY("max_input_vars",                     "1000",         PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     max_input_vars,                                         php_core_globals,       core_globals)
 
        STD_PHP_INI_ENTRY("user_dir",                           NULL,           PHP_INI_SYSTEM,         OnUpdateString,                 user_dir,                               php_core_globals,       core_globals)
        STD_PHP_INI_ENTRY("variables_order",            "EGPCS",        PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateStringUnempty,  variables_order,                php_core_globals,       core_globals)
diff --git a/main/php_globals.h b/main/php_globals.h
index bfd1c6025f8b2052ce98c32f0718ddb5dce206a9..70238d68fe5a6f90ef48d86b9d7dfefe140c24f4 100644 (file)
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -146,6 +146,7 @@ struct _php_core_globals {
        zend_bool com_initialized;
 #endif
        long max_input_nesting_level;
+       long max_input_vars;
        zend_bool in_user_include;
 
        char *user_ini_filename;
diff --git a/main/php_variables.c b/main/php_variables.c
index cfb238021077a8133c51c21baddc7c69e67814cd..976e9d5066446c957f8b9d3ba7fbf573e26a85d6 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -179,6 +179,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
                                escaped_index = index;
                                if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
                                        || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+                                       if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+                                               php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+                                       }
                                        MAKE_STD_ZVAL(gpc_element);
                                        array_init(gpc_element);
                                        zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -220,6 +223,9 @@ plain_var:
                                zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
                                zval_ptr_dtor(&gpc_element);
                        } else {
+                               if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+                                       php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+                               }
                                zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
                        }
                        if (escaped_index != index) {
Unnamed repository; edit this file 'description' to name the repository.