Improved fix for MOPB-02-2007

diff --git a/NEWS b/NEWS
index e2ac69de2038341557b9fc4c7bc383a4413d7797..30121bbfecc06988825b4da5472163942eff64cb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2007, PHP 5.2.4
+- Improved fix for MOPB-02-2007. (Ilia)
 - Fixed bug #41518 (file_exists() warns of open_basedir restriction on 
   non-existent file). (Tony)
 - Fixed bug #39330 (apache2handler does not call shutdown actions before 

diff --git a/main/php_variables.c b/main/php_variables.c
index 0de1bd6574a3fe50fbc6956de384e36c4e6eea7f..cd4db41a6eb196a919e14021d0782ecbc7ee43e2 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -125,8 +125,22 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, zval *track_vars_arra
                        int new_idx_len = 0;
 
                        if(++nest_level > PG(max_input_nesting_level)) {
+                               HashTable *ht;
                                /* too many levels of nesting */
-                               php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+
+                               if (track_vars_array) {
+                                       ht = Z_ARRVAL_P(track_vars_array);
+                               } else if (PG(register_globals)) {
+                                       ht = EG(active_symbol_table);
+                               }
+
+                               zend_hash_del(ht, var, var_len + 1);
+                               zval_dtor(val);
+
+                               if (!PG(display_errors)) {
+                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+                               }
+                               return;
                        }
 
                        ip++;
@@ -142,9 +156,9 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, zval *track_vars_arra
                                        /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
                                        *(index_s - 1) = '_';
 
-                                       index_len = var_len = 0;
+                                       index_len = 0;
                                        if (index) {
-                                               index_len = var_len = strlen(index);
+                                               index_len = strlen(index);
                                        }
                                        goto plain_var;
                                        return;

diff --git a/tests/basic/027.phpt b/tests/basic/027.phpt
new file mode 100644 (file)
index 0000000..18b17bc
--- /dev/null
+++ b/tests/basic/027.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Handling of max_input_nesting_level being reached
+--INI--
+magic_quotes_gpc=0
+always_populate_raw_post_data=0
+display_errors=0
+max_input_nesting_level=10
+track_errors=1
+log_errors=0
+--SKIPIF--
+<?php if (php_sapi_name()=='cli') echo 'skip'; ?>
+--POST--
+a=1&b=ZYX&c[][][][][][][][][][][][][][][][][][][][][][]=123&d=123&e[][]][]=3
+--FILE--
+<?php
+var_dump($_POST, $php_errormsg);
+?>
+--EXPECT--
+array(4) {
+  ["a"]=>
+  string(1) "1"
+  ["b"]=>
+  string(3) "ZYX"
+  ["d"]=>
+  string(3) "123"
+  ["e"]=>
+  array(1) {
+    [0]=>
+    array(1) {
+      [0]=>
+      string(1) "3"
+    }
+  }
+}
+string(124) "Unknown: Input variable nesting level more than allowed 10 (change max_input_nesting_level in php.ini to increase the limit)"