Added max_input_vars directive to prevent attacks based on hash collisions

diff --git a/UPGRADING b/UPGRADING
index 1b6c3cc33bf66e82bc21311053c2708a90563c39..fce04afa4913e2553b5bd70117be1d295b4e9356 100755 (executable)
--- a/UPGRADING
+++ b/UPGRADING
@@ -163,6 +163,11 @@ UPGRADE NOTES - PHP 5.3
   xsl.security_prefs. This option will be marked as deprecated in 5.4 again. 
   Use the method XsltProcess::setSecurityPrefs($options) there.
 
+- the following new directives were added
+
+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+    accepted. default value 1000. 
+
 =============
 5. Deprecated
 =============

diff --git a/php.ini-development b/php.ini-development
index b8aef6a374cf3ee3532cd893b9f9a7b7dea8272e..48cc89fa05e51aec82ce65a5c1b4e0f1d833b636 100644 (file)
--- a/php.ini-development
+++ b/php.ini-development
@@ -457,6 +457,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M

diff --git a/php.ini-production b/php.ini-production
index be3b9708f16fa813d36cd5e69d02ff511662b68a..97dbb48580342691dfc340964e39b83f88eb3453 100644 (file)
--- a/php.ini-production
+++ b/php.ini-production
@@ -457,6 +457,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M