Introduced a max_file_uploads INI setting, which is set to limit the

number of file uploads per-request to 100 by default, to prevent possible
DOS via temporary file exhaustion.

diff --git a/NEWS b/NEWS
index 730d887ace9d3ed0503a48f16925d82468fc0e0c..a473c9cf70c3e90b7b3be6b2e55e9c101219c952 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ PHP                                                                        NEWS
 - Implemented FR #49571 (CURLOPT_POSTREDIR not implemented). (Sriram Natarajan)
 - Implemented FR #49253 (added support for libcurl's CERTINFO option).
   (Linus Nielsen Feltzing <linus@haxx.se>)
+
+- Introduced a max_file_uploads INI setting, which is set to limit the
+  number of file uploads per-request to 100 by default, to prevent possible
+  DOS via temporary file exhaustion. (Ilia)
   
 - Fixed memory leak in extension loading when an error occurs on Windows.
   (Pierre)

diff --git a/main/main.c b/main/main.c
index 4236890b332e9d9c8e23055cf23aa082985658e6..08f3cdc3e319da5c6ec3091377c677e5b5a56b4f 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -515,6 +515,7 @@ PHP_INI_BEGIN()
        PHP_INI_ENTRY("mail.force_extra_parameters",NULL,               PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnChangeMailForceExtra)
        PHP_INI_ENTRY("disable_functions",                      "",                     PHP_INI_SYSTEM,         NULL)
        PHP_INI_ENTRY("disable_classes",                        "",                     PHP_INI_SYSTEM,         NULL)
+       PHP_INI_ENTRY("max_file_uploads",                       "100",                  PHP_INI_SYSTEM,         NULL)
 
        STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_fopen,                php_core_globals,               core_globals)
        STD_PHP_INI_BOOLEAN("allow_url_include",        "0",            PHP_INI_SYSTEM,         OnUpdateBool,           allow_url_include,              php_core_globals,               core_globals)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 48130c0de7d5749561ed13f8af1a8e41762fa6b3..ed223122331724ed7fbfe7809d0e4ab57b864d00 100644 (file)
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -795,6 +795,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
        zend_llist header;
        void *event_extra_data = NULL;
        int llen = 0;
+       char *max_uploads = INI_STR("max_file_uploads");
+       int upload_cnt = 0;
+
+       if (max_uploads && *max_uploads) {
+               upload_cnt = atoi(max_uploads);
+       }
 
        if (SG(request_info).content_length > SG(post_max_size)) {
                sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -973,6 +979,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                        /* If file_uploads=off, skip the file part */
                        if (!PG(file_uploads)) {
                                skip_upload = 1;
+                       } else if (upload_cnt <= 0) {
+                               skip_upload = 1;
+                               sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
                        }
 
                        /* Return with an error if the posted data is garbled */
@@ -1017,6 +1026,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
                        if (!skip_upload) {
                                /* Handle file */
                                fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+                               upload_cnt--;
                                if (fd==-1) {
                                        sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
                                        cancel_upload = UPLOAD_ERROR_E;

diff --git a/php.ini-development b/php.ini-development
index cb994bdf116868ae56134ebbb785e79e0785cf8d..a45b67042d8d7530f31691170dbd81e20f3823ff 100644 (file)
--- a/php.ini-development
+++ b/php.ini-development
@@ -878,6 +878,9 @@ file_uploads = On
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

diff --git a/php.ini-production b/php.ini-production
index 3ef0957d75ee38153826f8390975af831f1abb58..9104155c8851a173132ed5865f282ddab3c2938b 100644 (file)
--- a/php.ini-production
+++ b/php.ini-production
@@ -878,6 +878,9 @@ file_uploads = On
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;