Added max_input_vars directive to prevent attacks based on hash collisions

diff --git a/UPGRADING b/UPGRADING
index 2088a286b3c24fa89def905f4d45f2e37b7692fc..00acc27423a0112d8b9ad0a2d008d2ff2a159e0e 100755 (executable)
--- a/UPGRADING
+++ b/UPGRADING
@@ -75,6 +75,10 @@ UPGRADE NOTES - PHP 5.4
   - safe_mode_protected_env_vars
   - zend.ze1_compatibility_mode
 
+- the following new directives were added
+
+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+    accepted. default value 1000. 
 
 =============================
 2. Reserved words and classes

diff --git a/php.ini-development b/php.ini-development
index e970570460657b8b756ebc0ed01a0fdf81a62cfe..e6a0f6dcc113ea2c1ef836ff4eb860948acd73f3 100644 (file)
--- a/php.ini-development
+++ b/php.ini-development
@@ -397,6 +397,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M

diff --git a/php.ini-production b/php.ini-production
index 11cb31c437b775d42f388487f225a9e79c6e2f19..5a1052fcfea9479bfe4cc28ae4d3be7efc96f02d 100644 (file)
--- a/php.ini-production
+++ b/php.ini-production
@@ -397,6 +397,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M