From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 15 Dec 2011 08:47:03 +0000 (+0000)
Subject: Added max_input_vars directive to prevent attacks based on hash collisions
X-Git-Tag: php-5.3.9RC4~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0d1998e34ff487aab6451963d60697dd5b5b0115;p=php

Added max_input_vars directive to prevent attacks based on hash collisions
---

diff --git a/NEWS b/NEWS
index 52f1200867..ac14281145 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2011, PHP 5.3.9
 
+- Core:
+  . Added max_input_vars directive to prevent attacks based on hash collisions
+    (Dmitry).
+
 - Streams:
   . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together
     with the last read). (Gustavo)
diff --git a/main/main.c b/main/main.c
index 8e52412cdd..c512f2652d 100644
--- a/main/main.c
+++ b/main/main.c
@@ -512,6 +512,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
+	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
diff --git a/main/php_globals.h b/main/php_globals.h
index f4316fb675..d0be82c0e9 100644
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -174,6 +174,8 @@ struct _php_core_globals {
 #ifdef PHP_WIN32
 	zend_bool windows_show_crt_warning;
 #endif
+
+	long max_input_vars;
 };
 
 
diff --git a/main/php_variables.c b/main/php_variables.c
index 73803e136d..40d549a937 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+					if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					}
 					MAKE_STD_ZVAL(gpc_element);
 					array_init(gpc_element);
 					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -236,6 +239,9 @@ plain_var:
 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 				zval_ptr_dtor(&gpc_element);
 			} else {
+				if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+					php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+				}
 				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 			}
 			if (escaped_index != index) {