From: Ilia Alshanetsky
Date: Tue, 27 Oct 2009 16:13:48 +0000 (+0000)
Subject: Introduced a max_file_uploads INI setting, which is set to limit the
X-Git-Tag: php-5.4.0alpha1~191^2~2456
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e5f61656c6b867abb04f16106d0928faa1dece3;p=php

Introduced a max_file_uploads INI setting, which is set to limit the number of file uploads per-request to 100 by default, to prevent possible DOS via temporary file exhaustion.
---
diff --git a/main/main.c b/main/main.c
index 14c6559cb7..ac5a502a19 100644
--- a/main/main.c
+++ b/main/main.c
@@ -602,6 +602,7 @@ PHP_INI_BEGIN()
 PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
 PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
 PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
 STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_fopen_list, php_core_globals, core_globals)
 STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_include_list, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 242125a066..fbc3a2e818 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -594,6 +594,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 zend_llist header;
 void *event_extra_data = NULL;
 int llen = 0;
+ char *max_uploads = INI_STR("max_file_uploads");
+ int upload_cnt = 0;
+
+ if (max_uploads && *max_uploads) {
+ upload_cnt = atoi(max_uploads);
+ }
 if (SG(request_info).content_length > SG(post_max_size)) {
 sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
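Review bot: `max_file_uploads` is registered with a NULL handler and kept as a raw string, and the first rfc1867.c hunk converts it with `atoi(max_uploads)` on every request, so nothing validates the value. A non-numeric or negative setting becomes a count of zero or less, which the `upload_cnt <= 0` branch added later in rfc1867_post_handler treats as the limit already being exceeded, rejecting every upload with a misleading warning; an out-of-range number is undefined behaviour for `atoi`. That fails closed, which suits a DoS limit, but it is hard to diagnose. Parsing once through a long-typed entry with `OnUpdateLong`, or with `strtol` plus an end-pointer and range check, would let a bad value be reported when the setting is read, and the php.ini comment should state that 0 turns file uploads off. rfc1867_post_handler's body continues outside the hunk.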
@@ -740,6 +746,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 /* If file_uploads=off, skip the file part */
 if (!PG(file_uploads)) {
 skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 }
 /* Return with an error if the posted data is garbled */
@@ -784,6 +793,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 if (!skip_upload) {
 /* Handle file */
 fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
+ upload_cnt--;
 if (fd==-1) {
 sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 cancel_upload = UPLOAD_ERROR_E;
diff --git a/php.ini-development b/php.ini-development
index cb994bdf11..a45b67042d 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -878,6 +878,9 @@ file_uploads = On
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;
diff --git a/php.ini-production b/php.ini-production
index 3ef0957d75..9104155c88 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -878,6 +878,9 @@ file_uploads = On
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;
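Review bot: The `upload_cnt <= 0` branch calls sapi_error for every file part once the limit is reached, so a single request with many file parts writes one E_WARNING per part and can flood the error log. Warn once per request instead, for example `if (upload_cnt == 0) { upload_cnt = -1; sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); }`, while still setting `skip_upload = 1` for each part. The skipped parts are presumably still read and parsed by the surrounding loop, which lies outside the hunk, so this setting bounds temporary files rather than per-request parsing work. A comment at the branch should say so.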
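Review bot: `upload_cnt--` runs before the `fd==-1` check, so a failed php_open_temporary_fd still consumes one of the allowed uploads. That is the conservative choice for a resource limit, but it is undocumented and easy to "fix" by mistake. Add a comment on the decrement such as `/* count the attempt, not the success: a failed temp file still uses a slot */`. The enclosing `if (!skip_upload)` block continues past the end of the hunk.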