From: Ilia Alshanetsky Date: Tue, 27 Oct 2009 16:13:48 +0000 (+0000) Subject: Introduced a max_file_uploads INI setting, which is set to limit the X-Git-Tag: php-5.3.2RC1~304 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e2211cee86982758a8cf06a10ed8ead0bfc32635;p=php Introduced a max_file_uploads INI setting, which is set to limit the number of file uploads per-request to 100 by default, to prevent possible DOS via temporary file exhaustion. --- diff --git a/NEWS b/NEWS index 730d887ace..a473c9cf70 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,10 @@ PHP NEWS - Implemented FR #49571 (CURLOPT_POSTREDIR not implemented). (Sriram Natarajan) - Implemented FR #49253 (added support for libcurl's CERTINFO option). (Linus Nielsen Feltzing ) + +- Introduced a max_file_uploads INI setting, which is set to limit the + number of file uploads per-request to 100 by default, to prevent possible + DOS via temporary file exhaustion. (Ilia) - Fixed memory leak in extension loading when an error occurs on Windows. (Pierre) diff --git a/main/main.c b/main/main.c index 4236890b33..08f3cdc3e3 100644 --- a/main/main.c +++ b/main/main.c @@ -515,6 +515,7 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) diff --git a/main/rfc1867.c b/main/rfc1867.c index 48130c0de7..ed22312233 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -795,6 +795,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) zend_llist header; void *event_extra_data = NULL; int llen = 0; + char *max_uploads = INI_STR("max_file_uploads"); + int upload_cnt = 0; + + if (max_uploads && *max_uploads) { + upload_cnt = atoi(max_uploads); + } if (SG(request_info).content_length > SG(post_max_size)) { sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); @@ -973,6 +979,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* If file_uploads=off, skip the file part */ if (!PG(file_uploads)) { skip_upload = 1; + } else if (upload_cnt <= 0) { + skip_upload = 1; + sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); } /* Return with an error if the posted data is garbled */ @@ -1017,6 +1026,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) if (!skip_upload) { /* Handle file */ fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); + upload_cnt--; if (fd==-1) { sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); cancel_upload = UPLOAD_ERROR_E; diff --git a/php.ini-development b/php.ini-development index cb994bdf11..a45b67042d 100644 --- a/php.ini-development +++ b/php.ini-development @@ -878,6 +878,9 @@ file_uploads = On ; http://php.net/upload-max-filesize upload_max_filesize = 2M +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 100 + ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;; diff --git a/php.ini-production b/php.ini-production index 3ef0957d75..9104155c88 100644 --- a/php.ini-production +++ b/php.ini-production @@ -878,6 +878,9 @@ file_uploads = On ; http://php.net/upload-max-filesize upload_max_filesize = 2M +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 100 + ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;;