From 10a048bc3f09eb26d719280838a9837b2e931ffc Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 27 Oct 2009 16:13:48 +0000
Subject: [PATCH] Introduced a max_file_uploads INI setting, which is set to
 limit the number of file uploads per-request to 100 by default, to prevent
 possible DOS via temporary file exhaustion.

---
 NEWS                |  3 +++
 main/main.c         |  1 +
 main/php_version.h  |  6 +++---
 main/rfc1867.c      | 11 +++++++++++
 php.ini-dist        |  3 +++
 php.ini-recommended |  3 +++
 6 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 0d3f35f97a..173416f063 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ PHP                                                                        NEWS
 ?? ??? 2009, PHP 5.2.12
 - Updated timezone database to version 2009.14 (2009n). (Derick)
 
+- Introduced a max_file_uploads INI setting, which is set to limit the
+  number of file uploads per-request to 100 by default, to prevent possible
+  DOS via temporary file exhaustion. (Ilia)
 - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.  
   (Rasmus)
 - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz 
diff --git a/main/main.c b/main/main.c
index c47dffed3f..ceeb25c36e 100644
--- a/main/main.c
+++ b/main/main.c
@@ -452,6 +452,7 @@ PHP_INI_BEGIN()
 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+	PHP_INI_ENTRY("max_file_uploads",			"100",			PHP_INI_SYSTEM,		NULL)
 
 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,	core_globals)
diff --git a/main/php_version.h b/main/php_version.h
index 473ba21013..38bd4b0030 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 12
+#define PHP_RELEASE_VERSION 11
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.2.12-dev"
-#define PHP_VERSION_ID 50212
+#define PHP_VERSION "5.2.11-dev"
+#define PHP_VERSION_ID 50211
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 331c5bd394..730a520055 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -32,6 +32,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "php_ini.h"
 
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
 
@@ -794,6 +795,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 	zend_llist header;
 	void *event_extra_data = NULL;
 	int llen = 0;
+	char *max_uploads = INI_STR("max_file_uploads");
+	int upload_cnt = 0;
+
+	if (max_uploads && *max_uploads) {
+		upload_cnt = atoi(max_uploads);
+	}
 
 	if (SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -972,6 +979,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 			/* If file_uploads=off, skip the file part */
 			if (!PG(file_uploads)) {
 				skip_upload = 1;
+			} else if (upload_cnt <= 0) {
+				skip_upload = 1;
+				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 			}
 
 			/* Return with an error if the posted data is garbled */
@@ -1016,6 +1026,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 			if (!skip_upload) {
 				/* Handle file */
 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+				upload_cnt--;
 				if (fd==-1) {
 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 					cancel_upload = UPLOAD_ERROR_E;
diff --git a/php.ini-dist b/php.ini-dist
index 9c5d6b1188..b7b26d4357 100644
--- a/php.ini-dist
+++ b/php.ini-dist
@@ -552,6 +552,9 @@ file_uploads = On
 upload_max_filesize = 2M
 
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;
diff --git a/php.ini-recommended b/php.ini-recommended
index 784912ebb0..c33d93854a 100644
--- a/php.ini-recommended
+++ b/php.ini-recommended
@@ -603,6 +603,9 @@ file_uploads = On
 upload_max_filesize = 2M
 
 
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;
-- 
2.40.0