File php-5.2.14-CVE-2011-4885.patch of Package php-5.2.17

File php-5.2.14-CVE-2011-4885.patch of Package php-5.2.17 (Revision 19)

Currently displaying revision 19, show latest

http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
http://svn.php.net/viewvc?view=revision&revision=321335
Index: php.ini-dist
===================================================================
--- php.ini-dist.orig
+++ php.ini-dist
@@ -255,6 +255,7 @@ expose_php = On
 max_execution_time = 30     ; Maximum execution time of each script, in seconds
 max_input_time = 60	; Maximum amount of time each script may spend parsing request data
 ;max_input_nesting_level = 64 ; Maximum input variable nesting level
+;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted
 memory_limit = 128M      ; Maximum amount of memory a script may consume (128MB)
 
 
Index: php.ini-recommended
===================================================================
--- php.ini-recommended.orig
+++ php.ini-recommended
@@ -306,6 +306,7 @@ expose_php = On
 max_execution_time = 30     ; Maximum execution time of each script, in seconds
 max_input_time = 60	; Maximum amount of time each script may spend parsing request data
 ;max_input_nesting_level = 64 ; Maximum input variable nesting level
+;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted
 memory_limit = 128M      ; Maximum amount of memory a script may consume (128MB)
 
 
Index: main/main.c
===================================================================
--- main/main.c.orig
+++ main/main.c
@@ -439,6 +439,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
+	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
Index: main/php_globals.h
===================================================================
--- main/php_globals.h.orig
+++ main/php_globals.h
@@ -162,6 +162,8 @@ struct _php_core_globals {
 	long max_input_nesting_level;
 	zend_bool in_user_include;
 	zend_bool in_error_log;
+
+	long max_input_vars;
 };
 
 
Index: main/php_variables.c
===================================================================
--- main/php_variables.c.orig
+++ main/php_variables.c
@@ -29,6 +29,7 @@
 #include "SAPI.h"
 #include "php_logos.h"
 #include "zend_globals.h"
+#include "zend_ini.h"
 
 /* for systems that need to override reading of environment variables */
 void _php_import_environment_variables(zval *array_ptr TSRMLS_DC);
@@ -187,9 +188,14 @@ PHPAPI void php_register_variable_ex(cha
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
-					MAKE_STD_ZVAL(gpc_element);
-					array_init(gpc_element);
-					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+						if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+						}
+						MAKE_STD_ZVAL(gpc_element);
+						array_init(gpc_element);
+						zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					}
 				}
 				if (index != escaped_index) {
 					efree(escaped_index);
@@ -232,7 +238,14 @@ plain_var:
 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 				zval_ptr_dtor(&gpc_element);
 			} else {
-				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+					if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					}
+					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				} else {
+					zval_ptr_dtor(&gpc_element);
+				}
 			}
 			if (escaped_index != index) {
 				efree(escaped_index);