The attached patch fixes CVE-2007-1285 (crash caused by nesting variables in
input) for the 4.x branch — the release notes say it is fixed, but in fact it
never was.
Objections?
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/
Index: main/main.c
===================================================================
RCS file: /repository/php-src/main/main.c,v
retrieving revision 1.512.2.63.2.14
diff -u -b -r1.512.2.63.2.14 main.c
--- main/main.c 1 Jan 2007 09:46:50 -0000 1.512.2.63.2.14
+++ main/main.c 21 May 2007 18:43:50 -0000
@@ -338,6 +338,7 @@
STD_PHP_INI_ENTRY("upload_max_filesize", "2M",
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt,
upload_max_filesize, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("post_max_size", "8M",
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt,
post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL,
PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir,
php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "500",
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero,
max_input_nesting_level, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL,
PHP_INI_SYSTEM, OnUpdateString, user_dir,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", NULL,
PHP_INI_ALL, OnUpdateStringUnempty, variables_order,
php_core_globals, core_globals)
Index: main/php_globals.h
===================================================================
RCS file: /repository/php-src/main/php_globals.h,v
retrieving revision 1.84.2.6.8.2
diff -u -b -r1.84.2.6.8.2 php_globals.h
--- main/php_globals.h 1 Jan 2007 09:46:50 -0000 1.84.2.6.8.2
+++ main/php_globals.h 21 May 2007 18:43:50 -0000
@@ -141,6 +141,7 @@
zend_bool always_populate_raw_post_data;
long serialize_precision;
+ long max_input_nesting_level;
};
Index: main/php_variables.c
===================================================================
RCS file: /repository/php-src/main/php_variables.c,v
retrieving revision 1.45.2.13.2.10
diff -u -b -r1.45.2.13.2.10 php_variables.c
--- main/php_variables.c 13 Apr 2007 00:42:48 -0000 1.45.2.13.2.10
+++ main/php_variables.c 21 May 2007 18:43:50 -0000
@@ -66,6 +66,7 @@
zval *gpc_element, **gpc_element_p;
zend_bool is_array;
HashTable *symtable1=NULL;
+ int nest_level = 0;
assert(var != NULL);
@@ -128,6 +129,10 @@
char *escaped_index = NULL, *index_s;
int new_idx_len = 0;
+ if(++nest_level > PG(max_input_nesting_level)) {
+ /* too many levels of nesting */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR,
"Input variable nesting level more than allowed %d (change
max_input_nesting_level in php.ini to increase the limit)",
PG(max_input_nesting_level));
+ }
ip++;
index_s = ip;
if (isspace(*ip)) {
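Review bot: The php_error_docref format string prints `PG(max_input_nesting_level)` with `%d`, but the php_globals.h hunk declares that field as `long`; on LP64 targets the variadic argument then does not match the conversion, which is undefined behaviour and usually prints garbage. Use `%ld` instead: `"Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)"`. Separately, E_ERROR aborts the whole request for any client that sends an over-nested variable; if the intent is only to stop the recursion, an E_WARNING followed by returning without registering the variable would be the milder option, though whether anything allocated earlier in the function must be released before such a return cannot be seen from this hunk. The enclosing function begins and ends outside the hunk, and the `+` markers on the wrapped continuation lines of the message have been lost in the mail.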