iliaa Tue, 27 Oct 2009 16:13:48 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=289990
Log:
Introduced a max_file_uploads INI setting, which is set to limit the
number of file uploads per-request to 100 by default, to prevent possible
DOS via temporary file exhaustion.
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/main/main.c
U php/php-src/branches/PHP_5_2/main/php_version.h
U php/php-src/branches/PHP_5_2/main/rfc1867.c
U php/php-src/branches/PHP_5_2/php.ini-dist
U php/php-src/branches/PHP_5_2/php.ini-recommended
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/main/main.c
U php/php-src/branches/PHP_5_3/main/rfc1867.c
U php/php-src/branches/PHP_5_3/php.ini-development
U php/php-src/branches/PHP_5_3/php.ini-production
U php/php-src/trunk/main/main.c
U php/php-src/trunk/main/rfc1867.c
U php/php-src/trunk/php.ini-development
U php/php-src/trunk/php.ini-production
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/NEWS 2009-10-27 16:13:48 UTC (rev 289990)
@@ -3,6 +3,9 @@
?? ??? 2009, PHP 5.2.12
- Updated timezone database to version 2009.14 (2009n). (Derick)
+- Introduced a max_file_uploads INI setting, which is set to limit the
+ number of file uploads per-request to 100 by default, to prevent possible
+ DOS via temporary file exhaustion. (Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
(Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
Modified: php/php-src/branches/PHP_5_2/main/main.c
===================================================================
--- php/php-src/branches/PHP_5_2/main/main.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/main.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -452,6 +452,7 @@
PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
Modified: php/php-src/branches/PHP_5_2/main/php_version.h
===================================================================
--- php/php-src/branches/PHP_5_2/main/php_version.h 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/php_version.h 2009-10-27 16:13:48 UTC (rev 289990)
@@ -2,7 +2,7 @@
/* edit configure.in to change version number */
#define PHP_MAJOR_VERSION 5
#define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 12
+#define PHP_RELEASE_VERSION 11
#define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.2.12-dev"
-#define PHP_VERSION_ID 50212
+#define PHP_VERSION "5.2.11-dev"
+#define PHP_VERSION_ID 50211
Modified: php/php-src/branches/PHP_5_2/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_2/main/rfc1867.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/rfc1867.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -32,6 +32,7 @@
#include "php_globals.h"
#include "php_variables.h"
#include "rfc1867.h"
+#include "php_ini.h"
#define DEBUG_FILE_UPLOAD ZEND_DEBUG
@@ -794,7 +795,13 @@
zend_llist header;
void *event_extra_data = NULL;
int llen = 0;
+ char *max_uploads = INI_STR("max_file_uploads");
+ int upload_cnt = 0;
+ if (max_uploads && *max_uploads) {
+ upload_cnt = atoi(max_uploads);
+ }
+
if (SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
return;
@@ -972,6 +979,9 @@
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
}
/* Return with an error if the posted data is garbled */
@@ -1016,6 +1026,7 @@
if (!skip_upload) {
/* Handle file */
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+ upload_cnt--;
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;
Modified: php/php-src/branches/PHP_5_2/php.ini-dist
===================================================================
--- php/php-src/branches/PHP_5_2/php.ini-dist 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/php.ini-dist 2009-10-27 16:13:48 UTC (rev 289990)
@@ -552,6 +552,9 @@
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
Modified: php/php-src/branches/PHP_5_2/php.ini-recommended
===================================================================
--- php/php-src/branches/PHP_5_2/php.ini-recommended 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/php.ini-recommended 2009-10-27 16:13:48 UTC (rev 289990)
@@ -603,6 +603,9 @@
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/NEWS 2009-10-27 16:13:48 UTC (rev 289990)
@@ -7,6 +7,10 @@
- Implemented FR #49571 (CURLOPT_POSTREDIR not implemented). (Sriram Natarajan)
- Implemented FR #49253 (added support for libcurl's CERTINFO option).
(Linus Nielsen Feltzing <li...@haxx.se>)
+
+- Introduced a max_file_uploads INI setting, which is set to limit the
+ number of file uploads per-request to 100 by default, to prevent possible
+ DOS via temporary file exhaustion. (Ilia)
- Fixed memory leak in extension loading when an error occurs on Windows.
(Pierre)
Modified: php/php-src/branches/PHP_5_3/main/main.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/main.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/main/main.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -515,6 +515,7 @@
PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
Modified: php/php-src/branches/PHP_5_3/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/rfc1867.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/main/rfc1867.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -795,7 +795,13 @@
zend_llist header;
void *event_extra_data = NULL;
int llen = 0;
+ char *max_uploads = INI_STR("max_file_uploads");
+ int upload_cnt = 0;
+ if (max_uploads && *max_uploads) {
+ upload_cnt = atoi(max_uploads);
+ }
+
if (SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
return;
@@ -973,6 +979,9 @@
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
}
/* Return with an error if the posted data is garbled */
@@ -1017,6 +1026,7 @@
if (!skip_upload) {
/* Handle file */
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+ upload_cnt--;
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;
Modified: php/php-src/branches/PHP_5_3/php.ini-development
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-development 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/php.ini-development 2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
Modified: php/php-src/branches/PHP_5_3/php.ini-production
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-production 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/php.ini-production 2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
Modified: php/php-src/trunk/main/main.c
===================================================================
--- php/php-src/trunk/main/main.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/main/main.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -602,6 +602,7 @@
PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_fopen_list, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_include_list, php_core_globals, core_globals)
Modified: php/php-src/trunk/main/rfc1867.c
===================================================================
--- php/php-src/trunk/main/rfc1867.c 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/main/rfc1867.c 2009-10-27 16:13:48 UTC (rev 289990)
@@ -594,7 +594,13 @@
zend_llist header;
void *event_extra_data = NULL;
int llen = 0;
+ char *max_uploads = INI_STR("max_file_uploads");
+ int upload_cnt = 0;
+ if (max_uploads && *max_uploads) {
+ upload_cnt = atoi(max_uploads);
+ }
+
if (SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
return;
@@ -740,6 +746,9 @@
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
}
/* Return with an error if the posted data is garbled */
@@ -784,6 +793,7 @@
if (!skip_upload) {
/* Handle file */
fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
+ upload_cnt--;
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;
Modified: php/php-src/trunk/php.ini-development
===================================================================
--- php/php-src/trunk/php.ini-development 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/php.ini-development 2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
Modified: php/php-src/trunk/php.ini-production
===================================================================
--- php/php-src/trunk/php.ini-production 2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/php.ini-production 2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
