iliaa                                    Tue, 27 Oct 2009 16:13:48 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=289990

Log:
Introduced a max_file_uploads INI setting, which is set to limit the
number of file uploads per-request to 100 by default, to prevent possible
DOS via temporary file exhaustion.

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/main/main.c
    U   php/php-src/branches/PHP_5_2/main/php_version.h
    U   php/php-src/branches/PHP_5_2/main/rfc1867.c
    U   php/php-src/branches/PHP_5_2/php.ini-dist
    U   php/php-src/branches/PHP_5_2/php.ini-recommended
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/main/main.c
    U   php/php-src/branches/PHP_5_3/main/rfc1867.c
    U   php/php-src/branches/PHP_5_3/php.ini-development
    U   php/php-src/branches/PHP_5_3/php.ini-production
    U   php/php-src/trunk/main/main.c
    U   php/php-src/trunk/main/rfc1867.c
    U   php/php-src/trunk/php.ini-development
    U   php/php-src/trunk/php.ini-production

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/NEWS	2009-10-27 16:13:48 UTC (rev 289990)
@@ -3,6 +3,9 @@
 ?? ??? 2009, PHP 5.2.12
 - Updated timezone database to version 2009.14 (2009n). (Derick)

+- Introduced a max_file_uploads INI setting, which is set to limit the
+  number of file uploads per-request to 100 by default, to prevent possible
+  DOS via temporary file exhaustion. (Ilia)
 - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
   (Rasmus)
 - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz

Modified: php/php-src/branches/PHP_5_2/main/main.c
===================================================================
--- php/php-src/branches/PHP_5_2/main/main.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/main.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -452,6 +452,7 @@
 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+	PHP_INI_ENTRY("max_file_uploads",			"100",			PHP_INI_SYSTEM,		NULL)

 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,	core_globals)

Modified: php/php-src/branches/PHP_5_2/main/php_version.h
===================================================================
--- php/php-src/branches/PHP_5_2/main/php_version.h	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/php_version.h	2009-10-27 16:13:48 UTC (rev 289990)
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 2
-#define PHP_RELEASE_VERSION 12
+#define PHP_RELEASE_VERSION 11
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.2.12-dev"
-#define PHP_VERSION_ID 50212
+#define PHP_VERSION "5.2.11-dev"
+#define PHP_VERSION_ID 50211

Modified: php/php-src/branches/PHP_5_2/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_2/main/rfc1867.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/main/rfc1867.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -32,6 +32,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "php_ini.h"

 #define DEBUG_FILE_UPLOAD ZEND_DEBUG

@@ -794,7 +795,13 @@
 	zend_llist header;
 	void *event_extra_data = NULL;
 	int llen = 0;
+	char *max_uploads = INI_STR("max_file_uploads");
+	int upload_cnt = 0;

+	if (max_uploads && *max_uploads) {
+		upload_cnt = atoi(max_uploads);
+	}
+
 	if (SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
 		return;
@@ -972,6 +979,9 @@
 			/* If file_uploads=off, skip the file part */
 			if (!PG(file_uploads)) {
 				skip_upload = 1;
+			} else if (upload_cnt <= 0) {
+				skip_upload = 1;
+				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 			}

 			/* Return with an error if the posted data is garbled */
@@ -1016,6 +1026,7 @@
 			if (!skip_upload) {
 				/* Handle file */
 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+				upload_cnt--;
 				if (fd==-1) {
 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 					cancel_upload = UPLOAD_ERROR_E;

Modified: php/php-src/branches/PHP_5_2/php.ini-dist
===================================================================
--- php/php-src/branches/PHP_5_2/php.ini-dist	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/php.ini-dist	2009-10-27 16:13:48 UTC (rev 289990)
@@ -552,6 +552,9 @@
 upload_max_filesize = 2M


+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

Modified: php/php-src/branches/PHP_5_2/php.ini-recommended
===================================================================
--- php/php-src/branches/PHP_5_2/php.ini-recommended	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_2/php.ini-recommended	2009-10-27 16:13:48 UTC (rev 289990)
@@ -603,6 +603,9 @@
 upload_max_filesize = 2M


+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/NEWS	2009-10-27 16:13:48 UTC (rev 289990)
@@ -7,6 +7,10 @@
 - Implemented FR #49571 (CURLOPT_POSTREDIR not implemented). (Sriram Natarajan)
 - Implemented FR #49253 (added support for libcurl's CERTINFO option).
   (Linus Nielsen Feltzing <li...@haxx.se>)
+
+- Introduced a max_file_uploads INI setting, which is set to limit the
+  number of file uploads per-request to 100 by default, to prevent possible
+  DOS via temporary file exhaustion. (Ilia)

 - Fixed memory leak in extension loading when an error occurs on Windows.
   (Pierre)

Modified: php/php-src/branches/PHP_5_3/main/main.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/main.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/main/main.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -515,6 +515,7 @@
 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+	PHP_INI_ENTRY("max_file_uploads",			"100",			PHP_INI_SYSTEM,		NULL)

 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)

Modified: php/php-src/branches/PHP_5_3/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/rfc1867.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/main/rfc1867.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -795,7 +795,13 @@
 	zend_llist header;
 	void *event_extra_data = NULL;
 	int llen = 0;
+	char *max_uploads = INI_STR("max_file_uploads");
+	int upload_cnt = 0;

+	if (max_uploads && *max_uploads) {
+		upload_cnt = atoi(max_uploads);
+	}
+
 	if (SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
 		return;
@@ -973,6 +979,9 @@
 			/* If file_uploads=off, skip the file part */
 			if (!PG(file_uploads)) {
 				skip_upload = 1;
+			} else if (upload_cnt <= 0) {
+				skip_upload = 1;
+				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 			}

 			/* Return with an error if the posted data is garbled */
@@ -1017,6 +1026,7 @@
 			if (!skip_upload) {
 				/* Handle file */
 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+				upload_cnt--;
 				if (fd==-1) {
 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 					cancel_upload = UPLOAD_ERROR_E;

Modified: php/php-src/branches/PHP_5_3/php.ini-development
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-development	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/php.ini-development	2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M

+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

Modified: php/php-src/branches/PHP_5_3/php.ini-production
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-production	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/branches/PHP_5_3/php.ini-production	2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M

+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

Modified: php/php-src/trunk/main/main.c
===================================================================
--- php/php-src/trunk/main/main.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/main/main.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -602,6 +602,7 @@
 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
+	PHP_INI_ENTRY("max_file_uploads",			"100",			PHP_INI_SYSTEM,		NULL)

 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_ALL,		OnUpdateAllowUrl,	allow_url_fopen_list,	php_core_globals,	core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_ALL,		OnUpdateAllowUrl,	allow_url_include_list,	php_core_globals,	core_globals)

Modified: php/php-src/trunk/main/rfc1867.c
===================================================================
--- php/php-src/trunk/main/rfc1867.c	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/main/rfc1867.c	2009-10-27 16:13:48 UTC (rev 289990)
@@ -594,7 +594,13 @@
 	zend_llist header;
 	void *event_extra_data = NULL;
 	int llen = 0;
+	char *max_uploads = INI_STR("max_file_uploads");
+	int upload_cnt = 0;

+	if (max_uploads && *max_uploads) {
+		upload_cnt = atoi(max_uploads);
+	}
+
 	if (SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
 		return;
@@ -740,6 +746,9 @@
 			/* If file_uploads=off, skip the file part */
 			if (!PG(file_uploads)) {
 				skip_upload = 1;
+			} else if (upload_cnt <= 0) {
+				skip_upload = 1;
+				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
 			}

 			/* Return with an error if the posted data is garbled */
@@ -784,6 +793,7 @@
 			if (!skip_upload) {
 				/* Handle file */
 				fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
+				upload_cnt--;
 				if (fd==-1) {
 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
 					cancel_upload = UPLOAD_ERROR_E;

Modified: php/php-src/trunk/php.ini-development
===================================================================
--- php/php-src/trunk/php.ini-development	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/php.ini-development	2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M

+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;

Modified: php/php-src/trunk/php.ini-production
===================================================================
--- php/php-src/trunk/php.ini-production	2009-10-27 14:42:50 UTC (rev 289989)
+++ php/php-src/trunk/php.ini-production	2009-10-27 16:13:48 UTC (rev 289990)
@@ -878,6 +878,9 @@
 ; http://php.net/upload-max-filesize
 upload_max_filesize = 2M

+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
 ;;;;;;;;;;;;;;;;;;
 ; Fopen wrappers ;
 ;;;;;;;;;;;;;;;;;;
-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to