dmitry Tue, 14 Feb 2012 08:58:52 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=323202
Log:
Improved max_input_vars directive to check nested variables
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/main/php_variables.c
U php/php-src/branches/PHP_5_3/main/rfc1867.c
U php/php-src/branches/PHP_5_4/NEWS
U php/php-src/branches/PHP_5_4/main/php_variables.c
U php/php-src/branches/PHP_5_4/main/rfc1867.c
U php/php-src/trunk/main/php_variables.c
U php/php-src/trunk/main/rfc1867.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_3/NEWS 2012-02-14 08:58:52 UTC (rev 323202)
@@ -1,6 +1,9 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2012, PHP 5.3.11
+- Core:
+ . Improved max_input_vars directive to check nested variables (Dmitry).
+
- Session:
. Fixed bug #60860 (session.save_handler=user without defined function core
dumps). (Felipe)
Modified: php/php-src/branches/PHP_5_3/main/php_variables.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_3/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -196,21 +196,9 @@
}
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- MAKE_STD_ZVAL(gpc_element);
- array_init(gpc_element);
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- if (index != escaped_index) {
- efree(escaped_index);
- }
- zval_dtor(val);
- efree(var_orig);
- return;
- }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
if (index != escaped_index) {
efree(escaped_index);
@@ -255,14 +243,7 @@
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- zval_ptr_dtor(&gpc_element);
- }
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
if (escaped_index != index) {
efree(escaped_index);
@@ -276,6 +257,7 @@
{
char *var, *val, *e, *s, *p;
zval *array_ptr = (zval *) arg;
+ long count = 0;
if (SG(request_info).post_data == NULL) {
return;
@@ -289,6 +271,10 @@
if ((val = memchr(s, '=', (p - s)))) { /* have a value */
unsigned int val_len, new_val_len;
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ return;
+ }
var = s;
php_url_decode(var, (val - s));
@@ -322,6 +308,7 @@
zval *array_ptr;
int free_buffer = 0;
char *strtok_buf = NULL;
+ long count = 0;
switch (arg) {
case PARSE_POST:
@@ -411,6 +398,11 @@
}
}
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ break;
+ }
+
if (val) { /* have a value */
int val_len;
unsigned int new_val_len;
Modified: php/php-src/branches/PHP_5_3/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_3/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -779,6 +779,7 @@
void *event_extra_data = NULL;
int llen = 0;
int upload_cnt = INI_INT("max_file_uploads");
+ long count = 0;
if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -918,7 +919,7 @@
value = estrdup("");
}
- if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
+ if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
if (php_rfc1867_callback != NULL) {
multipart_event_formdata event_formdata;
size_t newlength = new_val_len;
@@ -945,15 +946,21 @@
#else
safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
#endif
- } else if (php_rfc1867_callback != NULL) {
- multipart_event_formdata event_formdata;
+ } else {
+ if (count == PG(max_input_vars) + 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
- event_formdata.post_bytes_processed = SG(read_post_bytes);
- event_formdata.name = param;
- event_formdata.value = &value;
- event_formdata.length = value_len;
- event_formdata.newlength = NULL;
- php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ if (php_rfc1867_callback != NULL) {
+ multipart_event_formdata event_formdata;
+
+ event_formdata.post_bytes_processed = SG(read_post_bytes);
+ event_formdata.name = param;
+ event_formdata.value = &value;
+ event_formdata.length = value_len;
+ event_formdata.newlength = NULL;
+ php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ }
}
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_4/NEWS 2012-02-14 08:58:52 UTC (rev 323202)
@@ -2,6 +2,7 @@
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Feb 2012, PHP 5.4.0 RC 8
- Core:
+ . Improved max_input_vars directive to check nested variables (Dmitry).
. Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with
$double=false). (Gustavo)
Modified: php/php-src/branches/PHP_5_4/main/php_variables.c
===================================================================
--- php/php-src/branches/PHP_5_4/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_4/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -183,18 +183,9 @@
} else {
if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- MAKE_STD_ZVAL(gpc_element);
- array_init(gpc_element);
- zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- zval_dtor(val);
- free_alloca(var_orig, use_heap);
- return;
- }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
}
symtable1 = Z_ARRVAL_PP(gpc_element_p);
@@ -231,14 +222,7 @@
zend_symtable_exists(symtable1, index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- zval_ptr_dtor(&gpc_element);
- }
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
}
}
@@ -249,6 +233,7 @@
{
char *var, *val, *e, *s, *p;
zval *array_ptr = (zval *) arg;
+ long count = 0;
if (SG(request_info).post_data == NULL) {
return;
@@ -262,6 +247,10 @@
if ((val = memchr(s, '=', (p - s)))) { /* have a value */
unsigned int val_len, new_val_len;
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ return;
+ }
var = s;
php_url_decode(var, (val - s));
@@ -295,6 +284,7 @@
zval *array_ptr;
int free_buffer = 0;
char *strtok_buf = NULL;
+ long count = 0;
switch (arg) {
case PARSE_POST:
@@ -384,6 +374,11 @@
}
}
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ break;
+ }
+
if (val) { /* have a value */
int val_len;
unsigned int new_val_len;
Modified: php/php-src/branches/PHP_5_4/main/rfc1867.c
===================================================================
--- php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -691,6 +691,7 @@
php_rfc1867_getword_t getword;
php_rfc1867_getword_conf_t getword_conf;
php_rfc1867_basename_t _basename;
+ long count = 0;
if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) {
getword = php_rfc1867_getword;
@@ -861,7 +862,7 @@
}
}
- if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
+ if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
if (php_rfc1867_callback != NULL) {
multipart_event_formdata event_formdata;
size_t newlength = new_val_len;
@@ -879,15 +880,21 @@
new_val_len = newlength;
}
safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
- } else if (php_rfc1867_callback != NULL) {
- multipart_event_formdata event_formdata;
+ } else {
+ if (count == PG(max_input_vars) + 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
+
+ if (php_rfc1867_callback != NULL) {
+ multipart_event_formdata event_formdata;
- event_formdata.post_bytes_processed = SG(read_post_bytes);
- event_formdata.name = param;
- event_formdata.value = &value;
- event_formdata.length = value_len;
- event_formdata.newlength = NULL;
- php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ event_formdata.post_bytes_processed = SG(read_post_bytes);
+ event_formdata.name = param;
+ event_formdata.value = &value;
+ event_formdata.length = value_len;
+ event_formdata.newlength = NULL;
+ php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ }
}
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
Modified: php/php-src/trunk/main/php_variables.c
===================================================================
--- php/php-src/trunk/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/trunk/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -183,18 +183,9 @@
} else {
if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- MAKE_STD_ZVAL(gpc_element);
- array_init(gpc_element);
- zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- zval_dtor(val);
- free_alloca(var_orig, use_heap);
- return;
- }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
}
symtable1 = Z_ARRVAL_PP(gpc_element_p);
@@ -231,14 +222,7 @@
zend_symtable_exists(symtable1, index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
- if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
- if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
- }
- zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
- } else {
- zval_ptr_dtor(&gpc_element);
- }
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
}
}
@@ -249,6 +233,7 @@
{
char *var, *val, *e, *s, *p;
zval *array_ptr = (zval *) arg;
+ long count = 0;
if (SG(request_info).post_data == NULL) {
return;
@@ -262,6 +247,10 @@
if ((val = memchr(s, '=', (p - s)))) { /* have a value */
unsigned int val_len, new_val_len;
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ return;
+ }
var = s;
php_url_decode(var, (val - s));
@@ -295,6 +284,7 @@
zval *array_ptr;
int free_buffer = 0;
char *strtok_buf = NULL;
+ long count = 0;
switch (arg) {
case PARSE_POST:
@@ -384,6 +374,11 @@
}
}
+ if (++count > PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ break;
+ }
+
if (val) { /* have a value */
int val_len;
unsigned int new_val_len;
Modified: php/php-src/trunk/main/rfc1867.c
===================================================================
--- php/php-src/trunk/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201)
+++ php/php-src/trunk/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202)
@@ -691,6 +691,7 @@
php_rfc1867_getword_t getword;
php_rfc1867_getword_conf_t getword_conf;
php_rfc1867_basename_t _basename;
+ long count = 0;
if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) {
getword = php_rfc1867_getword;
@@ -861,7 +862,7 @@
}
}
- if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
+ if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) {
if (php_rfc1867_callback != NULL) {
multipart_event_formdata event_formdata;
size_t newlength = new_val_len;
@@ -879,15 +880,21 @@
new_val_len = newlength;
}
safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC);
- } else if (php_rfc1867_callback != NULL) {
- multipart_event_formdata event_formdata;
+ } else {
+ if (count == PG(max_input_vars) + 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
+
+ if (php_rfc1867_callback != NULL) {
+ multipart_event_formdata event_formdata;
- event_formdata.post_bytes_processed = SG(read_post_bytes);
- event_formdata.name = param;
- event_formdata.value = &value;
- event_formdata.length = value_len;
- event_formdata.newlength = NULL;
- php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ event_formdata.post_bytes_processed = SG(read_post_bytes);
+ event_formdata.name = param;
+ event_formdata.value = &value;
+ event_formdata.length = value_len;
+ event_formdata.newlength = NULL;
+ php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC);
+ }
}
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
