dmitry Tue, 14 Feb 2012 08:58:52 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=323202
Log: Improved max_input_vars directive to check nested variables Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/main/php_variables.c U php/php-src/branches/PHP_5_3/main/rfc1867.c U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/main/php_variables.c U php/php-src/branches/PHP_5_4/main/rfc1867.c U php/php-src/trunk/main/php_variables.c U php/php-src/trunk/main/rfc1867.c
Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_3/NEWS 2012-02-14 08:58:52 UTC (rev 323202) @@ -1,6 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2012, PHP 5.3.11 +- Core: + . Improved max_input_vars directive to check nested variables (Dmitry). + - Session: . Fixed bug #60860 (session.save_handler=user without defined function core dumps). (Felipe) Modified: php/php-src/branches/PHP_5_3/main/php_variables.c =================================================================== --- php/php-src/branches/PHP_5_3/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_3/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -196,21 +196,9 @@ } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - if (index != escaped_index) { - efree(escaped_index); - } - zval_dtor(val); - efree(var_orig); - return; - } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (index != escaped_index) { efree(escaped_index); @@ -255,14 +243,7 @@ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - zval_ptr_dtor(&gpc_element); - } + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (escaped_index != index) { efree(escaped_index); @@ -276,6 +257,7 @@ { char *var, *val, *e, *s, *p; zval *array_ptr = (zval *) arg; + long count = 0; if (SG(request_info).post_data == NULL) { return; @@ -289,6 +271,10 @@ if ((val = memchr(s, '=', (p - s)))) { /* have a value */ unsigned int val_len, new_val_len; + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + return; + } var = s; php_url_decode(var, (val - s)); @@ -322,6 +308,7 @@ zval *array_ptr; int free_buffer = 0; char *strtok_buf = NULL; + long count = 0; switch (arg) { case PARSE_POST: @@ -411,6 +398,11 @@ } } + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + break; + } + if (val) { /* have a value */ int val_len; unsigned int new_val_len; Modified: php/php-src/branches/PHP_5_3/main/rfc1867.c =================================================================== --- php/php-src/branches/PHP_5_3/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_3/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -779,6 +779,7 @@ void *event_extra_data = NULL; int llen = 0; int upload_cnt = INI_INT("max_file_uploads"); + long count = 0; if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); @@ -918,7 +919,7 @@ value = estrdup(""); } - if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { + if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { if (php_rfc1867_callback != NULL) { multipart_event_formdata event_formdata; size_t newlength = new_val_len; @@ -945,15 +946,21 @@ #else safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); #endif - } else if (php_rfc1867_callback != NULL) { - multipart_event_formdata event_formdata; + } else { + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } - event_formdata.post_bytes_processed = SG(read_post_bytes); - event_formdata.name = param; - event_formdata.value = &value; - event_formdata.length = value_len; - event_formdata.newlength = NULL; - php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; + + event_formdata.post_bytes_processed = SG(read_post_bytes); + event_formdata.name = param; + event_formdata.value = &value; + event_formdata.length = value_len; + event_formdata.newlength = NULL; + php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + } } if (!strcasecmp(param, "MAX_FILE_SIZE")) { Modified: php/php-src/branches/PHP_5_4/NEWS =================================================================== --- php/php-src/branches/PHP_5_4/NEWS 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_4/NEWS 2012-02-14 08:58:52 UTC (rev 323202) @@ -2,6 +2,7 @@ ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? Feb 2012, PHP 5.4.0 RC 8 - Core: + . Improved max_input_vars directive to check nested variables (Dmitry). . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with $double=false). (Gustavo) Modified: php/php-src/branches/PHP_5_4/main/php_variables.c =================================================================== --- php/php-src/branches/PHP_5_4/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_4/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -183,18 +183,9 @@ } else { if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - zval_dtor(val); - free_alloca(var_orig, use_heap); - return; - } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } } symtable1 = Z_ARRVAL_PP(gpc_element_p); @@ -231,14 +222,7 @@ zend_symtable_exists(symtable1, index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - zval_ptr_dtor(&gpc_element); - } + zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } } } @@ -249,6 +233,7 @@ { char *var, *val, *e, *s, *p; zval *array_ptr = (zval *) arg; + long count = 0; if (SG(request_info).post_data == NULL) { return; @@ -262,6 +247,10 @@ if ((val = memchr(s, '=', (p - s)))) { /* have a value */ unsigned int val_len, new_val_len; + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + return; + } var = s; php_url_decode(var, (val - s)); @@ -295,6 +284,7 @@ zval *array_ptr; int free_buffer = 0; char *strtok_buf = NULL; + long count = 0; switch (arg) { case PARSE_POST: @@ -384,6 +374,11 @@ } } + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + break; + } + if (val) { /* have a value */ int val_len; unsigned int new_val_len; Modified: php/php-src/branches/PHP_5_4/main/rfc1867.c =================================================================== --- php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/branches/PHP_5_4/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -691,6 +691,7 @@ php_rfc1867_getword_t getword; php_rfc1867_getword_conf_t getword_conf; php_rfc1867_basename_t _basename; + long count = 0; if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) { getword = php_rfc1867_getword; @@ -861,7 +862,7 @@ } } - if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { + if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { if (php_rfc1867_callback != NULL) { multipart_event_formdata event_formdata; size_t newlength = new_val_len; @@ -879,15 +880,21 @@ new_val_len = newlength; } safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); - } else if (php_rfc1867_callback != NULL) { - multipart_event_formdata event_formdata; + } else { + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; - event_formdata.post_bytes_processed = SG(read_post_bytes); - event_formdata.name = param; - event_formdata.value = &value; - event_formdata.length = value_len; - event_formdata.newlength = NULL; - php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + event_formdata.post_bytes_processed = SG(read_post_bytes); + event_formdata.name = param; + event_formdata.value = &value; + event_formdata.length = value_len; + event_formdata.newlength = NULL; + php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + } } if (!strcasecmp(param, "MAX_FILE_SIZE")) { Modified: php/php-src/trunk/main/php_variables.c =================================================================== --- php/php-src/trunk/main/php_variables.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/trunk/main/php_variables.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -183,18 +183,9 @@ } else { if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - zval_dtor(val); - free_alloca(var_orig, use_heap); - return; - } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } } symtable1 = Z_ARRVAL_PP(gpc_element_p); @@ -231,14 +222,7 @@ zend_symtable_exists(symtable1, index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { - if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { - if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } - zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); - } else { - zval_ptr_dtor(&gpc_element); - } + zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } } } @@ -249,6 +233,7 @@ { char *var, *val, *e, *s, *p; zval *array_ptr = (zval *) arg; + long count = 0; if (SG(request_info).post_data == NULL) { return; @@ -262,6 +247,10 @@ if ((val = memchr(s, '=', (p - s)))) { /* have a value */ unsigned int val_len, new_val_len; + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + return; + } var = s; php_url_decode(var, (val - s)); @@ -295,6 +284,7 @@ zval *array_ptr; int free_buffer = 0; char *strtok_buf = NULL; + long count = 0; switch (arg) { case PARSE_POST: @@ -384,6 +374,11 @@ } } + if (++count > PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + break; + } + if (val) { /* have a value */ int val_len; unsigned int new_val_len; Modified: php/php-src/trunk/main/rfc1867.c =================================================================== --- php/php-src/trunk/main/rfc1867.c 2012-02-14 08:39:15 UTC (rev 323201) +++ php/php-src/trunk/main/rfc1867.c 2012-02-14 08:58:52 UTC (rev 323202) @@ -691,6 +691,7 @@ php_rfc1867_getword_t getword; php_rfc1867_getword_conf_t getword_conf; php_rfc1867_basename_t _basename; + long count = 0; if (php_rfc1867_encoding_translation(TSRMLS_C) && internal_encoding) { getword = php_rfc1867_getword; @@ -861,7 +862,7 @@ } } - if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { + if (++count <= PG(max_input_vars) && sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { if (php_rfc1867_callback != NULL) { multipart_event_formdata event_formdata; size_t newlength = new_val_len; @@ -879,15 +880,21 @@ new_val_len = newlength; } safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); - } else if (php_rfc1867_callback != NULL) { - multipart_event_formdata event_formdata; + } else { + if (count == PG(max_input_vars) + 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + + if (php_rfc1867_callback != NULL) { + multipart_event_formdata event_formdata; - event_formdata.post_bytes_processed = SG(read_post_bytes); - event_formdata.name = param; - event_formdata.value = &value; - event_formdata.length = value_len; - event_formdata.newlength = NULL; - php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + event_formdata.post_bytes_processed = SG(read_post_bytes); + event_formdata.name = param; + event_formdata.value = &value; + event_formdata.length = value_len; + event_formdata.newlength = NULL; + php_rfc1867_callback(MULTIPART_EVENT_FORMDATA, &event_formdata, &event_extra_data TSRMLS_CC); + } } if (!strcasecmp(param, "MAX_FILE_SIZE")) {
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php