dmitry Thu, 15 Dec 2011 10:31:02 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=321040
Log: Added max_input_vars directive to prevent attacks based on hash collisions
Changed paths:
U php/php-src/branches/PHP_5_3/UPGRADING
U php/php-src/branches/PHP_5_3/php.ini-development
U php/php-src/branches/PHP_5_3/php.ini-production
U php/php-src/branches/PHP_5_4/UPGRADING
U php/php-src/branches/PHP_5_4/php.ini-development
U php/php-src/branches/PHP_5_4/php.ini-production
U php/php-src/trunk/UPGRADING
U php/php-src/trunk/php.ini-development
U php/php-src/trunk/php.ini-production
Modified: php/php-src/branches/PHP_5_3/UPGRADING
===================================================================
--- php/php-src/branches/PHP_5_3/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_3/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040)
@@ -163,6 +163,11 @@
 xsl.security_prefs. This option will be marked as deprecated in 5.4 again. Use the method XsltProcess::setSecurityPrefs($options) there.
+- the following new directives were added
+
+ - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+ accepted. default value 1000.
+
 =============
 5. Deprecated
 =============
Modified: php/php-src/branches/PHP_5_3/php.ini-development
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-development 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_3/php.ini-development 2011-12-15 10:31:02 UTC (rev 321040)
@@ -457,6 +457,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Modified: php/php-src/branches/PHP_5_3/php.ini-production
===================================================================
--- php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 10:31:02 UTC (rev 321040)
@@ -457,6 +457,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Modified: php/php-src/branches/PHP_5_4/UPGRADING
===================================================================
--- php/php-src/branches/PHP_5_4/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_4/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040)
@@ -75,7 +75,11 @@
 - safe_mode_protected_env_vars
 - zend.ze1_compatibility_mode
+- the following new directives were added
+ - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+ accepted. default value 1000.
+
 =============================
 2. Reserved words and classes
 =============================
Modified: php/php-src/branches/PHP_5_4/php.ini-development
===================================================================
--- php/php-src/branches/PHP_5_4/php.ini-development 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_4/php.ini-development 2011-12-15 10:31:02 UTC (rev 321040)
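Review bot: The new `; max_input_vars = 1000` entry in the PHP_5_3 php.ini-development hunk is documented more thinly and formatted differently from its neighbours, which carry a `; http://php.net/...` reference line and are commented out with no space after the semicolon (`;max_input_nesting_level = 64`). The comment also does not say why the limit exists or what happens to a request that exceeds it, which is what an operator needs before raising the value; the reason (hash-collision attacks) appears only in the commit log. I would write the entry as `; How many GET/POST/COOKIE input variables may be accepted; limits hash-collision denial of service` followed by `;max_input_vars = 1000`, and add one line stating the over-limit behaviour once it is confirmed against the implementation, which is not part of this revision's diff. The same applies to the php.ini-production hunk on PHP_5_3 and to both templates on PHP_5_4 and trunk.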
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Modified: php/php-src/branches/PHP_5_4/php.ini-production
===================================================================
--- php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 10:31:02 UTC (rev 321040)
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Modified: php/php-src/trunk/UPGRADING
===================================================================
--- php/php-src/trunk/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/trunk/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040)
@@ -82,6 +82,11 @@
 - safe_mode_protected_env_vars
 - zend.ze1_compatibility_mode
+- the following new directives were added
+
+ - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+ accepted. default value 1000.
+
 =============================
 2. Reserved words and classes
 =============================
Modified: php/php-src/trunk/php.ini-development
===================================================================
--- php/php-src/trunk/php.ini-development 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/trunk/php.ini-development 2011-12-15 10:31:02 UTC (rev 321040)
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Modified: php/php-src/trunk/php.ini-production
===================================================================
--- php/php-src/trunk/php.ini-production 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/trunk/php.ini-production 2011-12-15 10:31:02 UTC (rev 321040)
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M