Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h
Dmitry, Please update php.ini-*. Thanks, Chris On 12/14/2011 12:56 AM, Dmitry Stogov wrote: dmitry Wed, 14 Dec 2011 08:56:35 + Revision: http://svn.php.net/viewvc?view=revision&revision=321003 Log: Added max_input_vars directive to prevent attacks based on hash collisions Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/main/main.c U php/php-src/branches/PHP_5_4/main/php_globals.h U php/php-src/branches/PHP_5_4/main/php_variables.c U php/php-src/trunk/main/main.c U php/php-src/trunk/main/php_globals.h U php/php-src/trunk/main/php_variables.c Modified: php/php-src/branches/PHP_5_4/NEWS === --- php/php-src/branches/PHP_5_4/NEWS 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/NEWS 2011-12-14 08:56:35 UTC (rev 321003) @@ -1,6 +1,9 @@ PHP NEWS ||| ?? Dec 2011, PHP 5.4.0 RC4 +- Core: + . Added max_input_vars directive to prevent attacks based on hash collisions +(Dmitry). - CLI SAPI: . Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404). (Laruence) @@ -9,6 +12,8 @@ 08 Dec 2011, PHP 5.4.0 RC3 - Core: + . Fixed bug #60444 (Segmentation fault with include& class extending). +(Laruence, Dmitry). . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e). (php at mickweiss dot com) . Fixed bug #60240 (invalid read/writes when unserializing specially crafted Modified: php/php-src/branches/PHP_5_4/main/main.c === --- php/php-src/branches/PHP_5_4/main/main.c2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/main.c2011-12-14 08:56:35 UTC (rev 321003) @@ -531,6 +531,7 @@ STD_PHP_INI_ENTRY("post_max_size","8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Modified: php/php-src/branches/PHP_5_4/main/php_globals.h === --- php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 08:56:35 UTC (rev 321003) @@ -146,6 +146,7 @@ zend_bool com_initialized; #endif long max_input_nesting_level; + long max_input_vars; zend_bool in_user_include; char *user_ini_filename; Modified: php/php-src/branches/PHP_5_4/main/php_variables.c === --- php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 08:56:35 UTC (rev 321003) @@ -179,6 +179,9 @@ escaped_index = index; if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **)&gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1)>= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); z
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h
hi Dmitry, Please add a note to the UPGRADING guide as well. Thanks, On Wed, Dec 14, 2011 at 9:56 AM, Dmitry Stogov wrote: > dmitry Wed, 14 Dec 2011 08:56:35 + > > Revision: http://svn.php.net/viewvc?view=revision&revision=321003 > > Log: > Added max_input_vars directive to prevent attacks based on hash collisions > > Changed paths: > U php/php-src/branches/PHP_5_4/NEWS > U php/php-src/branches/PHP_5_4/main/main.c > U php/php-src/branches/PHP_5_4/main/php_globals.h > U php/php-src/branches/PHP_5_4/main/php_variables.c > U php/php-src/trunk/main/main.c > U php/php-src/trunk/main/php_globals.h > U php/php-src/trunk/main/php_variables.c > > Modified: php/php-src/branches/PHP_5_4/NEWS > === > --- php/php-src/branches/PHP_5_4/NEWS 2011-12-14 04:02:56 UTC (rev 321002) > +++ php/php-src/branches/PHP_5_4/NEWS 2011-12-14 08:56:35 UTC (rev 321003) > @@ -1,6 +1,9 @@ > PHP > NEWS > ||| > ?? Dec 2011, PHP 5.4.0 RC4 > +- Core: > + . Added max_input_vars directive to prevent attacks based on hash > collisions > + (Dmitry). > - CLI SAPI: > . Fixed bug #60477 (Segfault after two multipart/form-data POST requests, > one 200 RQ and one 404). (Laruence) > @@ -9,6 +12,8 @@ > > 08 Dec 2011, PHP 5.4.0 RC3 > - Core: > + . Fixed bug #60444 (Segmentation fault with include & class extending). > + (Laruence, Dmitry). > . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e). > (php at mickweiss dot com) > . Fixed bug #60240 (invalid read/writes when unserializing specially crafted > > Modified: php/php-src/branches/PHP_5_4/main/main.c > === > --- php/php-src/branches/PHP_5_4/main/main.c 2011-12-14 04:02:56 UTC (rev > 321002) > +++ php/php-src/branches/PHP_5_4/main/main.c 2011-12-14 08:56:35 UTC (rev > 321003) > @@ -531,6 +531,7 @@ > STD_PHP_INI_ENTRY("post_max_size", "8M", > PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, > post_max_size, sapi_globals_struct,sapi_globals) > STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, > PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, > php_core_globals, core_globals) > STD_PHP_INI_ENTRY("max_input_nesting_level", "64", > PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, > max_input_nesting_level, php_core_globals, > core_globals) > + STD_PHP_INI_ENTRY("max_input_vars", "1000", > PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, > max_input_vars, php_core_globals, > core_globals) > > STD_PHP_INI_ENTRY("user_dir", NULL, > PHP_INI_SYSTEM, OnUpdateString, user_dir, > php_core_globals, core_globals) > STD_PHP_INI_ENTRY("variables_order", "EGPCS", > PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, > variables_order, php_core_globals, core_globals) > > Modified: php/php-src/branches/PHP_5_4/main/php_globals.h > === > --- php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 04:02:56 > UTC (rev 321002) > +++ php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 08:56:35 > UTC (rev 321003) > @@ -146,6 +146,7 @@ > zend_bool com_initialized; > #endif > long max_input_nesting_level; > + long max_input_vars; > zend_bool in_user_include; > > char *user_ini_filename; > > Modified: php/php-src/branches/PHP_5_4/main/php_variables.c > === > --- php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 04:02:56 > UTC (rev 321002) > +++ php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 08:56:35 > UTC (rev 321003) > @@ -179,6 +179,9 @@ > escaped_index = index; > if (zend_symtable_find(symtable1, > escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE > || Z_TYPE_PP(gpc_element_p) != > IS_ARRAY) { > + if (zend_hash_num_elements(symtable1) > >= PG(max_input_vars)) { > + php_error_docref(NULL > TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit > change max_input_vars in php.ini.", PG(max_input_vars)); > +
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h tru
dmitry Wed, 14 Dec 2011 08:56:35 + Revision: http://svn.php.net/viewvc?view=revision&revision=321003 Log: Added max_input_vars directive to prevent attacks based on hash collisions Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/main/main.c U php/php-src/branches/PHP_5_4/main/php_globals.h U php/php-src/branches/PHP_5_4/main/php_variables.c U php/php-src/trunk/main/main.c U php/php-src/trunk/main/php_globals.h U php/php-src/trunk/main/php_variables.c Modified: php/php-src/branches/PHP_5_4/NEWS === --- php/php-src/branches/PHP_5_4/NEWS 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/NEWS 2011-12-14 08:56:35 UTC (rev 321003) @@ -1,6 +1,9 @@ PHPNEWS ||| ?? Dec 2011, PHP 5.4.0 RC4 +- Core: + . Added max_input_vars directive to prevent attacks based on hash collisions +(Dmitry). - CLI SAPI: . Fixed bug #60477 (Segfault after two multipart/form-data POST requests, one 200 RQ and one 404). (Laruence) @@ -9,6 +12,8 @@ 08 Dec 2011, PHP 5.4.0 RC3 - Core: + . Fixed bug #60444 (Segmentation fault with include & class extending). +(Laruence, Dmitry). . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e). (php at mickweiss dot com) . Fixed bug #60240 (invalid read/writes when unserializing specially crafted Modified: php/php-src/branches/PHP_5_4/main/main.c === --- php/php-src/branches/PHP_5_4/main/main.c2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/main.c2011-12-14 08:56:35 UTC (rev 321003) @@ -531,6 +531,7 @@ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level,php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order","EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order,php_core_globals, core_globals) Modified: php/php-src/branches/PHP_5_4/main/php_globals.h === --- php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 08:56:35 UTC (rev 321003) @@ -146,6 +146,7 @@ zend_bool com_initialized; #endif long max_input_nesting_level; + long max_input_vars; zend_bool in_user_include; char *user_ini_filename; Modified: php/php-src/branches/PHP_5_4/main/php_variables.c === --- php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 04:02:56 UTC (rev 321002) +++ php/php-src/branches/PHP_5_4/main/php_variables.c 2011-12-14 08:56:35 UTC (rev 321003) @@ -179,6 +179,9 @@ escaped_index = index; if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &g