Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h

2011-12-14 Thread Christopher Jones


Dmitry,

Please update php.ini-*.

Thanks,

Chris

On 12/14/2011 12:56 AM, Dmitry Stogov wrote:

dmitry   Wed, 14 Dec 2011 08:56:35 +

Revision: http://svn.php.net/viewvc?view=revision&revision=321003

Log:
Added max_input_vars directive to prevent attacks based on hash collisions

Changed paths:
 U   php/php-src/branches/PHP_5_4/NEWS
 U   php/php-src/branches/PHP_5_4/main/main.c
 U   php/php-src/branches/PHP_5_4/main/php_globals.h
 U   php/php-src/branches/PHP_5_4/main/php_variables.c
 U   php/php-src/trunk/main/main.c
 U   php/php-src/trunk/main/php_globals.h
 U   php/php-src/trunk/main/php_variables.c

Modified: php/php-src/branches/PHP_5_4/NEWS
===
--- php/php-src/branches/PHP_5_4/NEWS   2011-12-14 04:02:56 UTC (rev 321002)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-12-14 08:56:35 UTC (rev 321003)
@@ -1,6 +1,9 @@
  PHP
NEWS
  
|||
  ?? Dec 2011, PHP 5.4.0 RC4
+- Core:
+  . Added max_input_vars directive to prevent attacks based on hash collisions
+(Dmitry).
  - CLI SAPI:
. Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
  one 200 RQ and one 404). (Laruence)
@@ -9,6 +12,8 @@

  08 Dec 2011, PHP 5.4.0 RC3
  - Core:
+  . Fixed bug #60444 (Segmentation fault with include&  class extending).
+(Laruence, Dmitry).
. Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
  (php at mickweiss dot com)
. Fixed bug #60240 (invalid read/writes when unserializing specially crafted

Modified: php/php-src/branches/PHP_5_4/main/main.c
===
--- php/php-src/branches/PHP_5_4/main/main.c2011-12-14 04:02:56 UTC (rev 
321002)
+++ php/php-src/branches/PHP_5_4/main/main.c2011-12-14 08:56:35 UTC (rev 
321003)
@@ -531,6 +531,7 @@
STD_PHP_INI_ENTRY("post_max_size","8M", 
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLong,   post_max_size,  
sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir",   NULL,   
PHP_INI_SYSTEM, OnUpdateStringUnempty,  upload_tmp_dir, 
php_core_globals,   core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64",  
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLongGEZero, max_input_nesting_level,
php_core_globals,   core_globals)
+   STD_PHP_INI_ENTRY("max_input_vars",   "1000",   
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLongGEZero, max_input_vars, 
php_core_globals,   core_globals)

STD_PHP_INI_ENTRY("user_dir", NULL,   
PHP_INI_SYSTEM, OnUpdateString, user_dir, 
  php_core_globals,   core_globals)
STD_PHP_INI_ENTRY("variables_order",  "EGPCS",  
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateStringUnempty,  variables_order,
php_core_globals,   core_globals)
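Review bot: `OnUpdateLongGEZero` lets `max_input_vars` be set to 0, and the guard this commit adds in php_variables.c compares with `>=`, so 0 would make that guard fire for every array-style input variable instead of meaning "no limit". Either reject 0 in the update handler or state next to the entry what 0 means, for example `/* 0 rejects all array input; it does not disable the limit */`. The entry is also registered as `PHP_INI_SYSTEM|PHP_INI_PERDIR`, so where per-directory overrides are permitted a site can raise the value, and the hash-collision protection then depends on how those overrides are controlled. The same hunk is repeated in the two later messages on this page.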

Modified: php/php-src/branches/PHP_5_4/main/php_globals.h
===
--- php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 04:02:56 UTC 
(rev 321002)
+++ php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 08:56:35 UTC 
(rev 321003)
@@ -146,6 +146,7 @@
zend_bool com_initialized;
  #endif
long max_input_nesting_level;
+   long max_input_vars;
zend_bool in_user_include;

char *user_ini_filename;

Modified: php/php-src/branches/PHP_5_4/main/php_variables.c
===
--- php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 04:02:56 UTC 
(rev 321002)
+++ php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 08:56:35 UTC 
(rev 321003)
@@ -179,6 +179,9 @@
escaped_index = index;
if (zend_symtable_find(symtable1, escaped_index, 
index_len + 1, (void **)&gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != 
IS_ARRAY) {
+   if (zend_hash_num_elements(symtable1)>= 
PG(max_input_vars)) {
+   php_error_docref(NULL TSRMLS_CC, E_ERROR, 
"Input variables exceeded %ld. To increase the limit change max_input_vars in 
php.ini.", PG(max_input_vars));
+   }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
z
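Review bot: The new guard tests `zend_hash_num_elements(symtable1)`, the size of the one table being filled at this nesting level, so the limit appears to apply per array and not to the total number of variables in the request. That still bounds the collision chain in any single table, but the directive name and the message "Input variables exceeded %ld" read as a request-wide cap, and a comment such as `/* limit applies to each symbol table, not to the request as a whole */` would make the intent explicit. The guard is also reached when the key already exists with a non-array value (`Z_TYPE_PP(gpc_element_p) != IS_ARRAY`), where the entry is replaced and the table does not grow, so a table holding exactly the limit is rejected needlessly. Only the array-index branch is visible here; the hunk is truncated and the enclosing function continues outside it, so whether the plain-variable path carries the same check should be confirmed. The same points apply to the copies of this hunk in the two later messages.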

Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h

2011-12-14 Thread Pierre Joye
hi Dmitry,

Please add a note to the UPGRADING guide as well.

Thanks,

On Wed, Dec 14, 2011 at 9:56 AM, Dmitry Stogov  wrote:
> dmitry                                   Wed, 14 Dec 2011 08:56:35 +
>
> Revision: http://svn.php.net/viewvc?view=revision&revision=321003
>
> Log:
> Added max_input_vars directive to prevent attacks based on hash collisions
>
> Changed paths:
>    U   php/php-src/branches/PHP_5_4/NEWS
>    U   php/php-src/branches/PHP_5_4/main/main.c
>    U   php/php-src/branches/PHP_5_4/main/php_globals.h
>    U   php/php-src/branches/PHP_5_4/main/php_variables.c
>    U   php/php-src/trunk/main/main.c
>    U   php/php-src/trunk/main/php_globals.h
>    U   php/php-src/trunk/main/php_variables.c
>
> Modified: php/php-src/branches/PHP_5_4/NEWS
> ===
> --- php/php-src/branches/PHP_5_4/NEWS   2011-12-14 04:02:56 UTC (rev 321002)
> +++ php/php-src/branches/PHP_5_4/NEWS   2011-12-14 08:56:35 UTC (rev 321003)
> @@ -1,6 +1,9 @@
>  PHP                                                                        
> NEWS
>  |||
>  ?? Dec 2011, PHP 5.4.0 RC4
> +- Core:
> +  . Added max_input_vars directive to prevent attacks based on hash 
> collisions
> +    (Dmitry).
>  - CLI SAPI:
>   . Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
>     one 200 RQ and one 404). (Laruence)
> @@ -9,6 +12,8 @@
>
>  08 Dec 2011, PHP 5.4.0 RC3
>  - Core:
> +  . Fixed bug #60444 (Segmentation fault with include & class extending).
> +    (Laruence, Dmitry).
>   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
>     (php at mickweiss dot com)
>   . Fixed bug #60240 (invalid read/writes when unserializing specially crafted
>
> Modified: php/php-src/branches/PHP_5_4/main/main.c
> ===
> --- php/php-src/branches/PHP_5_4/main/main.c    2011-12-14 04:02:56 UTC (rev 
> 321002)
> +++ php/php-src/branches/PHP_5_4/main/main.c    2011-12-14 08:56:35 UTC (rev 
> 321003)
> @@ -531,6 +531,7 @@
>        STD_PHP_INI_ENTRY("post_max_size",                      "8M",          
>  PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLong,                   
> post_max_size,                  sapi_globals_struct,sapi_globals)
>        STD_PHP_INI_ENTRY("upload_tmp_dir",                     NULL,          
>  PHP_INI_SYSTEM,         OnUpdateStringUnempty,  upload_tmp_dir,              
>    php_core_globals,       core_globals)
>        STD_PHP_INI_ENTRY("max_input_nesting_level", "64",              
> PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     
> max_input_nesting_level,                        php_core_globals,       
> core_globals)
> +       STD_PHP_INI_ENTRY("max_input_vars",                     "1000",       
>   PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateLongGEZero,     
> max_input_vars,                                         php_core_globals,     
>   core_globals)
>
>        STD_PHP_INI_ENTRY("user_dir",                           NULL,          
>  PHP_INI_SYSTEM,         OnUpdateString,                 user_dir,            
>                    php_core_globals,       core_globals)
>        STD_PHP_INI_ENTRY("variables_order",            "EGPCS",        
> PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateStringUnempty,  
> variables_order,                php_core_globals,       core_globals)
>
> Modified: php/php-src/branches/PHP_5_4/main/php_globals.h
> ===
> --- php/php-src/branches/PHP_5_4/main/php_globals.h     2011-12-14 04:02:56 
> UTC (rev 321002)
> +++ php/php-src/branches/PHP_5_4/main/php_globals.h     2011-12-14 08:56:35 
> UTC (rev 321003)
> @@ -146,6 +146,7 @@
>        zend_bool com_initialized;
>  #endif
>        long max_input_nesting_level;
> +       long max_input_vars;
>        zend_bool in_user_include;
>
>        char *user_ini_filename;
>
> Modified: php/php-src/branches/PHP_5_4/main/php_variables.c
> ===
> --- php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 04:02:56 
> UTC (rev 321002)
> +++ php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 08:56:35 
> UTC (rev 321003)
> @@ -179,6 +179,9 @@
>                                escaped_index = index;
>                                if (zend_symtable_find(symtable1, 
> escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
>                                        || Z_TYPE_PP(gpc_element_p) != 
> IS_ARRAY) {
> +                                       if (zend_hash_num_elements(symtable1) 
> >= PG(max_input_vars)) {
> +                                               php_error_docref(NULL 
> TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit 
> change max_input_vars in php.ini.", PG(max_input_vars));
> +                

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_4/NEWS branches/PHP_5_4/main/main.c branches/PHP_5_4/main/php_globals.h branches/PHP_5_4/main/php_variables.c trunk/main/main.c trunk/main/php_globals.h tru

2011-12-14 Thread Dmitry Stogov
dmitry   Wed, 14 Dec 2011 08:56:35 +

Revision: http://svn.php.net/viewvc?view=revision&revision=321003

Log:
Added max_input_vars directive to prevent attacks based on hash collisions

Changed paths:
U   php/php-src/branches/PHP_5_4/NEWS
U   php/php-src/branches/PHP_5_4/main/main.c
U   php/php-src/branches/PHP_5_4/main/php_globals.h
U   php/php-src/branches/PHP_5_4/main/php_variables.c
U   php/php-src/trunk/main/main.c
U   php/php-src/trunk/main/php_globals.h
U   php/php-src/trunk/main/php_variables.c

Modified: php/php-src/branches/PHP_5_4/NEWS
===
--- php/php-src/branches/PHP_5_4/NEWS   2011-12-14 04:02:56 UTC (rev 321002)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-12-14 08:56:35 UTC (rev 321003)
@@ -1,6 +1,9 @@
 PHPNEWS
 |||
 ?? Dec 2011, PHP 5.4.0 RC4
+- Core:
+  . Added max_input_vars directive to prevent attacks based on hash collisions
+(Dmitry).
 - CLI SAPI:
   . Fixed bug #60477 (Segfault after two multipart/form-data POST requests,
 one 200 RQ and one 404). (Laruence)
@@ -9,6 +12,8 @@

 08 Dec 2011, PHP 5.4.0 RC3
 - Core:
+  . Fixed bug #60444 (Segmentation fault with include & class extending).
+(Laruence, Dmitry).
   . Fixed bug #60350 (No string escape code for ESC (ascii 27), normally \e).
 (php at mickweiss dot com)
   . Fixed bug #60240 (invalid read/writes when unserializing specially crafted

Modified: php/php-src/branches/PHP_5_4/main/main.c
===
--- php/php-src/branches/PHP_5_4/main/main.c2011-12-14 04:02:56 UTC (rev 
321002)
+++ php/php-src/branches/PHP_5_4/main/main.c2011-12-14 08:56:35 UTC (rev 
321003)
@@ -531,6 +531,7 @@
STD_PHP_INI_ENTRY("post_max_size",  "8M",   
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLong,   
post_max_size,  sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL,   
PHP_INI_SYSTEM, OnUpdateStringUnempty,  upload_tmp_dir, 
php_core_globals,   core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64",  
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLongGEZero, 
max_input_nesting_level,php_core_globals,   
core_globals)
+   STD_PHP_INI_ENTRY("max_input_vars", "1000", 
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateLongGEZero, max_input_vars, 
php_core_globals,   core_globals)

STD_PHP_INI_ENTRY("user_dir",   NULL,   
PHP_INI_SYSTEM, OnUpdateString, user_dir,   
php_core_globals,   core_globals)
STD_PHP_INI_ENTRY("variables_order","EGPCS",
PHP_INI_SYSTEM|PHP_INI_PERDIR,  OnUpdateStringUnempty,  
variables_order,php_core_globals,   core_globals)

Modified: php/php-src/branches/PHP_5_4/main/php_globals.h
===
--- php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 04:02:56 UTC 
(rev 321002)
+++ php/php-src/branches/PHP_5_4/main/php_globals.h 2011-12-14 08:56:35 UTC 
(rev 321003)
@@ -146,6 +146,7 @@
zend_bool com_initialized;
 #endif
long max_input_nesting_level;
+   long max_input_vars;
zend_bool in_user_include;

char *user_ini_filename;

Modified: php/php-src/branches/PHP_5_4/main/php_variables.c
===
--- php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 04:02:56 UTC 
(rev 321002)
+++ php/php-src/branches/PHP_5_4/main/php_variables.c   2011-12-14 08:56:35 UTC 
(rev 321003)
@@ -179,6 +179,9 @@
escaped_index = index;
if (zend_symtable_find(symtable1, 
escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != 
IS_ARRAY) {
+   if (zend_hash_num_elements(symtable1) 
>= PG(max_input_vars)) {
+   php_error_docref(NULL 
TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change 
max_input_vars in php.ini.", PG(max_input_vars));
+   }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1, 
escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) 
&g