[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS main/main.c main/php_globals.h main/php_variables.c
dmitry Thu, 15 Dec 2011 08:47:03 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=321038
Log:
Added max_input_vars directive to prevent attacks based on hash collisions
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/main/main.c
U php/php-src/branches/PHP_5_3/main/php_globals.h
U php/php-src/branches/PHP_5_3/main/php_variables.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2011-12-15 07:28:28 UTC (rev 321037)
+++ php/php-src/branches/PHP_5_3/NEWS 2011-12-15 08:47:03 UTC (rev 321038)
@@ -2,6 +2,10 @@
|||
?? ??? 2011, PHP 5.3.9
+- Core:
+ . Added max_input_vars directive to prevent attacks based on hash collisions
+(Dmitry).
+
- Streams:
. Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected
together
with the last read). (Gustavo)
Modified: php/php-src/branches/PHP_5_3/main/main.c
===
--- php/php-src/branches/PHP_5_3/main/main.c2011-12-15 07:28:28 UTC (rev
321037)
+++ php/php-src/branches/PHP_5_3/main/main.c2011-12-15 08:47:03 UTC (rev
321038)
@@ -512,6 +512,7 @@
STD_PHP_INI_ENTRY(post_max_size, 8M,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong,
post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY(upload_tmp_dir, NULL,
PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY(max_input_nesting_level, 64,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero,
max_input_nesting_level,php_core_globals,
core_globals)
+ STD_PHP_INI_ENTRY(max_input_vars, 1000,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY(user_dir, NULL,
PHP_INI_SYSTEM, OnUpdateString, user_dir,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY(variables_order,EGPCS,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty,
variables_order,php_core_globals, core_globals)
Modified: php/php-src/branches/PHP_5_3/main/php_globals.h
===
--- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 07:28:28 UTC
(rev 321037)
+++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 08:47:03 UTC
(rev 321038)
@@ -174,6 +174,8 @@
#ifdef PHP_WIN32
zend_bool windows_show_crt_warning;
#endif
+
+ long max_input_vars;
};
Modified: php/php-src/branches/PHP_5_3/main/php_variables.c
===
--- php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 07:28:28 UTC
(rev 321037)
+++ php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 08:47:03 UTC
(rev 321038)
@@ -191,6 +191,9 @@
}
if (zend_symtable_find(symtable1,
escaped_index, index_len + 1, (void **) gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) !=
IS_ARRAY) {
+ if (zend_hash_num_elements(symtable1)
= PG(max_input_vars)) {
+ php_error_docref(NULL
TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit change
max_input_vars in php.ini., PG(max_input_vars));
+ }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1,
escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **)
gpc_element_p);
@@ -236,6 +239,9 @@
zend_symtable_exists(symtable1, escaped_index,
index_len + 1)) {
zval_ptr_dtor(gpc_element);
} else {
+ if (zend_hash_num_elements(symtable1) =
PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC,
E_ERROR, Input variables exceeded %ld. To increase the limit change
max_input_vars in php.ini., PG(max_input_vars));
+ }
zend_symtable_update(symtable1, escaped_index,
index_len + 1, gpc_element, sizeof(zval *), (void
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS main/main.c main/php_globals.h main/php_variables.c
hi Dmitry,
As of yesterday, please add it to php.ini and to the UPGRADING guide :)
Thanks!
On Thu, Dec 15, 2011 at 9:47 AM, Dmitry Stogov dmi...@php.net wrote:
dmitry Thu, 15 Dec 2011 08:47:03 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=321038
Log:
Added max_input_vars directive to prevent attacks based on hash collisions
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/main/main.c
U php/php-src/branches/PHP_5_3/main/php_globals.h
U php/php-src/branches/PHP_5_3/main/php_variables.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2011-12-15 07:28:28 UTC (rev 321037)
+++ php/php-src/branches/PHP_5_3/NEWS 2011-12-15 08:47:03 UTC (rev 321038)
@@ -2,6 +2,10 @@
|||
?? ??? 2011, PHP 5.3.9
+- Core:
+ . Added max_input_vars directive to prevent attacks based on hash
collisions
+ (Dmitry).
+
- Streams:
. Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected
together
with the last read). (Gustavo)
Modified: php/php-src/branches/PHP_5_3/main/main.c
===
--- php/php-src/branches/PHP_5_3/main/main.c 2011-12-15 07:28:28 UTC (rev
321037)
+++ php/php-src/branches/PHP_5_3/main/main.c 2011-12-15 08:47:03 UTC (rev
321038)
@@ -512,6 +512,7 @@
STD_PHP_INI_ENTRY(post_max_size, 8M,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong,
post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY(upload_tmp_dir, NULL,
PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY(max_input_nesting_level, 64,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero,
max_input_nesting_level, php_core_globals,
core_globals)
+ STD_PHP_INI_ENTRY(max_input_vars, 1000,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero,
max_input_vars, php_core_globals,
core_globals)
STD_PHP_INI_ENTRY(user_dir, NULL,
PHP_INI_SYSTEM, OnUpdateString, user_dir,
php_core_globals, core_globals)
STD_PHP_INI_ENTRY(variables_order, EGPCS,
PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty,
variables_order, php_core_globals, core_globals)
Modified: php/php-src/branches/PHP_5_3/main/php_globals.h
===
--- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 07:28:28
UTC (rev 321037)
+++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 08:47:03
UTC (rev 321038)
@@ -174,6 +174,8 @@
#ifdef PHP_WIN32
zend_bool windows_show_crt_warning;
#endif
+
+ long max_input_vars;
};
Modified: php/php-src/branches/PHP_5_3/main/php_variables.c
===
--- php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 07:28:28
UTC (rev 321037)
+++ php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 08:47:03
UTC (rev 321038)
@@ -191,6 +191,9 @@
}
if (zend_symtable_find(symtable1,
escaped_index, index_len + 1, (void **) gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) !=
IS_ARRAY) {
+ if (zend_hash_num_elements(symtable1)
= PG(max_input_vars)) {
+ php_error_docref(NULL
TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit
change max_input_vars in php.ini., PG(max_input_vars));
+ }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1,
escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **)
gpc_element_p);
@@ -236,6 +239,9 @@
zend_symtable_exists(symtable1, escaped_index,
index_len + 1)) {
zval_ptr_dtor(gpc_element);
} else {
+ if (zend_hash_num_elements(symtable1) =
PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC,
E_ERROR, Input variables exceeded %ld.
