[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS main/main.c main/php_globals.h main/php_variables.c
dmitry Thu, 15 Dec 2011 08:47:03 + Revision: http://svn.php.net/viewvc?view=revisionrevision=321038 Log: Added max_input_vars directive to prevent attacks based on hash collisions Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/main/main.c U php/php-src/branches/PHP_5_3/main/php_globals.h U php/php-src/branches/PHP_5_3/main/php_variables.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/NEWS 2011-12-15 08:47:03 UTC (rev 321038) @@ -2,6 +2,10 @@ ||| ?? ??? 2011, PHP 5.3.9 +- Core: + . Added max_input_vars directive to prevent attacks based on hash collisions +(Dmitry). + - Streams: . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo) Modified: php/php-src/branches/PHP_5_3/main/main.c === --- php/php-src/branches/PHP_5_3/main/main.c2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/main.c2011-12-15 08:47:03 UTC (rev 321038) @@ -512,6 +512,7 @@ STD_PHP_INI_ENTRY(post_max_size, 8M, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY(upload_tmp_dir, NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY(max_input_nesting_level, 64, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level,php_core_globals, core_globals) + STD_PHP_INI_ENTRY(max_input_vars, 1000, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY(user_dir, NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY(variables_order,EGPCS, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order,php_core_globals, core_globals) Modified: php/php-src/branches/PHP_5_3/main/php_globals.h === --- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 08:47:03 UTC (rev 321038) @@ -174,6 +174,8 @@ #ifdef PHP_WIN32 zend_bool windows_show_crt_warning; #endif + + long max_input_vars; }; Modified: php/php-src/branches/PHP_5_3/main/php_variables.c === --- php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 08:47:03 UTC (rev 321038) @@ -191,6 +191,9 @@ } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); @@ -236,6 +239,9 @@ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(gpc_element); } else { + if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); + } zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS main/main.c main/php_globals.h main/php_variables.c
hi Dmitry, As of yesterday, please add it to php.ini and to the UPGRADING guide :) Thanks! On Thu, Dec 15, 2011 at 9:47 AM, Dmitry Stogov dmi...@php.net wrote: dmitry Thu, 15 Dec 2011 08:47:03 + Revision: http://svn.php.net/viewvc?view=revisionrevision=321038 Log: Added max_input_vars directive to prevent attacks based on hash collisions Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/main/main.c U php/php-src/branches/PHP_5_3/main/php_globals.h U php/php-src/branches/PHP_5_3/main/php_variables.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/NEWS 2011-12-15 08:47:03 UTC (rev 321038) @@ -2,6 +2,10 @@ ||| ?? ??? 2011, PHP 5.3.9 +- Core: + . Added max_input_vars directive to prevent attacks based on hash collisions + (Dmitry). + - Streams: . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together with the last read). (Gustavo) Modified: php/php-src/branches/PHP_5_3/main/main.c === --- php/php-src/branches/PHP_5_3/main/main.c 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/main.c 2011-12-15 08:47:03 UTC (rev 321038) @@ -512,6 +512,7 @@ STD_PHP_INI_ENTRY(post_max_size, 8M, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY(upload_tmp_dir, NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY(max_input_nesting_level, 64, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY(max_input_vars, 1000, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY(user_dir, NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY(variables_order, EGPCS, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Modified: php/php-src/branches/PHP_5_3/main/php_globals.h === --- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-12-15 08:47:03 UTC (rev 321038) @@ -174,6 +174,8 @@ #ifdef PHP_WIN32 zend_bool windows_show_crt_warning; #endif + + long max_input_vars; }; Modified: php/php-src/branches/PHP_5_3/main/php_variables.c === --- php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 07:28:28 UTC (rev 321037) +++ php/php-src/branches/PHP_5_3/main/php_variables.c 2011-12-15 08:47:03 UTC (rev 321038) @@ -191,6 +191,9 @@ } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); @@ -236,6 +239,9 @@ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(gpc_element); } else { + if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld.