1
Origin: http://svn.php.net/viewvc?view=revision&revision=321038
2
and http://svn.php.net/viewvc?view=revision&revision=321040
3
and http://svn.php.net/viewvc?view=revision&revision=321335
4
Subject: Added max_input_vars directive to prevent attacks based on
7
Fixes CVE-2011-4885; note that this introduces CVE-2012-0830
9
Ubuntu Note: this patch differs upstream in that we drop the changes to
10
the default php.ini configuration files, to eliminate prompting of the
11
admin when upgrading the package.
15
main/php_globals.h | 2 ++
16
main/php_variables.c | 20 ++++++++++++++++----
17
3 files changed, 19 insertions(+), 4 deletions(-)
19
Index: b/main/php_globals.h
20
===================================================================
21
--- a/main/php_globals.h
22
+++ b/main/php_globals.h
23
@@ -170,6 +170,8 @@ struct _php_core_globals {
26
zend_bool in_error_log;
28
+ long max_input_vars;
32
Index: b/main/php_variables.c
33
===================================================================
34
--- a/main/php_variables.c
35
+++ b/main/php_variables.c
36
@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha
38
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
39
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
40
- MAKE_STD_ZVAL(gpc_element);
41
- array_init(gpc_element);
42
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
43
+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
44
+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
45
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
47
+ MAKE_STD_ZVAL(gpc_element);
48
+ array_init(gpc_element);
49
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
52
if (index != escaped_index) {
54
@@ -236,7 +241,14 @@ plain_var:
55
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
56
zval_ptr_dtor(&gpc_element);
58
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
59
+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
60
+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
61
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
63
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
65
+ zval_ptr_dtor(&gpc_element);
68
if (escaped_index != index) {
71
===================================================================
74
@@ -503,6 +503,7 @@ PHP_INI_BEGIN()
75
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
76
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
77
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
78
+ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
80
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
81
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)