File php-5.3.5-CVE-2011-4885.patch of Package php5

http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
http://svn.php.net/viewvc?view=revision&revision=321335
Index: php.ini-development
===================================================================
--- php.ini-development.orig
+++ php.ini-development
@@ -453,6 +453,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Index: php.ini-production
===================================================================
--- php.ini-production.orig
+++ php.ini-production
@@ -453,6 +453,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
Index: main/main.c
===================================================================
--- main/main.c.orig
+++ main/main.c
@@ -512,6 +512,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
+	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
Index: main/php_globals.h
===================================================================
--- main/php_globals.h.orig
+++ main/php_globals.h
@@ -170,6 +170,8 @@ struct _php_core_globals {
 	char *mail_log;
 
 	zend_bool in_error_log;
+
+	long max_input_vars;
 };
 
 
Index: main/php_variables.c
===================================================================
--- main/php_variables.c.orig
+++ main/php_variables.c
@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
-					MAKE_STD_ZVAL(gpc_element);
-					array_init(gpc_element);
-					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+						if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+						}
+						MAKE_STD_ZVAL(gpc_element);
+						array_init(gpc_element);
+						zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					}
 				}
 				if (index != escaped_index) {
 					efree(escaped_index);
@@ -236,7 +241,14 @@ plain_var:
 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 				zval_ptr_dtor(&gpc_element);
 			} else {
-				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+					if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					}
+					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				} else {
+					zval_ptr_dtor(&gpc_element);
+				}
 			}
 			if (escaped_index != index) {
 				efree(escaped_index);
openSUSE Build Service is sponsored by