File php-5.3.5-CVE-2011-4885.patch of Package php5
http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
http://svn.php.net/viewvc?view=revision&revision=321335
Index: php.ini-development
===================================================================
--- php.ini-development.orig
+++ php.ini-development
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: php.ini-production
===================================================================
--- php.ini-production.orig
+++ php.ini-production
@@ -453,6 +453,9 @@ max_input_time = 60
; http://php.net/max-input-nesting-level
;max_input_nesting_level = 64
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 128M
Index: main/main.c
===================================================================
--- main/main.c.orig
+++ main/main.c
@@ -512,6 +512,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
Index: main/php_globals.h
===================================================================
--- main/php_globals.h.orig
+++ main/php_globals.h
@@ -170,6 +170,8 @@ struct _php_core_globals {
char *mail_log;
zend_bool in_error_log;
+
+ long max_input_vars;
};
Index: main/php_variables.c
===================================================================
--- main/php_variables.c.orig
+++ main/php_variables.c
@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha
}
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
- MAKE_STD_ZVAL(gpc_element);
- array_init(gpc_element);
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
}
if (index != escaped_index) {
efree(escaped_index);
@@ -236,7 +241,14 @@ plain_var:
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ } else {
+ zval_ptr_dtor(&gpc_element);
+ }
}
if (escaped_index != index) {
efree(escaped_index);