diff options
| author | Dmitry Stogov <dmitry@php.net> | 2011-12-14 08:56:35 +0000 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@php.net> | 2011-12-14 08:56:35 +0000 |
| commit | 4ffedc700dffa57b72ffda663f2a015e0f658451 (patch) | |
| tree | 970593a03ce7d3f20d270e8986d170d022b9f565 | |
| parent | 4b14c11dcd4d27519b9c03d7acf638f9bface169 (diff) | |
| download | php-git-4ffedc700dffa57b72ffda663f2a015e0f658451.tar.gz | |
Added max_input_vars directive to prevent attacks based on hash collisions
| -rw-r--r-- | main/main.c | 1 | ||||
| -rw-r--r-- | main/php_globals.h | 1 | ||||
| -rw-r--r-- | main/php_variables.c | 6 |
3 files changed, 8 insertions, 0 deletions
diff --git a/main/main.c b/main/main.c index b92e2d7046..5c25ac4f4c 100644 --- a/main/main.c +++ b/main/main.c @@ -531,6 +531,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) diff --git a/main/php_globals.h b/main/php_globals.h index bfd1c6025f..70238d68fe 100644 --- a/main/php_globals.h +++ b/main/php_globals.h @@ -146,6 +146,7 @@ struct _php_core_globals { zend_bool com_initialized; #endif long max_input_nesting_level; + long max_input_vars; zend_bool in_user_include; char *user_ini_filename; diff --git a/main/php_variables.c b/main/php_variables.c index cfb2380210..976e9d5066 100644 --- a/main/php_variables.c +++ b/main/php_variables.c @@ -179,6 +179,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars escaped_index = index; if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); @@ -220,6 +223,9 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { + if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); } if (escaped_index != index) { |