Added max_input_vars directive to prevent attacks based on hash collisions

1 files changed, 6 insertions, 0 deletions

diff --git a/main/php_variables.c b/main/php_variables.c
index 73803e136d..40d549a937 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+					if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					}
 					MAKE_STD_ZVAL(gpc_element);
 					array_init(gpc_element);
 					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -236,6 +239,9 @@ plain_var:
 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 				zval_ptr_dtor(&gpc_element);
 			} else {
+				if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+					php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+				}
 				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
 			}
 			if (escaped_index != index) {