author Nikita Popov <nikita.ppv@gmail.com> 2019-09-24 11:50:26 +0200
committer Nikita Popov <nikita.ppv@gmail.com> 2019-09-30 10:28:24 +0200
commit 1806ce9cb019ee74ddb540cbc07daf121dcb5537 (patch)
tree f2e30e502885dd431416a8803cce95aaacc4dfe4 /php.ini-development
parent ce769a94a8d350e4fbe4f95639fff165f7568bab (diff)
Add max_depth option to unserialize()
Add a max_depth option to unserialize and an unserialize_max_depth ini setting, which can be used to control the depth limit. The default value is 4096. This option is intended to prevent stack overflows during the unserialization of deeply nested structures. This fixes bug #78549 and addresses oss-fuzz #17581, #17589, #17664, and #17788.
Diffstat (limited to 'php.ini-development')
-rw-r--r-- php.ini-development 7
1 files changed, 7 insertions, 0 deletions
diff --git a/php.ini-development b/php.ini-development
index 920dd5d23a..4ac6c44b1e 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -284,6 +284,13 @@ implicit_flush = Off
; callback-function.
unserialize_callback_func =
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
; When floats & doubles are serialized, store serialize_precision significant
; digits after the floating point. The default value ensures that when floats
; are decoded with unserialize, the data will remain the same.
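Review bot: The added comment's last sentence, "A value of 0 disables the depth limit.", should say what disabling costs: with 0 the stack overflow risk described two sentences earlier applies again to any deeply nested input, and as written the two statements read as unrelated. The comment should also make clear that this setting is a default and not a ceiling, because the line "overridden by the max_depth option on individual unserialize() calls" means any call site can raise or disable the limit regardless of the ini value, so an administrator cannot rely on it alone as a hard cap. Suggested wording for the last line: "; A value of 0 disables the depth limit and removes this protection against stack overflows." A short note on what counts as one level of depth would help readers choose a value other than 4096.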