| @@ -0,0 +1,77 @@
+From b912b2e02d02534380e32d642f139cbdc76a0b09 Mon Sep 17 00:00:00 2001
+From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
+Date: Thu, 5 Jan 2012 11:45:12 +0100
+Subject: [PATCH] Add max_input_vars directive to prevent attacks based on
+ hash collisions
+
+Based on:
+http://svn.php.net/viewvc?view=revision&revision=321038
+http://svn.php.net/viewvc?view=revision&revision=321040
+http://svn.php.net/viewvc?view=revision&revision=321335
+---
+ main/main.c | 1 +
+ main/php_globals.h | 2 ++
+ main/php_variables.c | 20 ++++++++++++++++----
+ 3 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/main/php_variables.c b/main/php_variables.c
+index c70544c..5e0b677 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -179,9 +179,14 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, zval *track_vars_arra
+ }
+ if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+- MAKE_STD_ZVAL(gpc_element);
+- array_init(gpc_element);
+- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
++ MAKE_STD_ZVAL(gpc_element);
++ array_init(gpc_element);
++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ }
+ }
+ if (index != escaped_index) {
+ efree(escaped_index);
+@@ -224,7 +229,14 @@ plain_var:
+ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ zval_ptr_dtor(&gpc_element);
+ } else {
+- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ } else {
++ zval_ptr_dtor(&gpc_element);
++ }
+ }
+ if (escaped_index != index) {
+ efree(escaped_index);
+--
+1.7.6.2
+
+--- php-5.2.17/main/main.c.orig 2010-06-19 22:47:24.000000000 +0200
++++ php-5.2.17/main/main.c 2012-02-08 12:29:58.164985316 +0100
+@@ -436,6 +436,7 @@
+ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
+ STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, max_input_vars, php_core_globals, core_globals)
+
+ STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
+--- php-5.2.17/main/php_globals.h.orig 2010-01-03 10:23:27.000000000 +0100
++++ php-5.2.17/main/php_globals.h 2012-02-08 12:30:59.184987601 +0100
+@@ -160,6 +160,7 @@
+ zend_bool com_initialized;
+ #endif
+ long max_input_nesting_level;
++ long max_input_vars;
+ zend_bool in_user_include;
+ zend_bool in_error_log;
+ };
|
