Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
php5
>
php-5.2.6
> php-5.2.17-CVE-2011-4885.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File php-5.2.17-CVE-2011-4885.patch of Package php-5.2.6
From b912b2e02d02534380e32d642f139cbdc76a0b09 Mon Sep 17 00:00:00 2001 From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com> Date: Thu, 5 Jan 2012 11:45:12 +0100 Subject: [PATCH] Add max_input_vars directive to prevent attacks based on hash collisions Based on: http://svn.php.net/viewvc?view=revision&revision=321038 http://svn.php.net/viewvc?view=revision&revision=321040 http://svn.php.net/viewvc?view=revision&revision=321335 --- main/main.c | 1 + main/php_globals.h | 2 ++ main/php_variables.c | 20 ++++++++++++++++---- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/main/php_variables.c b/main/php_variables.c index c70544c..5e0b677 100644 --- a/main/php_variables.c +++ b/main/php_variables.c @@ -179,9 +179,14 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, zval *track_vars_arra } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } } if (index != escaped_index) { efree(escaped_index); @@ -224,7 +229,14 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { + zval_ptr_dtor(&gpc_element); + } } if (escaped_index != index) { efree(escaped_index); -- 1.7.6.2 --- php-5.2.17/main/main.c.orig 2010-06-19 22:47:24.000000000 +0200 +++ php-5.2.17/main/main.c 2012-02-08 12:29:58.164985316 +0100 @@ -436,6 +436,7 @@ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) --- php-5.2.17/main/php_globals.h.orig 2010-01-03 10:23:27.000000000 +0100 +++ php-5.2.17/main/php_globals.h 2012-02-08 12:30:59.184987601 +0100 @@ -160,6 +160,7 @@ zend_bool com_initialized; #endif long max_input_nesting_level; + long max_input_vars; zend_bool in_user_include; zend_bool in_error_log; };