Search
j0ke.net Open Build Service
>
Projects
>
internetx
:
php5
:
5.2.17
:
monolithic
>
php5-monolithic
> php-5.2.14-CVE-2011-4885.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File php-5.2.14-CVE-2011-4885.patch of Package php5-monolithic
http://svn.php.net/viewvc?view=revision&revision=321038 http://svn.php.net/viewvc?view=revision&revision=321040 http://svn.php.net/viewvc?view=revision&revision=321335 Index: php.ini-dist =================================================================== --- php.ini-dist.orig +++ php.ini-dist @@ -255,6 +255,7 @@ expose_php = On max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing request data ;max_input_nesting_level = 64 ; Maximum input variable nesting level +;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted memory_limit = 128M ; Maximum amount of memory a script may consume (128MB) Index: php.ini-recommended =================================================================== --- php.ini-recommended.orig +++ php.ini-recommended @@ -306,6 +306,7 @@ expose_php = On max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing request data ;max_input_nesting_level = 64 ; Maximum input variable nesting level +;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted memory_limit = 128M ; Maximum amount of memory a script may consume (128MB) Index: main/main.c =================================================================== --- main/main.c.orig +++ main/main.c @@ -439,6 +439,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Index: main/php_globals.h =================================================================== --- main/php_globals.h.orig +++ main/php_globals.h @@ -162,6 +162,8 @@ struct _php_core_globals { long max_input_nesting_level; zend_bool in_user_include; zend_bool in_error_log; + + long max_input_vars; }; Index: main/php_variables.c =================================================================== --- main/php_variables.c.orig +++ main/php_variables.c @@ -29,6 +29,7 @@ #include "SAPI.h" #include "php_logos.h" #include "zend_globals.h" +#include "zend_ini.h" /* for systems that need to override reading of environment variables */ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC); @@ -187,9 +188,14 @@ PHPAPI void php_register_variable_ex(cha } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + MAKE_STD_ZVAL(gpc_element); + array_init(gpc_element); + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } } if (index != escaped_index) { efree(escaped_index); @@ -232,7 +238,14 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(&gpc_element); } else { - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) { + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + } + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { + zval_ptr_dtor(&gpc_element); + } } if (escaped_index != index) { efree(escaped_index);