stas Tue May 22 18:16:38 2007 UTC Modified files: (Branch: PHP_4_4) /php-src/main main.c php_globals.h php_variables.c Log: fix for CVE-2007-1285 - crash on deep input variable nesting
http://cvs.php.net/viewvc.cgi/php-src/main/main.c?r1=1.512.2.63.2.14&r2=1.512.2.63.2.15&diff_format=u
Index: php-src/main/main.c
diff -u php-src/main/main.c:1.512.2.63.2.14 php-src/main/main.c:1.512.2.63.2.15
--- php-src/main/main.c:1.512.2.63.2.14 Mon Jan 1 09:46:50 2007
+++ php-src/main/main.c Tue May 22 18:16:37 2007
@@ -18,7 +18,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: main.c,v 1.512.2.63.2.14 2007/01/01 09:46:50 sebastian Exp $ */
+/* $Id: main.c,v 1.512.2.63.2.15 2007/05/22 18:16:37 stas Exp $ */
 /* {{{ includes */
@@ -338,6 +338,7 @@
 STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, post_max_size, sapi_globals_struct,sapi_globals)
 STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "500", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("variables_order", NULL, PHP_INI_ALL, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
http://cvs.php.net/viewvc.cgi/php-src/main/php_globals.h?r1=1.84.2.6.8.2&r2=1.84.2.6.8.3&diff_format=u
Index: php-src/main/php_globals.h
diff -u php-src/main/php_globals.h:1.84.2.6.8.2 php-src/main/php_globals.h:1.84.2.6.8.3
--- php-src/main/php_globals.h:1.84.2.6.8.2 Mon Jan 1 09:46:50 2007
+++ php-src/main/php_globals.h Tue May 22 18:16:38 2007
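Review bot: The `max_input_nesting_level` entry added to the INI table accepts 0 through `OnUpdateLongGEZero`, but nothing documents what 0 means; with the check this commit adds in php_variables.c (`++nest_level > PG(max_input_nesting_level)`), 0 would reject every bracketed input name rather than switch the limit off. The neighbouring entries use `OnUpdateInt`, so it is worth confirming that `OnUpdateLongGEZero` exists on the PHP_4_4 branch. The entry is also `PHP_INI_PERDIR`, which presumably lets per-directory configuration raise a limit that exists to prevent a crash; if that is not intended, register it as `PHP_INI_SYSTEM` only. A comment above the entry such as `/* max depth of [] nesting in input variable names; 0 rejects all array input */` would record the semantics.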
@@ -141,6 +141,7 @@
 zend_bool always_populate_raw_post_data;
 long serialize_precision;
+ long max_input_nesting_level;
 };
http://cvs.php.net/viewvc.cgi/php-src/main/php_variables.c?r1=1.45.2.13.2.10&r2=1.45.2.13.2.11&diff_format=u
Index: php-src/main/php_variables.c
diff -u php-src/main/php_variables.c:1.45.2.13.2.10 php-src/main/php_variables.c:1.45.2.13.2.11
--- php-src/main/php_variables.c:1.45.2.13.2.10 Fri Apr 13 00:42:48 2007
+++ php-src/main/php_variables.c Tue May 22 18:16:38 2007
@@ -16,7 +16,7 @@
 | Zeev Suraski <[EMAIL PROTECTED]> |
 +----------------------------------------------------------------------+
 */
-/* $Id: php_variables.c,v 1.45.2.13.2.10 2007/04/13 00:42:48 stas Exp $ */
+/* $Id: php_variables.c,v 1.45.2.13.2.11 2007/05/22 18:16:38 stas Exp $ */
 #include <stdio.h>
 #include "php.h"
@@ -66,6 +66,7 @@
 zval *gpc_element, **gpc_element_p;
 zend_bool is_array;
 HashTable *symtable1=NULL;
+ int nest_level = 0;
 assert(var != NULL);
@@ -128,6 +129,10 @@
 char *escaped_index = NULL, *index_s;
 int new_idx_len = 0;
+ if(++nest_level > PG(max_input_nesting_level)) {
+ /* too many levels of nesting */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %d (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level));
+ }
 ip++;
 index_s = ip;
 if (isspace(*ip)) {
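Review bot: The added `php_error_docref()` call formats `PG(max_input_nesting_level)` with `%d`, but php_globals.h in this commit declares the field as `long`, so the specifier should be `%ld`. The new branch has no `return` or cleanup after the error call, so the limit is only enforced if `E_ERROR` aborts the request at this point; that is presumably the intent, and a comment such as `/* E_ERROR does not return; parsing stops here */` would make it explicit. Since the condition is reached from request input, also consider whether a fatal error with the php.ini hint in its text is what should be shown when display of errors is enabled. The enclosing function starts and ends outside the hunk.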