Commit
Add an upper bound to the POST data SecurityComponent will consider.
'Kurita Takashi' has let us know that the previous patterns could be abused by an evildoer. One could potentially send a very large, deeply nested POST data structure. Matching that structure could overflow the PCRE limits, causing a segmentation fault. Adding an upper bound will solve the problem and I doubt anyone is doing POST data structures with more than 10 levels of nesting.
1988e89
/(.\d{1,10})+$/ limits the number of digits.
/(.\d+){1,10}$/ is right.
1988e89
Good catch, I will get that fixed.
1988e89
Fixed in b3dfad6
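
The quantifier placement discussed in the comments above, as an added PHP example that is not code from the commit or from the project: it counts how many trailing numeric levels each pattern consumes. The escaped dot (treated as a literal separator), the constant and function names, and the sample field names are assumptions made for illustration.

```php
<?php
// Added example. The dot is escaped here on the assumption that it is a literal separator.
const DIGIT_BOUND = '/(\.\d{1,10})+$/';  // bound inside the group: caps digits per level
const LEVEL_BOUND = '/(\.\d+){1,10}$/';  // bound on the group: caps repeated levels

/**
 * Number of ".N" levels the pattern consumes at the end of $field
 * (0 when it does not match). Throws if PCRE itself reports an error,
 * so an engine failure is never mistaken for "no match".
 */
function matchedLevels(string $pattern, string $field): int
{
    $result = preg_match($pattern, $field, $m);
    if ($result === false) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result === 1 ? substr_count($m[0], '.') : 0;
}

// Constructed sample field names, not taken from the project.
$samples = [
    'three levels'     => 'Model.field' . str_repeat('.0', 3),
    'fifty levels'     => 'Model.field' . str_repeat('.0', 50),
    'one 14-digit key' => 'Model.field.12345678901234',
];

foreach ($samples as $label => $field) {
    printf(
        "%-17s digit-bound: %2d level(s)   level-bound: %2d level(s)\n",
        $label,
        matchedLevels(DIGIT_BOUND, $field),
        matchedLevels(LEVEL_BOUND, $field)
    );
}
```

With the bound inside the group, the repetition still grows with the input and a long numeric key is rejected; with the bound on the group, the repetition stops at ten levels regardless of input depth.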