Skip to content
Browse files

Added max_input_vars directive to prevent attacks based on hash colli…

…sions
  • Loading branch information...
1 parent 4b14c11 commit 4ffedc700dffa57b72ffda663f2a015e0f658451 Dmitry Stogov committed Dec 14, 2011
Showing with 8 additions and 0 deletions.
  1. +1 −0 main/main.c
  2. +1 −0 main/php_globals.h
  3. +6 −0 main/php_variables.c
View
1 main/main.c
@@ -531,6 +531,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
View
1 main/php_globals.h
@@ -146,6 +146,7 @@ struct _php_core_globals {
zend_bool com_initialized;
#endif
long max_input_nesting_level;
+ long max_input_vars;
zend_bool in_user_include;
char *user_ini_filename;
View
6 main/php_variables.c
@@ -179,6 +179,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
escaped_index = index;
if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
@@ -220,6 +223,9 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
+ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ }
zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
}
if (escaped_index != index) {

0 comments on commit 4ffedc7

Please sign in to comment.
Something went wrong with that request. Please try again.