/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1.2.1 - (hide annotations) (download)
Fri Feb 3 15:48:14 2012 UTC (12 years, 9 months ago) by slords
Branch: redhat-upstream
CVS Tags: php-5_3_3-13_el5_9_1, php-5_3_3-1_el5_7_6, php-5_3_3-13_el6
Changes since 1.1: +112 -0 lines
Upstream import

1 slords 1.1.2.1 From 6517ac845b4ed91cd8762d3aa22de5f3c9b0e067 Mon Sep 17 00:00:00 2001
2     From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
3     Date: Tue, 3 Jan 2012 02:04:09 +0100
4     Subject: [PATCH] Add max_input_vars directive to prevent attacks based on
5     hash collisions
6    
7     Based on:
8     http://svn.php.net/viewvc?view=revision&revision=321038
9     http://svn.php.net/viewvc?view=revision&revision=321040
10     http://svn.php.net/viewvc?view=revision&revision=321335
11     ---
12     main/main.c | 1 +
13     main/php_globals.h | 2 ++
14     main/php_variables.c | 20 ++++++++++++++++----
15     php.ini-development | 3 +++
16     php.ini-production | 3 +++
17     5 files changed, 25 insertions(+), 4 deletions(-)
18    
19     diff --git a/main/main.c b/main/main.c
20     index 45751ad..708e772 100644
21     --- a/main/main.c
22     +++ b/main/main.c
23     @@ -496,6 +496,7 @@ PHP_INI_BEGIN()
24     STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
25     STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
26     STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
27     + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
28    
29     STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
30     STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
31     diff --git a/main/php_globals.h b/main/php_globals.h
32     index dda28f2..5d898fa 100644
33     --- a/main/php_globals.h
34     +++ b/main/php_globals.h
35     @@ -170,6 +170,8 @@ struct _php_core_globals {
36     char *mail_log;
37    
38     zend_bool in_error_log;
39     +
40     + long max_input_vars;
41     };
42    
43    
44     diff --git a/main/php_variables.c b/main/php_variables.c
45     index de80b09..9b05793 100644
46     --- a/main/php_variables.c
47     +++ b/main/php_variables.c
48     @@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
49     }
50     if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
51     || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
52     - MAKE_STD_ZVAL(gpc_element);
53     - array_init(gpc_element);
54     - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
55     + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
56     + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
57     + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
58     + }
59     + MAKE_STD_ZVAL(gpc_element);
60     + array_init(gpc_element);
61     + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
62     + }
63     }
64     if (index != escaped_index) {
65     efree(escaped_index);
66     @@ -236,7 +241,14 @@ plain_var:
67     zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
68     zval_ptr_dtor(&gpc_element);
69     } else {
70     - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
71     + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
72     + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
73     + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
74     + }
75     + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
76     + } else {
77     + zval_ptr_dtor(&gpc_element);
78     + }
79     }
80     if (escaped_index != index) {
81     efree(escaped_index);
82     diff --git a/php.ini-development b/php.ini-development
83     index 60d1000..12a8783 100644
84     --- a/php.ini-development
85     +++ b/php.ini-development
86     @@ -453,6 +453,9 @@ max_input_time = 60
87     ; http://php.net/max-input-nesting-level
88     ;max_input_nesting_level = 64
89    
90     +; How many GET/POST/COOKIE input variables may be accepted
91     +; max_input_vars = 1000
92     +
93     ; Maximum amount of memory a script may consume (128MB)
94     ; http://php.net/memory-limit
95     memory_limit = 128M
96     diff --git a/php.ini-production b/php.ini-production
97     index 5ace330..487f823 100644
98     --- a/php.ini-production
99     +++ b/php.ini-production
100     @@ -453,6 +453,9 @@ max_input_time = 60
101     ; http://php.net/max-input-nesting-level
102     ;max_input_nesting_level = 64
103    
104     +; How many GET/POST/COOKIE input variables may be accepted
105     +; max_input_vars = 1000
106     +
107     ; Maximum amount of memory a script may consume (128MB)
108     ; http://php.net/memory-limit
109     memory_limit = 128M
110     --
111     1.7.6.2
112    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed