From 6517ac845b4ed91cd8762d3aa22de5f3c9b0e067 Mon Sep 17 00:00:00 2001
From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
Date: Tue, 3 Jan 2012 02:04:09 +0100
Subject: [PATCH] Add max_input_vars directive to prevent attacks based on
 hash collisions

Based on:
http://svn.php.net/viewvc?view=revision&revision=321038
http://svn.php.net/viewvc?view=revision&revision=321040
http://svn.php.net/viewvc?view=revision&revision=321335
---
 main/main.c          |    1 +
 main/php_globals.h   |    2 ++
 main/php_variables.c |   20 ++++++++++++++++----
 php.ini-development  |    3 +++
 php.ini-production   |    3 +++
 5 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/main/main.c b/main/main.c
index 45751ad..708e772 100644
--- a/main/main.c
+++ b/main/main.c
@@ -496,6 +496,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
+	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
 
 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
diff --git a/main/php_globals.h b/main/php_globals.h
index dda28f2..5d898fa 100644
--- a/main/php_globals.h
+++ b/main/php_globals.h
@@ -170,6 +170,8 @@ struct _php_core_globals {
 	char *mail_log;
 
 	zend_bool in_error_log;
+
+	long max_input_vars;
 };
 
 
diff --git a/main/php_variables.c b/main/php_variables.c
index de80b09..9b05793 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
-					MAKE_STD_ZVAL(gpc_element);
-					array_init(gpc_element);
-					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+						if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+						}
+						MAKE_STD_ZVAL(gpc_element);
+						array_init(gpc_element);
+						zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					}
 				}
 				if (index != escaped_index) {
 					efree(escaped_index);
@@ -236,7 +241,14 @@ plain_var:
 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
 				zval_ptr_dtor(&gpc_element);
 			} else {
-				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+					if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					}
+					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+				} else {
+					zval_ptr_dtor(&gpc_element);
+				}
 			}
 			if (escaped_index != index) {
 				efree(escaped_index);
diff --git a/php.ini-development b/php.ini-development
index 60d1000..12a8783 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -453,6 +453,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
diff --git a/php.ini-production b/php.ini-production
index 5ace330..487f823 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -453,6 +453,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64
 
+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
-- 
1.7.6.2