/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.2 - (show annotations) (download)
Fri Feb 3 15:51:39 2012 UTC (12 years, 3 months ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-1_el5_sme_6, php-5_3_3-13_el5_sme_1, php-5_3_3-13_el5_sme_2, php-5_3_3-17_el5_sme, php-5_3_3-13_el5_sme, HEAD
Changes since 1.1: +112 -0 lines 
* Fri Feb 3 2012 Shad L. Lords <slords@mail.com> - 5.3.3-1.6.sme
- Obsolete php-domxml and php-dom [SME: 6733]
- Update Obsoletes and Conflicts [SME: 6436]
1 From 6517ac845b4ed91cd8762d3aa22de5f3c9b0e067 Mon Sep 17 00:00:00 2001
2 From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
3 Date: Tue, 3 Jan 2012 02:04:09 +0100
4 Subject: [PATCH] Add max_input_vars directive to prevent attacks based on
5 hash collisions
6
7 Based on:
8 http://svn.php.net/viewvc?view=revision&revision=321038
9 http://svn.php.net/viewvc?view=revision&revision=321040
10 http://svn.php.net/viewvc?view=revision&revision=321335
11 ---
12 main/main.c | 1 +
13 main/php_globals.h | 2 ++
14 main/php_variables.c | 20 ++++++++++++++++----
15 php.ini-development | 3 +++
16 php.ini-production | 3 +++
17 5 files changed, 25 insertions(+), 4 deletions(-)
18
19 diff --git a/main/main.c b/main/main.c
20 index 45751ad..708e772 100644
21 --- a/main/main.c
22 +++ b/main/main.c
23 @@ -496,6 +496,7 @@ PHP_INI_BEGIN()
24 STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
25 STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
26 STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
27 + STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
28
29 STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
30 STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
31 diff --git a/main/php_globals.h b/main/php_globals.h
32 index dda28f2..5d898fa 100644
33 --- a/main/php_globals.h
34 +++ b/main/php_globals.h
35 @@ -170,6 +170,8 @@ struct _php_core_globals {
36 char *mail_log;
37
38 zend_bool in_error_log;
39 +
40 + long max_input_vars;
41 };
42
43
44 diff --git a/main/php_variables.c b/main/php_variables.c
45 index de80b09..9b05793 100644
46 --- a/main/php_variables.c
47 +++ b/main/php_variables.c
48 @@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
49 }
50 if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
51 || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
52 - MAKE_STD_ZVAL(gpc_element);
53 - array_init(gpc_element);
54 - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
55 + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
56 + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
57 + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
58 + }
59 + MAKE_STD_ZVAL(gpc_element);
60 + array_init(gpc_element);
61 + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
62 + }
63 }
64 if (index != escaped_index) {
65 efree(escaped_index);
66 @@ -236,7 +241,14 @@ plain_var:
67 zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
68 zval_ptr_dtor(&gpc_element);
69 } else {
70 - zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
71 + if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
72 + if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
73 + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
74 + }
75 + zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
76 + } else {
77 + zval_ptr_dtor(&gpc_element);
78 + }
79 }
80 if (escaped_index != index) {
81 efree(escaped_index);
82 diff --git a/php.ini-development b/php.ini-development
83 index 60d1000..12a8783 100644
84 --- a/php.ini-development
85 +++ b/php.ini-development
86 @@ -453,6 +453,9 @@ max_input_time = 60
87 ; http://php.net/max-input-nesting-level
88 ;max_input_nesting_level = 64
89
90 +; How many GET/POST/COOKIE input variables may be accepted
91 +; max_input_vars = 1000
92 +
93 ; Maximum amount of memory a script may consume (128MB)
94 ; http://php.net/memory-limit
95 memory_limit = 128M
96 diff --git a/php.ini-production b/php.ini-production
97 index 5ace330..487f823 100644
98 --- a/php.ini-production
99 +++ b/php.ini-production
100 @@ -453,6 +453,9 @@ max_input_time = 60
101 ; http://php.net/max-input-nesting-level
102 ;max_input_nesting_level = 64
103
104 +; How many GET/POST/COOKIE input variables may be accepted
105 +; max_input_vars = 1000
106 +
107 ; Maximum amount of memory a script may consume (128MB)
108 ; http://php.net/memory-limit
109 memory_limit = 128M
110 --
111 1.7.6.2
112
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed