Newsgroups: php.internals
Date: Wed, 18 Apr 2007 21:27:17 +0900
To: derick@php.net
Cc: masugata@php.net, internals@lists.php.net
Message-ID: <20070418212302.9AB2.S.MASUGATA@digicom.dnp.co.jp>
Subject: [PATCH] max_input_nesting_level in PHP_4_4 Branch
From: s.masugata@digicom.dnp.co.jp (Seiji Masugata)

Hello, Derick. :-)

http://www.php-security.org/MOPB/MOPB-02-2007.html
http://www.php-security.org/MOPB/MOPB-03-2007.html
http://news.php.net/php.cvs/43349

Is this change planned for the PHP_4_4 Branch?
I think that it should become a similar operation.

My patch works in PHP_4_4 Branch.

Regards.
--
Seiji Masugata

--- php4-STABLE-200704180830,orig/main/main.c 2007-01-01 20:33:06.000000000 +0900 +++ php4-STABLE-200704180830/main/main.c 2007-04-18 20:04:09.295587660 +0900 
@@ -338,6 +338,7 @@ STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", NULL, PHP_INI_ALL, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) --- php4-STABLE-200704180830,orig/main/php_globals.h 2007-01-01 20:33:06.000000000 +0900 +++ php4-STABLE-200704180830/main/php_globals.h 2007-04-18 20:04:10.145471450 +0900 @@ -90,6 +90,7 @@ char *extension_dir; char *upload_tmp_dir; + long max_input_nesting_level; long upload_max_filesize; char *error_append_string; --- php4-STABLE-200704180830,orig/main/php_variables.c 2007-04-13 11:33:32.000000000 +0900 +++ php4-STABLE-200704180830/main/php_variables.c 2007-04-18 20:07:32.987735574 +0900 @@ -63,6 +63,7 @@ char *ip; /* index pointer */ char *index; int var_len, index_len; + int nest_level = 0; zval *gpc_element, **gpc_element_p; zend_bool is_array; HashTable *symtable1=NULL; @@ -128,6 +129,11 @@ char *escaped_index = NULL, *index_s; int new_idx_len = 0; + if(++nest_level > PG(max_input_nesting_level)) { + /* too many levels of nesting */ + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %ld (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level)); + } + ip++; index_s = ip; if (isspace(*ip)) { 
@@ -184,6 +190,7 @@ *ip = 0; } else { is_array = 0; + nest_level = 0; } } else { plain_var:
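
Review bot: In the main/main.c hunk, the new max_input_nesting_level entry is registered with OnUpdateLongGEZero, which accepts 0, while the check in main/php_variables.c is "++nest_level > PG(max_input_nesting_level)", so a setting of 0 would raise E_ERROR on the first array index of any input variable. Either reject 0 at registration or treat 0 as "no limit" in the check, and state which in the directive's documentation. The neighbouring numeric entries in this table use OnUpdateInt, so please also confirm that OnUpdateLongGEZero is available in the PHP_4_4 branch.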
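
Review bot: In the main/php_globals.h hunk, the new "long max_input_nesting_level;" member is inserted between upload_tmp_dir and upload_max_filesize, which shifts the offset of every later member of the struct. On a stable branch that can break extensions built against the previous layout; adding the member at the end of the struct avoids the shift.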
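
Review bot: In the main/php_variables.c hunk at @@ -128, nothing follows the php_error_docref() call inside the new if block, so the limit holds only because E_ERROR aborts the request; if the level were ever lowered to a warning, parsing would continue into the deeper index. An explicit cleanup and return after the call would make the intent independent of the error level. Also, nest_level is declared int while the limit it is compared against is long, and none of the three patched files documents the new directive even though the error message tells the administrator to change it in php.ini.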