Newsgroups: php.internals
Xref: news.php.net php.internals:29633
Message-ID: <4651ED31.4080609@zend.com>
Date: Mon, 21 May 2007 12:04:17 -0700
Organization: Zend Technologies
To: 'PHP Internals'
Subject: CVE-2007-1285 fix for 4.x
From: stas@zend.com (Stanislav Malyshev)

The attached patch fixes CVE-2007-1285 (nesting variables in input crash) for the 4.x branch - release notes say it's fixed but in fact it never was. Objections?

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/

Attachment: nest4.4.diff

Index: main/main.c =================================================================== RCS file: /repository/php-src/main/main.c,v retrieving revision 1.512.2.63.2.14 diff -u -b -r1.512.2.63.2.14 main.c --- main/main.c 1 Jan 2007 09:46:50 -0000 1.512.2.63.2.14 +++ main/main.c 21 May 2007 18:43:50 -0000
@@ -338,6 +338,7 @@ STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, post_max_size, sapi_globals_struct,sapi_globals) STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("max_input_nesting_level", "500", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals) STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("variables_order", NULL, PHP_INI_ALL, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals) Index: main/php_globals.h =================================================================== RCS file: /repository/php-src/main/php_globals.h,v retrieving revision 1.84.2.6.8.2 diff -u -b -r1.84.2.6.8.2 php_globals.h --- main/php_globals.h 1 Jan 2007 09:46:50 -0000 1.84.2.6.8.2 +++ main/php_globals.h 21 May 2007 18:43:50 -0000 @@ -141,6 +141,7 @@ zend_bool always_populate_raw_post_data; long serialize_precision; + long max_input_nesting_level; }; Index: main/php_variables.c =================================================================== RCS file: /repository/php-src/main/php_variables.c,v retrieving revision 1.45.2.13.2.10 diff -u -b -r1.45.2.13.2.10 php_variables.c --- main/php_variables.c 13 Apr 2007 00:42:48 -0000 1.45.2.13.2.10 +++ main/php_variables.c 21 May 2007 18:43:50 -0000 @@ -66,6 +66,7 @@ zval *gpc_element, **gpc_element_p; zend_bool is_array; HashTable *symtable1=NULL; + int nest_level = 0; assert(var != NULL); 
@@ -128,6 +129,10 @@ char *escaped_index = NULL, *index_s; int new_idx_len = 0; + if(++nest_level > PG(max_input_nesting_level)) { + /* too many levels of nesting */ + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variable nesting level more than allowed %d (change max_input_nesting_level in php.ini to increase the limit)", PG(max_input_nesting_level)); + } ip++; index_s = ip; if (isspace(*ip)) { --------------030507090708070104030105--
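Review bot: in the main.c hunk, the new `max_input_nesting_level` entry is registered with OnUpdateLongGEZero, which accepts 0, but together with the `++nest_level > PG(max_input_nesting_level)` test in php_variables.c a value of 0 rejects every bracketed input variable instead of switching the limit off; either reject 0 (OnUpdateLong plus an explicit > 0 check) or state in the directive's documentation that 0 does not mean unlimited. The patch also carries no php.ini sample entry or NEWS line for the new directive even though the error text tells users to change it in php.ini, so the directive should be documented alongside this fix.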
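Review bot: in the second php_variables.c hunk, the limit is enforced with E_ERROR, which is fatal and bails out of the whole request, so the `if` body never falls through and any request whose variable name has more than max_input_nesting_level `[` levels now terminates with a fatal error instead of merely losing that one variable; E_WARNING followed by freeing what has been allocated so far and returning from the function would confine the effect to the offending input. Also, `PG(max_input_nesting_level)` is declared `long` in the php_globals.h hunk but is printed with `%d`; use `%ld`. Minor style: `if(++nest_level ...` should be written `if (++nest_level ...` to match the surrounding `if (isspace(*ip)) {`.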