[Pkg-php-commits] [php/debian-lenny] max_file_uploads: prevent, by limiting, temporary files exhaustion DoS

Raphael Geissert geissert at debian.org
Sat Nov 28 23:52:52 UTC 2009


---
 debian/patches/max_file_uploads.patch |   78 +++++++++++++++++++++++++++++++++
 debian/patches/series                 |    1 +
 2 files changed, 79 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/max_file_uploads.patch

diff --git a/debian/patches/max_file_uploads.patch b/debian/patches/max_file_uploads.patch
new file mode 100644
index 0000000..45134bf
--- /dev/null
+++ b/debian/patches/max_file_uploads.patch
@@ -0,0 +1,78 @@
+Index: php/main/main.c
+===================================================================
+--- php.orig/main/main.c
++++ php/main/main.c
+@@ -451,6 +451,7 @@ PHP_INI_BEGIN()
+ 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
+ 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
++	PHP_INI_ENTRY("max_file_uploads",			"50",			PHP_INI_SYSTEM,		NULL)
+ 
+ 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,	core_globals)
+ 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,	core_globals)
+Index: php/main/rfc1867.c
+===================================================================
+--- php.orig/main/rfc1867.c
++++ php/main/rfc1867.c
+@@ -32,6 +32,7 @@
+ #include "php_globals.h"
+ #include "php_variables.h"
+ #include "rfc1867.h"
++#include "php_ini.h"
+ 
+ #define DEBUG_FILE_UPLOAD ZEND_DEBUG
+ 
+@@ -795,6 +796,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 	zend_llist header;
+ 	void *event_extra_data = NULL;
+ 	int llen = 0;
++	int upload_cnt = INI_INT("max_file_uploads");
+ 
+ 	if (SG(request_info).content_length > SG(post_max_size)) {
+ 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
+@@ -973,6 +975,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 			/* If file_uploads=off, skip the file part */
+ 			if (!PG(file_uploads)) {
+ 				skip_upload = 1;
++			} else if (upload_cnt <= 0) {
++				skip_upload = 1;
++				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+ 			}
+ 
+ 			/* Return with an error if the posted data is garbled */
+@@ -1017,6 +1022,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 			if (!skip_upload) {
+ 				/* Handle file */
+ 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
++				upload_cnt--;
+ 				if (fd==-1) {
+ 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
+ 					cancel_upload = UPLOAD_ERROR_E;
+Index: php/php.ini-dist
+===================================================================
+--- php.orig/php.ini-dist
++++ php/php.ini-dist
+@@ -565,6 +565,9 @@ file_uploads = On
+ upload_max_filesize = 2M
+ 
+ 
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 50
++
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
+ ;;;;;;;;;;;;;;;;;;
+Index: php/php.ini-recommended
+===================================================================
+--- php.orig/php.ini-recommended
++++ php/php.ini-recommended
+@@ -599,6 +599,9 @@ file_uploads = On
+ upload_max_filesize = 2M
+ 
+ 
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 50
++
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
+ ;;;;;;;;;;;;;;;;;;
diff --git a/debian/patches/series b/debian/patches/series
index aee7f5e..1f45667 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -59,3 +59,4 @@ CVE-2009-2687.patch
 CVE-2009-2626.patch
 CVE-2009-3292.patch
 CVE-2009-3291.patch
+max_file_uploads.patch
-- 
1.6.3.3




