main/php: security fix (CVE-2011-4885)

fixes #919 (cherry picked from commit 048cf16b51fd845e1c8aeb09437cec687e83228f)
author: Natanael Copa <ncopa@alpinelinux.org> 2012-01-10 15:55:45 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2012-01-10 15:56:44 +0000
commit: 651558b41f361eb94133a5a1c1c9f767e9574036 (patch)
tree: 7e9afd9363bf00297b06740a7d6473e9ebd36ce7
parent: aec8070d40f61980210134fec4b6ef9ba937a5a7 (diff)
download: aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.bz2
aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.xz
2 files changed, 66 insertions, 1 deletions
diff --git a/main/php/APKBUILD b/main/php/APKBUILD
index 0162ca229..d8a0bbe8e 100644
--- a/main/php/APKBUILD
+++ b/main/php/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=php
 pkgver=5.3.8
 _suhosinver=5.3.7-0.9.10
-pkgrel=1
+pkgrel=2
 pkgdesc="The PHP language runtime engine"
 url="http://www.php.net/"
 arch="all"
@@ -73,6 +73,7 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-common $pkgname-cgi
 
 #  http://download.suhosin.org/suhosin-patch-${_suhosinver}.patch.gz
 source="http://www.php.net/distributions/${pkgname}-${pkgver}.tar.bz2
+	max_input_vars.patch
 	php-install-pear-xml.patch
 	suhosin-patch-${_suhosinver}.patch
 	php-fpm.initd
@@ -443,6 +444,7 @@ mssql()		{ _mv_ext mssql; }
 pdo_dblib()	{ _mv_ext pdo_dblib "php-pdo freetds"; }
 
 md5sums="704cd414a0565d905e1074ffdc1fadfb  php-5.3.8.tar.bz2
+031c6fdcfbd45366fea32b697893d511  max_input_vars.patch
 5111e3be06d391f8772587c675240fab  php-install-pear-xml.patch
 8bd8840465d6bcd8e1e5d2cec80a1bfc  suhosin-patch-5.3.7-0.9.10.patch
 8f2bb2b744a2de50025842cb51fb6a3a  php-fpm.initd
diff --git a/main/php/max_input_vars.patch b/main/php/max_input_vars.patch
new file mode 100644
index 000000000..8366a3dd6
--- /dev/null
+++ b/main/php/max_input_vars.patch
@@ -0,0 +1,63 @@
+Index: PHP_5_3/NEWS
+===================================================================
+--- PHP_5_3/NEWS	(revision 321037)
++++ PHP_5_3/NEWS	(revision 321038)
+@@ -2,6 +2,10 @@
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ ?? ??? 2011, PHP 5.3.9
+ 
++- Core:
++  . Added max_input_vars directive to prevent attacks based on hash collisions
++    (Dmitry).
++
+ - Streams:
+   . Fixed bug #60455 (stream_get_line misbehaves if EOF is not detected together
+     with the last read). (Gustavo)
+Index: PHP_5_3/main/php_variables.c
+===================================================================
+--- PHP_5_3/main/php_variables.c	(revision 321037)
++++ PHP_5_3/main/php_variables.c	(revision 321038)
+@@ -191,6 +191,9 @@
+ 				}
+ 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
++					if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++						php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++					}
+ 					MAKE_STD_ZVAL(gpc_element);
+ 					array_init(gpc_element);
+ 					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+@@ -236,6 +239,9 @@
+ 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ 				zval_ptr_dtor(&gpc_element);
+ 			} else {
++				if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++					php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++				}
+ 				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ 			}
+ 			if (escaped_index != index) {
+Index: PHP_5_3/main/main.c
+===================================================================
+--- PHP_5_3/main/main.c	(revision 321037)
++++ PHP_5_3/main/main.c	(revision 321038)
+@@ -512,6 +512,7 @@
+ 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
+ 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
+ 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
++	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
+ 
+ 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
+ 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
+--- ./main/php_globals.h.orig
++++ ./main/php_globals.h
+@@ -170,6 +170,9 @@
+ 	char *mail_log;
+ 
+ 	zend_bool in_error_log;
++
++	long max_input_vars;
++
+ };
+ 
+
author	Natanael Copa <ncopa@alpinelinux.org>	2012-01-10 15:55:45 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2012-01-10 15:56:44 +0000
commit	651558b41f361eb94133a5a1c1c9f767e9574036 (patch)
tree	7e9afd9363bf00297b06740a7d6473e9ebd36ce7
parent	aec8070d40f61980210134fec4b6ef9ba937a5a7 (diff)
download	aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.bz2 aports-651558b41f361eb94133a5a1c1c9f767e9574036.tar.xz