summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--NEWS4
-rw-r--r--main/main.c1
-rw-r--r--main/rfc1867.c10
-rw-r--r--php.ini-development3
-rw-r--r--php.ini-production3
5 files changed, 21 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 730d887..a473c9c 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ PHP NEWS
- Implemented FR #49571 (CURLOPT_POSTREDIR not implemented). (Sriram Natarajan)
- Implemented FR #49253 (added support for libcurl's CERTINFO option).
(Linus Nielsen Feltzing <linus@haxx.se>)
+
+- Introduced a max_file_uploads INI setting, which is set to limit the
+ number of file uploads per-request to 100 by default, to prevent possible
+ DOS via temporary file exhaustion. (Ilia)
- Fixed memory leak in extension loading when an error occurs on Windows.
(Pierre)
diff --git a/main/main.c b/main/main.c
index 4236890..08f3cdc 100644
--- a/main/main.c
+++ b/main/main.c
@@ -515,6 +515,7 @@ PHP_INI_BEGIN()
PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra)
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 48130c0..ed22312 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -795,6 +795,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
zend_llist header;
void *event_extra_data = NULL;
int llen = 0;
+ char *max_uploads = INI_STR("max_file_uploads");
+ int upload_cnt = 0;
+
+ if (max_uploads && *max_uploads) {
+ upload_cnt = atoi(max_uploads);
+ }
if (SG(request_info).content_length > SG(post_max_size)) {
sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -973,6 +979,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
+ } else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
}
/* Return with an error if the posted data is garbled */
@@ -1017,6 +1026,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
if (!skip_upload) {
/* Handle file */
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
+ upload_cnt--;
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;
diff --git a/php.ini-development b/php.ini-development
index cb994bd..a45b670 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -878,6 +878,9 @@ file_uploads = On
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
diff --git a/php.ini-production b/php.ini-production
index 3ef0957..9104155 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -878,6 +878,9 @@ file_uploads = On
; http://php.net/upload-max-filesize
upload_max_filesize = 2M
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 100
+
;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;