diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2009-10-27 16:13:48 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2009-10-27 16:13:48 +0000 |
| commit | 0e5f61656c6b867abb04f16106d0928faa1dece3 (patch) | |
| tree | 4817c0681f9a42a14adf6444da707b94824a53a1 | |
| parent | e21c46aec20b0775fdd6c85faf70f36a618b1c2b (diff) | |
| download | php-git-0e5f61656c6b867abb04f16106d0928faa1dece3.tar.gz | |
Introduced a max_file_uploads INI setting, which is set to limit the
number of file uploads per-request to 100 by default, to prevent possible
DOS via temporary file exhaustion.
| -rw-r--r-- | main/main.c | 1 | ||||
| -rw-r--r-- | main/rfc1867.c | 10 | ||||
| -rw-r--r-- | php.ini-development | 3 | ||||
| -rw-r--r-- | php.ini-production | 3 |
4 files changed, 17 insertions, 0 deletions
diff --git a/main/main.c b/main/main.c index 14c6559cb7..ac5a502a19 100644 --- a/main/main.c +++ b/main/main.c @@ -602,6 +602,7 @@ PHP_INI_BEGIN() PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) + PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_fopen_list, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_ALL, OnUpdateAllowUrl, allow_url_include_list, php_core_globals, core_globals) diff --git a/main/rfc1867.c b/main/rfc1867.c index 242125a066..fbc3a2e818 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -594,6 +594,12 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) zend_llist header; void *event_extra_data = NULL; int llen = 0; + char *max_uploads = INI_STR("max_file_uploads"); + int upload_cnt = 0; + + if (max_uploads && *max_uploads) { + upload_cnt = atoi(max_uploads); + } if (SG(request_info).content_length > SG(post_max_size)) { sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); @@ -740,6 +746,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* If file_uploads=off, skip the file part */ if (!PG(file_uploads)) { skip_upload = 1; + } else if (upload_cnt <= 0) { + skip_upload = 1; + sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); } /* Return with an error if the posted data is garbled */ @@ -784,6 +793,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) if (!skip_upload) { /* Handle file */ fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC); + upload_cnt--; if (fd==-1) { sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); cancel_upload = UPLOAD_ERROR_E; diff --git a/php.ini-development b/php.ini-development index cb994bdf11..a45b67042d 100644 --- a/php.ini-development +++ b/php.ini-development @@ -878,6 +878,9 @@ file_uploads = On ; http://php.net/upload-max-filesize upload_max_filesize = 2M +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 100 + ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;; diff --git a/php.ini-production b/php.ini-production index 3ef0957d75..9104155c88 100644 --- a/php.ini-production +++ b/php.ini-production @@ -878,6 +878,9 @@ file_uploads = On ; http://php.net/upload-max-filesize upload_max_filesize = 2M +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 100 + ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;; |