authortaca <taca>2012-01-03 16:23:14 +0000
committertaca <taca>2012-01-03 16:23:14 +0000
commita3c0bdc81c1d326b3e30a8223370892a0260b9a9 (patch)
treed74d2eb8988e8458c43732ed2f4d2e3a056ea3f0 /lang/php53/patches
parentb85be5159c662c0d4ccdb4b1f22f844ba69da76f (diff)
Add security fix for http://www.ocert.org/advisories/ocert-2011-003.html
from r321038 from PHP's repository. Bump PKGREVISION.
Diffstat (limited to 'lang/php53/patches')
-rw-r--r--lang/php53/patches/patch-main_main.c15
-rw-r--r--lang/php53/patches/patch-main_php__globals.h16
-rw-r--r--lang/php53/patches/patch-main_php__variables.c27
3 files changed, 58 insertions, 0 deletions
diff --git a/lang/php53/patches/patch-main_main.c b/lang/php53/patches/patch-main_main.c
new file mode 100644
index 00000000000..75ed38ee3c2
--- /dev/null
+++ b/lang/php53/patches/patch-main_main.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-main_main.c,v 1.1 2012/01/03 16:23:14 taca Exp $
+
+* Fix for http://www.ocert.org/advisories/ocert-2011-003.html
+ from r321038 from PHP's repository.
+
+--- main/main.c.orig 2012-01-03 02:28:53.000000000 +0000
++++ main/main.c
+@@ -504,6 +504,7 @@ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
+ STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
+
+ STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
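Review bot: The new `max_input_vars` entry is validated with `OnUpdateLongGEZero`, so `0` is accepted, and with the `>=` comparison this commit adds in `main/php_variables.c` a value of 0 would make the first input variable of any request raise the fatal error; no value means "unlimited". Because the entry is also `PHP_INI_PERDIR`, per-directory configuration can apparently raise the cap and so weaken the hash-collision mitigation for that directory. I would record both facts next to the entry, e.g. `/* max_input_vars: cap on elements per input array; 0 rejects all input; PERDIR may raise it */`. The `PHP_INI_BEGIN()` table starts and ends outside the inner hunk.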
diff --git a/lang/php53/patches/patch-main_php__globals.h b/lang/php53/patches/patch-main_php__globals.h
new file mode 100644
index 00000000000..9950417c1ef
--- /dev/null
+++ b/lang/php53/patches/patch-main_php__globals.h
@@ -0,0 +1,16 @@
+$NetBSD: patch-main_php__globals.h,v 1.1 2012/01/03 16:23:14 taca Exp $
+
+* Fix for http://www.ocert.org/advisories/ocert-2011-003.html
+ from r321038 from PHP's repository.
+
+--- main/php_globals.h.orig 2011-01-01 02:19:59.000000000 +0000
++++ main/php_globals.h
+@@ -170,6 +170,8 @@ struct _php_core_globals {
+ char *mail_log;
+
+ zend_bool in_error_log;
++
++ long max_input_vars;
+ };
+
+
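Review bot: The added member `long max_input_vars;` has no comment, and the name alone does not say that it is a count compared against `zend_hash_num_elements()` in `main/php_variables.c`. I would write it as `long max_input_vars; /* max elements accepted per input array, see php_variables.c */`. Appending it after `in_error_log` keeps the offsets of the existing members unchanged, which is worth stating in the same comment for anyone who later reorders the struct; `struct _php_core_globals` begins outside the hunk.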
diff --git a/lang/php53/patches/patch-main_php__variables.c b/lang/php53/patches/patch-main_php__variables.c
new file mode 100644
index 00000000000..d970b8a202d
--- /dev/null
+++ b/lang/php53/patches/patch-main_php__variables.c
@@ -0,0 +1,27 @@
+$NetBSD: patch-main_php__variables.c,v 1.1 2012/01/03 16:23:14 taca Exp $
+
+* Fix for http://www.ocert.org/advisories/ocert-2011-003.html
+ from r321038 from PHP's repository.
+
+--- main/php_variables.c.orig 2011-01-01 02:19:59.000000000 +0000
++++ main/php_variables.c
+@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha
+ }
+ if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+@@ -236,6 +239,9 @@ plain_var:
+ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ zval_ptr_dtor(&gpc_element);
+ } else {
++ if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
+ if (escaped_index != index) {
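Review bot: Both added guards (before `MAKE_STD_ZVAL(gpc_element)` in the array branch and before `zend_symtable_update` under `plain_var:`) enforce the limit only through the side effect of raising `E_ERROR`; nothing in the visible lines stops the insert if `php_error_docref` ever returns. An explicit exit path after the error call would make the cap hold independently of error handling, but the array branch cannot simply skip the insert, because the code after it (outside this hunk) presumably goes on to use `gpc_element_p`. The count is also taken from `symtable1`, which looks like the array at the current nesting level, so the cap is per array rather than per request; a comment such as `/* limit applies to each input array level, not the request total */` above each guard would prevent misreading `max_input_vars`. `php_register_variable_ex` starts and ends outside both inner hunks.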