144 lines
4.6 KiB
Diff
144 lines
4.6 KiB
Diff
From 3a2fdef1ae38881110006616ee1f0534b082ca45 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Zelenka <bukka@php.net>
|
|
Date: Thu, 19 Jan 2023 14:11:18 +0000
|
|
Subject: [PATCH 5/7] Fix repeated warning for file uploads limit exceeding
|
|
|
|
---
|
|
main/rfc1867.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/main/rfc1867.c b/main/rfc1867.c
|
|
index edef19c16d6..4931b9aeefb 100644
|
|
--- a/main/rfc1867.c
|
|
+++ b/main/rfc1867.c
|
|
@@ -922,7 +922,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
|
|
skip_upload = 1;
|
|
} else if (upload_cnt <= 0) {
|
|
skip_upload = 1;
|
|
- sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
|
|
+ if (upload_cnt == 0) {
|
|
+ --upload_cnt;
|
|
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
|
|
+ }
|
|
}
|
|
|
|
/* Return with an error if the posted data is garbled */
|
|
--
|
|
2.39.1
|
|
|
|
From 8ec78d28d20c82c75c4747f44c52601cfdb22516 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Zelenka <bukka@php.net>
|
|
Date: Thu, 19 Jan 2023 14:31:25 +0000
|
|
Subject: [PATCH 6/7] Introduce max_multipart_body_parts INI
|
|
|
|
This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
|
|
parsed multipart body parts as currently all parts were always parsed.
|
|
---
|
|
main/main.c | 1 +
|
|
main/rfc1867.c | 11 +++++++++++
|
|
2 files changed, 12 insertions(+)
|
|
|
|
diff --git a/main/main.c b/main/main.c
|
|
index 0b33b2b56c9..d8c465988cc 100644
|
|
--- a/main/main.c
|
|
+++ b/main/main.c
|
|
@@ -836,6 +836,7 @@ PHP_INI_BEGIN()
|
|
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
|
|
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
|
|
PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
|
|
+ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
|
|
|
|
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
|
|
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
|
|
diff --git a/main/rfc1867.c b/main/rfc1867.c
|
|
index 4931b9aeefb..1b212c93325 100644
|
|
--- a/main/rfc1867.c
|
|
+++ b/main/rfc1867.c
|
|
@@ -694,6 +694,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
|
|
void *event_extra_data = NULL;
|
|
unsigned int llen = 0;
|
|
int upload_cnt = INI_INT("max_file_uploads");
|
|
+ int body_parts_cnt = INI_INT("max_multipart_body_parts");
|
|
const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
|
|
php_rfc1867_getword_t getword;
|
|
php_rfc1867_getword_conf_t getword_conf;
|
|
@@ -715,6 +716,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
|
|
return;
|
|
}
|
|
|
|
+ if (body_parts_cnt < 0) {
|
|
+ body_parts_cnt = PG(max_input_vars) + upload_cnt;
|
|
+ }
|
|
+ int body_parts_limit = body_parts_cnt;
|
|
+
|
|
/* Get the boundary */
|
|
boundary = strstr(content_type_dup, "boundary");
|
|
if (!boundary) {
|
|
@@ -799,6 +805,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
|
|
char *pair = NULL;
|
|
int end = 0;
|
|
|
|
+ if (--body_parts_cnt < 0) {
|
|
+ php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
|
|
+ goto fileupload_done;
|
|
+ }
|
|
+
|
|
while (isspace(*cd)) {
|
|
++cd;
|
|
}
|
|
--
|
|
2.39.1
|
|
|
|
From 472db3ee3a00ac00d36019eee0b3b7362334481c Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Tue, 14 Feb 2023 09:14:47 +0100
|
|
Subject: [PATCH 7/7] NEWS
|
|
|
|
---
|
|
NEWS | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index 8157a20d4b3..c1668368818 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -9,6 +9,10 @@ Backported from 8.0.28
|
|
. Fixed bug #81746 (1-byte array overrun in common path resolve code).
|
|
(CVE-2023-0568). (Niels Dossche)
|
|
|
|
+- FPM:
|
|
+ . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
|
|
+ request body). (CVE-2023-0662) (Jakub Zelenka)
|
|
+
|
|
Backported from 8.0.27
|
|
|
|
- PDO/SQLite:
|
|
--
|
|
2.39.1
|
|
|
|
From c04f310440a906fc4ca885f4ecf6e3e4cd36edc7 Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Tue, 14 Feb 2023 11:47:22 +0100
|
|
Subject: [PATCH] fix NEWS, not FPM specific
|
|
|
|
---
|
|
NEWS | 2 --
|
|
1 file changed, 2 deletions(-)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index c1668368818..3f8739eae78 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -8,8 +8,6 @@ Backported from 8.0.28
|
|
(CVE-2023-0567). (Tim Düsterhus)
|
|
. Fixed bug #81746 (1-byte array overrun in common path resolve code).
|
|
(CVE-2023-0568). (Niels Dossche)
|
|
-
|
|
-- FPM:
|
|
. Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
|
|
request body). (CVE-2023-0662) (Jakub Zelenka)
|
|
|
|
--
|
|
2.39.1
|
|
|