From 18853eece694abe8b5bb1cee1ac8a89e69532d6a Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Thu, 1 Mar 2007 16:09:00 +0000 Subject: [PATCH] bug #1671813 CVE-2006-1549 deep recursion crash --- ChangeLog | 5 ++++- libraries/common.lib.php | 25 +++++++++++++++++++++++-- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1238072d2..9283a44b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL$ +2007-03-01 Sebastian Mendel + * libraries/common.lib.php: bug #1671813 CVE-2006-1549 deep recursion crash + 2007-02-28 Marc Delisle * libraries/config.default.php: set $cfg['Servers'][$i]['ssl'] default value to false, we got reports from some users having problems with the @@ -16,7 +19,7 @@ $HeadURL$ 2007-02-26 Marc Delisle * scripts/upgrade_tables_mysql_4_1_2+.sql: bug #1668662, - can create the new pma_designer_coords table + can create the new pma_designer_coords table 2007-02-25 Marc Delisle * libraries/common.lib.php: bug #1667466, undefined variable when diff --git a/libraries/common.lib.php b/libraries/common.lib.php index 3beec329e..5f218c887 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -335,6 +335,12 @@ function PMA_array_merge_recursive() /** * calls $function vor every element in $array recursively * + * this function is protected against deep recursion attack CVE-2006-1549, + * 1000 seems to be more than enough + * + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549 + * * @uses PMA_arrayWalkRecursive() * @uses is_array() * @uses is_string() 
@@ -343,6 +349,10 @@ function PMA_array_merge_recursive() */ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false) { + static $recursive_counter = 0; + if (++$recursive_counter > 1000) { + die('possible deep recursion attack'); + } foreach ($array as $key => $value) { if (is_array($value)) { PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also); @@ -358,6 +368,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false) } } } + $recursive_counter++; } /** @@ -1621,7 +1632,7 @@ if (typeof(window.parent) != 'undefined' echo '
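Review bot: The added `$recursive_counter++;` at the end of PMA_arrayWalkRecursive() (hunk `@@ -358,6 +368,7 @@`) increments the static counter a second time instead of undoing the `++$recursive_counter` made at entry in hunk `@@ -343,6 +349,10 @@`, so the counter tracks invocations per request rather than nesting depth. Each completed call adds 2, so `die('possible deep recursion attack')` would fire after roughly 500 calls even on shallow, legitimate input, while the docblock describes a limit of 1000 on recursion. The exit line should be `$recursive_counter--;`. The middle of the function body lies outside both hunks, so it is worth confirming that no early return there would skip the decrement. A comment on the static such as `// current nesting depth, shared by all calls in this request` would make the intent explicit.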
' . "\n"; echo ' ' . $GLOBALS['strSQLQuery'] . ':'; echo '
'; - // when uploading a 700 Kio binary file into a LONGBLOB, + // when uploading a 700 Kio binary file into a LONGBLOB, // I get a white page, strlen($query_base) is 2 x 700 Kio // so put a hard limit here (let's say 1000) if (defined('PMA_QUERY_TOO_BIG')) { @@ -2648,11 +2659,21 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS']) die('GLOBALS overwrite attempt'); } +/** + * protect against deep recursion attack CVE-2006-1549, + * 1000 seems to be more than enough + * + * @see http://www.php-security.org/MOPB/MOPB-02-2007.html + * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549 + */ +if (count($GLOBALS) > 1000) { + die('possible deep recurse attack'); +} + /** * Check for numeric keys * (if register_globals is on, numeric key can be found in $GLOBALS) */ - foreach ($GLOBALS as $key => $dummy) { if (is_numeric($key)) { die('numeric key detected');
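Review bot: The new `count($GLOBALS) > 1000` guard counts only top-level entries, because count() is non-recursive unless COUNT_RECURSIVE is passed, so it bounds the number of global variables rather than nesting depth; a single deeply nested request array adds one entry and passes this check. The docblock above it should state what is actually limited, for example `reject requests that leave more than 1000 top-level entries in $GLOBALS; nesting depth is bounded in PMA_arrayWalkRecursive()`. The message `'possible deep recurse attack'` differs from `'possible deep recursion attack'` in PMA_arrayWalkRecursive(); if the difference is meant to tell the two exits apart, each message should name its check, otherwise they should be aligned. The limit 1000 is repeated as a literal in both places and would be easier to audit as one named constant.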