nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bug #1671813 CVE-2006-1549 deep recursion crash

Browse Source
This commit is contained in:
Sebastian Mendel
2007-03-01 16:09:00 +00:00
parent 4df1b95996
commit 18853eece6
2 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$HeadURL$ $HeadURL$
2007-03-01 Sebastian Mendel <cybot_tm@users.sourceforge.net>
* libraries/common.lib.php: bug #1671813 CVE-2006-1549 deep recursion crash
2007-02-28 Marc Delisle <lem9@users.sourceforge.net> 2007-02-28 Marc Delisle <lem9@users.sourceforge.net>
* libraries/config.default.php: set $cfg['Servers'][$i]['ssl'] default * libraries/config.default.php: set $cfg['Servers'][$i]['ssl'] default
value to false, we got reports from some users having problems with the value to false, we got reports from some users having problems with the

23
libraries/common.lib.php
View File

@@ -335,6 +335,12 @@ function PMA_array_merge_recursive()
/** /**
* calls $function vor every element in $array recursively * calls $function vor every element in $array recursively
* *
* this function is protected against deep recursion attack CVE-2006-1549,
* 1000 seems to be more than enough
*
* @see http://www.php-security.org/MOPB/MOPB-02-2007.html
* @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
*
* @uses PMA_arrayWalkRecursive() * @uses PMA_arrayWalkRecursive()
* @uses is_array() * @uses is_array()
* @uses is_string() * @uses is_string()
@@ -343,6 +349,10 @@ function PMA_array_merge_recursive()
*/ */
function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false) function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
{ {
static $recursive_counter = 0;
if (++$recursive_counter > 1000) {
die('possible deep recursion attack');
}
foreach ($array as $key => $value) { foreach ($array as $key => $value) {
if (is_array($value)) { if (is_array($value)) {
PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also); PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
@@ -358,6 +368,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
} }
} }
} }
$recursive_counter++;
} }
/** /**
@@ -2648,11 +2659,21 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])
die('GLOBALS overwrite attempt'); die('GLOBALS overwrite attempt');
} }
/**
* protect against deep recursion attack CVE-2006-1549,
* 1000 seems to be more than enough
*
* @see http://www.php-security.org/MOPB/MOPB-02-2007.html
* @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
*/
if (count($GLOBALS) > 1000) {
die('possible deep recurse attack');
}
/** /**
* Check for numeric keys * Check for numeric keys
* (if register_globals is on, numeric key can be found in $GLOBALS) * (if register_globals is on, numeric key can be found in $GLOBALS)
*/ */
foreach ($GLOBALS as $key => $dummy) { foreach ($GLOBALS as $key => $dummy) {
if (is_numeric($key)) { if (is_numeric($key)) {
die('numeric key detected'); die('numeric key detected');