bug #1671813 CVE-2006-1549 deep recursion crash

2007-03-02 14:19:13 +00:00
parent ab0e7704fa
commit 30e9b896b6
2 changed files with 19 additions and 0 deletions
--- a/3
+++ b/3
@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$

+2007-03-01 Sebastian Mendel <cybot_tm@users.sourceforge.net>
+    * libraries/common.lib.php: bug #1671813 CVE-2006-1549 deep recursion crash
+
 2007-01-16 Marc Delisle  <lem9@users.sourceforge.net>
    ### 2.9.2 released from QA_2_9

--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -510,6 +510,10 @@ function PMA_array_merge_recursive()
 */
 function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
 {
+    static $recursive_counter = 0;
+    if (++$recursive_counter > 1000) {
+        die('possible deep recursion attack');
+    }
    foreach ($array as $key => $value) {
        if (is_array($value)) {
            PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
@@ -525,6 +529,7 @@ function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
            }
        }
    }
+    $recursive_counter++;
 }

 /**
@@ -2698,6 +2703,17 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])
    die('GLOBALS overwrite attempt');
 }

+/**
+ * protect against deep recursion attack CVE-2006-1549,
+ * 1000 seems to be more than enough
+ *
+ * @see http://www.php-security.org/MOPB/MOPB-02-2007.html
+ * @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
+ */
+if (count($GLOBALS) > 1000) {
+    die('possible deep recurse attack');
+}
+
 /**
 * Check for numeric keys
 * (if register_globals is on, numeric key can be found in $GLOBALS)