1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
From 951b823876274823f4f6d78004d0e4664fd24504 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:11:18 +0000
Subject: [PATCH 5/8] Fix repeated warning for file uploads limit exceeding
(cherry picked from commit 3a2fdef1ae38881110006616ee1f0534b082ca45)
---
main/rfc1867.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index fb3035072a..323370fc58 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -925,7 +925,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
skip_upload = 1;
} else if (upload_cnt <= 0) {
skip_upload = 1;
- sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+ if (upload_cnt == 0) {
+ --upload_cnt;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+ }
}
/* Return with an error if the posted data is garbled */
--
2.31.1
From 21a325252a52d663533715900f091b0f025a77ab Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:31:25 +0000
Subject: [PATCH 6/8] Introduce max_multipart_body_parts INI
This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
parsed multipart body parts as currently all parts were always parsed.
(cherry picked from commit 8ec78d28d20c82c75c4747f44c52601cfdb22516)
---
main/main.c | 1 +
main/rfc1867.c | 11 +++++++++++
2 files changed, 12 insertions(+)
diff --git a/main/main.c b/main/main.c
index ab55b5b831..66da1881d4 100644
--- a/main/main.c
+++ b/main/main.c
@@ -628,6 +628,7 @@ PHP_INI_BEGIN()
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("max_file_uploads", "20", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
+ PHP_INI_ENTRY("max_multipart_body_parts", "-1", PHP_INI_SYSTEM|PHP_INI_PERDIR, NULL)
STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 323370fc58..ce8f557f23 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -697,6 +697,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
void *event_extra_data = NULL;
unsigned int llen = 0;
int upload_cnt = INI_INT("max_file_uploads");
+ int body_parts_cnt = INI_INT("max_multipart_body_parts");
const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding(TSRMLS_C);
php_rfc1867_getword_t getword;
php_rfc1867_getword_conf_t getword_conf;
@@ -718,6 +719,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
return;
}
+ if (body_parts_cnt < 0) {
+ body_parts_cnt = PG(max_input_vars) + upload_cnt;
+ }
+ int body_parts_limit = body_parts_cnt;
+
/* Get the boundary */
boundary = strstr(content_type_dup, "boundary");
if (!boundary) {
@@ -802,6 +808,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
char *pair = NULL;
int end = 0;
+ if (--body_parts_cnt < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
+ goto fileupload_done;
+ }
+
while (isspace(*cd)) {
++cd;
}
--
2.31.1
From 734b43c5938037a03b6af7212a95813c1c9e729c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 09:14:47 +0100
Subject: [PATCH 7/8] NEWS
(cherry picked from commit 472db3ee3a00ac00d36019eee0b3b7362334481c)
---
NEWS | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/NEWS b/NEWS
index 5e74b7547a..bcb62b8325 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ Backported from 8.0.28
. Fixed bug #81746 (1-byte array overrun in common path resolve code).
(CVE-2023-0568). (Niels Dossche)
+- FPM:
+ . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
+ request body). (CVE-2023-0662) (Jakub Zelenka)
+
Backported from 8.0.27
- PDO/SQLite:
--
2.31.1
From 72c4e7e7d9039d5b68fb52794acccf740167602a Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 11:47:22 +0100
Subject: [PATCH 8/8] fix NEWS, not FPM specific
(cherry picked from commit c04f310440a906fc4ca885f4ecf6e3e4cd36edc7)
---
NEWS | 2 --
1 file changed, 2 deletions(-)
diff --git a/NEWS b/NEWS
index bcb62b8325..c9e6f7d328 100644
--- a/NEWS
+++ b/NEWS
@@ -8,8 +8,6 @@ Backported from 8.0.28
(CVE-2023-0567). (Tim Düsterhus)
. Fixed bug #81746 (1-byte array overrun in common path resolve code).
(CVE-2023-0568). (Niels Dossche)
-
-- FPM:
. Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
request body). (CVE-2023-0662) (Jakub Zelenka)
--
2.31.1
|