From 1548e88ea16f68d15a71040c7fb6bff3874c5e32 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:11:18 +0000
Subject: [PATCH 5/8] Fix repeated warning for file uploads limit exceeding

(cherry picked from commit 3a2fdef1ae38881110006616ee1f0534b082ca45)
---
 main/rfc1867.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 27718e72a4..3f7a0c76f9 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -932,7 +932,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 				skip_upload = 1;
 			} else if (upload_cnt <= 0) {
 				skip_upload = 1;
-				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+				if (upload_cnt == 0) {
+					--upload_cnt;
+					sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+				}
 			}
 
 			/* Return with an error if the posted data is garbled */
-- 
2.39.1

From 7d196fe1295491e624edf263525148c8c3bfd902 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:31:25 +0000
Subject: [PATCH 6/8] Introduce max_multipart_body_parts INI

This fixes GHSA-54hq-v5wp-fqgv DOS vulnerabality by limitting number of
parsed multipart body parts as currently all parts were always parsed.

(cherry picked from commit 8ec78d28d20c82c75c4747f44c52601cfdb22516)
---
 main/main.c    |  1 +
 main/rfc1867.c | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/main/main.c b/main/main.c
index a3fc980b17..0cfdb91368 100644
--- a/main/main.c
+++ b/main/main.c
@@ -621,6 +621,7 @@ PHP_INI_BEGIN()
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("max_file_uploads",			"20",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
+	PHP_INI_ENTRY("max_multipart_body_parts",	"-1",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
 
 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 3f7a0c76f9..14813a300c 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -704,6 +704,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 	void *event_extra_data = NULL;
 	unsigned int llen = 0;
 	int upload_cnt = INI_INT("max_file_uploads");
+	int body_parts_cnt = INI_INT("max_multipart_body_parts");
 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 	php_rfc1867_getword_t getword;
 	php_rfc1867_getword_conf_t getword_conf;
@@ -725,6 +726,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 		return;
 	}
 
+	if (body_parts_cnt < 0) {
+		body_parts_cnt = PG(max_input_vars) + upload_cnt;
+	}
+	int body_parts_limit = body_parts_cnt;
+
 	/* Get the boundary */
 	boundary = strstr(content_type_dup, "boundary");
 	if (!boundary) {
@@ -809,6 +815,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 			char *pair = NULL;
 			int end = 0;
 
+			if (--body_parts_cnt < 0) {
+				php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
+				goto fileupload_done;
+			}
+
 			while (isspace(*cd)) {
 				++cd;
 			}
-- 
2.39.1

From 7900df2bfa37eaf0217fd2d62f3418b0be096cba Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 09:14:47 +0100
Subject: [PATCH 7/8] NEWS

(cherry picked from commit 472db3ee3a00ac00d36019eee0b3b7362334481c)
---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index ad57c5ccd5..e59c43300a 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ Backported from 8.0.28
   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
     (CVE-2023-0568). (Niels Dossche)
 
+- FPM:
+  . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
+    request body). (CVE-2023-0662) (Jakub Zelenka)
+
 Backported from 8.0.27
 
 - PDO/SQLite:
-- 
2.39.1

From 27d1f29635717f619267b5e2ebf87ec43faa18f0 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 11:47:22 +0100
Subject: [PATCH 8/8] fix NEWS, not FPM specific

(cherry picked from commit c04f310440a906fc4ca885f4ecf6e3e4cd36edc7)
---
 NEWS | 2 --
 1 file changed, 2 deletions(-)

diff --git a/NEWS b/NEWS
index e59c43300a..47e9f89a64 100644
--- a/NEWS
+++ b/NEWS
@@ -8,8 +8,6 @@ Backported from 8.0.28
     (CVE-2023-0567). (Tim Düsterhus)
   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
     (CVE-2023-0568). (Niels Dossche)
-
-- FPM:
   . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
     request body). (CVE-2023-0662) (Jakub Zelenka)
 
-- 
2.39.1