Bug #61000 Exceeding max nesting level doesn't delete numerical vars
Submitted: 2012-02-07 09:45 UTC Modified: 2012-03-02 03:18 UTC
From: cataphract@php.net Assigned: laruence
Status: Closed Package: Scripting Engine problem
PHP Version: trunk-SVN-2012-02-07 (snap) OS: Irrelevant
Private report: No CVE-ID:
 [2012-02-07 09:45 UTC] cataphract@php.net
Description:
------------
Exceeding the max nesting level doesn't delete numerical vars, while it deletes the non-numerical ones. php_register_variable_ex inappropriately uses zend_hash_del.

(Found out by Stefan Esser, who points out that this can be used, together with max_input_vars, to determine whether PHP is a 32-bit or 64-bit process)

Test script:
---------------
With max nesting level=2:

http://nebm.ist.utl.pt/phpinfo?1[a][]=foo&1[a][b][c]=bar



Expected result:
----------------
_GET is empty

Actual result:
--------------
_GET["1"] =
Array
(
    [a] => Array
        (
            [0] => foo
        )

)

Patches

bug61000.patch (last revision 2012-02-08 06:08 UTC, by laruence@php.net)

 [2012-02-08 06:08 UTC] laruence@php.net
The following patch has been added/updated:

Patch Name: bug61000.patch
Revision:   1328681292
URL:        https://bugs.php.net/patch-display.php?bug=61000&patch=bug61000.patch&revision=1328681292
 [2012-02-08 06:10 UTC] laruence@php.net
I am wondering whether there was a discussion about how to fix this? It seems replacing
zend_hash_del with zend_symbol_del will solve this issue.

Since it is so suspicious (seems too easy), I attached my fix.

<laruence> I was wondering, is there already a discussion about how to fix it?
If not, I think zend_symbol_del will work
<Rasmus> I think Cataphract already had a fix, didn't he?
<Rasmus> it was probably just that though

thanks
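
The mismatch described in the report and in the comment above, as an added example: a toy C model written for this page, not PHP source and not the attached patch. A key registered through numeric-aware insertion is stored under an integer key, so a raw string-key delete misses it while a delete that normalizes the key the same way finds it. The table layout and the names `numeric_key`, `find`, `sym_add` and `del` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model, not PHP source: each slot is keyed by a string or an integer. */
#define SLOTS 8
typedef struct { int used, is_int; long ikey; char skey[16]; } slot_t;
typedef struct { slot_t s[SLOTS]; } table_t;

/* 1 if key is a canonical decimal integer ("1", not "01" or "1a"). */
static int numeric_key(const char *key, long *out) {
    char buf[32];
    long v = strtol(key, NULL, 10);
    snprintf(buf, sizeof buf, "%ld", v);
    if (strcmp(buf, key) != 0) return 0;  /* must round-trip exactly */
    *out = v; return 1;
}
static slot_t *find(table_t *t, int is_int, long ikey, const char *skey) {
    for (int i = 0; i < SLOTS; i++) {
        slot_t *s = &t->s[i];
        if (s->used && s->is_int == is_int &&
            (is_int ? s->ikey == ikey : !strcmp(s->skey, skey))) return s;
    }
    return NULL;
}
/* Insert the way request variables are registered: "1" becomes int key 1. */
static void sym_add(table_t *t, const char *key) {
    for (int i = 0; i < SLOTS; i++) {
        slot_t *s = &t->s[i];
        if (s->used) continue;
        s->used = 1;
        s->is_int = numeric_key(key, &s->ikey);
        snprintf(s->skey, sizeof s->skey, "%s", s->is_int ? "" : key);
        return;
    }
}
/* normalize=0: raw string-key delete (the role zend_hash_del plays in the
 * report), which never matches int keys. normalize=1: numeric-aware delete. */
static int del(table_t *t, const char *key, int normalize) {
    long v = 0;
    int is_int = normalize && numeric_key(key, &v);
    slot_t *s = find(t, is_int, v, key);
    return s ? (s->used = 0, 1) : 0;
}
int main(void) {
    table_t t = {0};
    sym_add(&t, "1"); sym_add(&t, "a");            /* constructed keys */
    printf("raw del a=%d 1=%d\n", del(&t, "a", 0), del(&t, "1", 0));
    printf("numeric-aware del 1=%d\n", del(&t, "1", 1));
    return 0;
}
```

The raw delete removes `a` but reports nothing removed for `1`, which is the asymmetry in the report's "Actual result".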
 [2012-02-08 14:07 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323123
Log: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
 [2012-02-08 14:10 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-02-08 14:10 UTC] laruence@php.net
fixed in 5.3, trunk. will close this when I commit to 5.4 after 5.4 release. 
thanks
 [2012-03-02 03:17 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323769
Log: MFH: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars)
 [2012-03-02 03:18 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-02 03:18 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-04-18 09:45 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=59cbf74b7454188c356495a8446fc9e100a03144
Log: MFH: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars)
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6672171672044c6967492a2c2c094b648f8690e1
Log: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=59cbf74b7454188c356495a8446fc9e100a03144
Log: MFH: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6672171672044c6967492a2c2c094b648f8690e1
Log: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=59cbf74b7454188c356495a8446fc9e100a03144
Log: MFH: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars)
 [2013-11-17 09:33 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6672171672044c6967492a2c2c094b648f8690e1
Log: Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical vars).
 
Last updated: Sun Apr 20 01:02:05 2014 UTC