Menu
▾
▴
#2376 (ok 2.10.0.2) CVE-2006-1549 deep recursion crash
PHP is affected by a deep recursion crash
http://www.php-security.org/MOPB/MOPB-02-2007.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1549
phpMyAdmin will try to limit recursion on arrays supplied by users, so to make it impossible use this as an attack
Logged In: YES
user_id=326580
Originator: YES
File Added: protect_against_deep_recursion_2.10.patch
Logged In: YES
user_id=326580
Originator: YES
File Added: protect_against_deep_recursion_2.9.patch
patch against trunk head
Logged In: YES
user_id=326580
Originator: YES
File Added: protect_against_deep_recursion.patch
patch against 2.10
Logged In: YES
user_id=326580
Originator: YES
File Added: protect_against_deep_recursion_2.10.patch
patch against 2.9
Logged In: YES
user_id=326580
Originator: YES
File Added: protect_against_deep_recursion_2.9.patch
PMASA-2007-3-for-2.10.0.1.patch
Logged In: YES
user_id=210714
Originator: NO
File Added: PMASA-2007-3-for-2.10.0.1.patch
Logged In: YES
user_id=663176
Originator: NO
Please note that this limits the calls to 1000 in total and not to 1000 per call.
IMHO, a better approach to this would be to use a function param $recursive_counter for PMA_arrayWalkRecursive() instead of a static var:
Patch against "stable" tag:
Index: libraries/common.lib.php
===================================================================
--- libraries/common.lib.php (Revision 10193)
+++ libraries/common.lib.php (Arbeitskopie)
@@ -274,17 +274,18 @@
*
* @param array $array array to walk
* @param string $function function to call for every array element
+ * @param boolean $apply_to_keys_also
+ * @param integer $recursive_counter Internal recursive counter
*/
-function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false)
+function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also = false, $recursive_counter = 0)
{
- static $recursive_counter = 0;
- if (++$recursive_counter > 1000) {
- die('possible deep recursion attack');
- }
+ if ($recursive_counter > 1000) {
+ die('Fatal error: possible deep recursion attack');
+ }
foreach ($array as $key => $value) {
if (is_array($value)) {
- PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also);
+ PMA_arrayWalkRecursive($array[$key], $function, $apply_to_keys_also, ++$recursive_counter);
} else {
$array[$key] = $function($value);
}
@@ -297,7 +298,6 @@
}
}
}
- $recursive_counter++;
}
/**
Logged In: YES
user_id=326580
Originator: YES
not 1000 but 500! caused by a typo, it should be written $recursive_counter--; instead of $recursive_counter++;
but this does not require a parameter - a waste of resources - with 500 recursive calls you will also have 500 variables of name $recursive_counter - but with being this one static it will always be only one!
but thanks anyway - it showed me the typo
Logged In: YES
user_id=326580
Originator: YES
fixed the typo in trunk (2.11)
no need to backport - 500 should still be enough for all external variables (COOKIE, REQUEST, GET, POST)