Exceeding max nesting level doesn't delete numerical vars

Bug #61000 Exceeding max nesting level doesn't delete numerical vars
Submitted: 2012-02-07 09:45 UTC Modified: 2012-03-02 03:18 UTC
From: cataphract@php.net Assigned: laruence (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: trunk-SVN-2012-02-07 (snap) OS: Irrelevant
Private report: No CVE-ID: None

 [2012-02-07 09:45 UTC] cataphract@php.net

Description:
------------
Exceeding the max nesting level doesn't delete numerical vars, while it deletes the non-numerical ones. php_register_variable_ex inappropriately uses zend_hash_del.

(Found out by Stefan Esser, who points out that this can be used, together with max_input_vars, to determine whether PHP is a 32-bit or 64-bit process)

Test script:
---------------
With max nesting level=2:

http://nebm.ist.utl.pt/phpinfo?1[a][]=foo&1[a][b][c]=bar
Expected result:
----------------
_GET is empty

Actual result:
--------------
_GET["1"] =
Array
(
    [a] => Array
        (
            [0] => foo
        )

)
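The following Python model is an added example and is not the PHP engine's code; it reproduces the behaviour in the report by modelling how a Zend symtable stores canonical integer strings under integer keys, and shows the effect of the two delete strategies: a raw string-key delete (what zend_hash_del does) and a delete that normalises the key first (what zend_symtable_del does). The names `parse_get`, `register_variable`, `hash_del` and `symtable_del`, and the 64-bit word size, are assumptions of this model.

```python
"""Model of Zend symbol-table key handling (constructed example, not PHP's code).

A Zend 'symtable' is a hash table in which a string key that is a canonical
integer ("1", "-5", but not "01", "-0" or "1.0") is stored under the integer
instead of the string (ZEND_HANDLE_NUMERIC).  zend_hash_del() looks up by the
raw string key only, so it cannot find an entry that was normalised to an
integer; a symtable-aware delete normalises the key first.
"""
import re
from urllib.parse import unquote_plus

# A string only counts as numeric if it fits in the platform's long; assumed
# 64-bit here.  On a 32-bit build the bound is 2**31 - 1, which is why the
# report notes that this behaviour exposes the process word size.
LONG_MAX = 2**63 - 1
LONG_MIN = -2**63
_CANONICAL_INT = re.compile(r"^(0|-?[1-9][0-9]*)$")


def handle_numeric(key):
    """Return the int form of a canonical integer string, else the key unchanged."""
    if isinstance(key, str) and _CANONICAL_INT.match(key):
        n = int(key)
        if LONG_MIN <= n <= LONG_MAX:
            return n
    return key


def hash_del(table, key):
    """Buggy delete: like zend_hash_del(), matches the raw string key only."""
    return table.pop(key, None) is not None


def symtable_del(table, key):
    """Fixed delete: normalise the key exactly as insertion did, then remove."""
    return table.pop(handle_numeric(key), None) is not None


def parse_var_name(name):
    """Split 'a[b][][c]' into ('a', ['b', '', 'c']); stop at the first malformed bracket."""
    base, sep, rest = name.partition("[")
    segments = []
    while sep:
        end = rest.find("]")
        if end < 0:
            break
        segments.append(rest[:end])
        rest = rest[end + 1:]
        sep = rest.startswith("[")
        rest = rest[1:]
    return base, segments


def next_index(table):
    """Auto-index used for '[]': one past the largest integer key, or 0."""
    ints = [k for k in table if isinstance(k, int)]
    return max(ints) + 1 if ints else 0


def register_variable(symtable, name, value, max_nesting, delete):
    """Insert one name=value pair the way php_register_variable_ex does.

    Exceeding max_input_nesting_level drops the whole top-level variable so a
    partially built array never reaches the script; 'delete' is the strategy
    used for that drop (hash_del reproduces the bug, symtable_del the fix).
    """
    base, segments = parse_var_name(name)
    if len(segments) > max_nesting:
        delete(symtable, base)
        return False
    table, key = symtable, handle_numeric(base)
    for seg in segments:
        child = table.get(key)
        if not isinstance(child, dict):
            child = table[key] = {}
        table = child
        key = next_index(table) if seg == "" else handle_numeric(seg)
    table[key] = value
    return True


def parse_get(query, max_nesting, delete):
    """Build the $_GET array for a query string under the given nesting limit."""
    symtable = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            register_variable(symtable, unquote_plus(name), unquote_plus(value),
                              max_nesting, delete)
    return symtable


if __name__ == "__main__":
    query = "1[a][]=foo&1[a][b][c]=bar"  # the request from the report
    print("buggy :", parse_get(query, 2, hash_del))      # {1: {'a': {0: 'foo'}}}
    print("fixed :", parse_get(query, 2, symtable_del))  # {}
```

Run with `max_nesting=2` and `hash_del`, the first pair is registered and the second, which exceeds the limit, fails to remove `$_GET[1]` because the entry lives under the integer key 1 while the delete searches for the string "1"; that is the partial array shown under "Actual result". With `symtable_del` the key is normalised before the lookup and `$_GET` ends up empty, matching "Expected result". A non-numeric top-level name such as `x` is removed correctly by either delete, which is why the bug is specific to numeric variable names.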

Patches

bug61000.patch (last revision 2012-02-08 06:08 UTC by laruence@php.net)

History

 [2012-02-08 06:10 UTC] laruence@php.net

I am wondering whether there was a discussion about how to fix this? It seems replacing
zend_hash_del with zend_symbol_del will solve this issue.

Since it is so suspicious (seems too easy), I attached my fix.

<laruence> I was wondering is there already a discussion about how to fix it?
if not, I think zend_symbol_del will work
<Rasmus> I think Cataphract already had a fix, didn't he?
<Rasmus> it was probably just that though

thanks

 [2012-02-08 14:10 UTC] laruence@php.net

Fixed in 5.3 and trunk. Will close this when I commit to 5.4 after the 5.4 release.
Thanks