adulau/cakephp2-php8
1
0
Fork 0
mirror of https://github.com/kamilwylegala/cakephp2-php8.git synced 2025-03-15 05:59:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add an upper bound to the POST data SecurityComponent will consider.

Browse source 
'Kurita Takashi' has let us know that the previous patterns could be
abused by an evil doer. One could potentially send a very large deeply
nested POST data structure. Matching that structure could overflow the
PCRE limits causing a segmentation fault. Adding an upper bound will
solve the problem and I doubt anyone is doing POST data structures with
more than 10 levels of nesting.
This commit is contained in:
mark_story 2014-07-03 22:02:00 -04:00
parent 765be87d88
commit 1988e89e73
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/Cake/Controller/Component/SecurityComponent.php
View file

@ -470,8 +470,8 @@ class SecurityComponent extends Component {
$multi = array();
foreach ($fieldList as $i => $key) {
if (preg_match('/(\.\d+)+$/', $key)) {
$multi[$i] = preg_replace('/(\.\d+)+$/', '', $key);
if (preg_match('/(\.\d{1,10})+$/', $key)) {
$multi[$i] = preg_replace('/(\.\d{1,10})+$/', '', $key);
unset($fieldList[$i]);
}
}