Add an upper bound to the POST data SecurityComponent will consider.

'Kurita Takashi' has let us know that the previous patterns could be
abused by an evildoer. One could potentially send a very large deeply
nested POST data structure. Matching that structure could overflow the
PCRE limits causing a segmentation fault. Adding an upper bound will
solve the problem and I doubt anyone is doing POST data structures with
more than 10 levels of nesting.
mark_story 2014-07-03 22:02:00 -04:00
parent 765be87d88
commit 1988e89e73

@ -470,8 +470,8 @@ class SecurityComponent extends Component {
$multi = array();
foreach ($fieldList as $i => $key) {
if (preg_match('/(\.\d+)+$/', $key)) {
$multi[$i] = preg_replace('/(\.\d+)+$/', '', $key);
if (preg_match('/(\.\d{1,10})+$/', $key)) {
$multi[$i] = preg_replace('/(\.\d{1,10})+$/', '', $key);
unset($fieldList[$i]);
}
}
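Review bot: In both changed patterns the new `{1,10}` sits on `\d`, so it caps each numeric segment at 10 digits, while the outer `(...)+` that repeats once per nesting level is still unbounded. The commit message describes the bound as a limit on nesting depth (10 levels), so the quantifier that needs the cap is the one on the group, for example `(\.\d+){1,10}$`, or both quantifiers if segment length should be limited as well. Separately, `preg_match()` returns false on a PCRE error and the `if` treats that the same as no match, which leaves the key in `$fieldList`; a test with a key nested deeper than the limit would pin down the intended behaviour. The identical pattern is also written twice, so holding it in one variable would keep the `preg_match` and `preg_replace` calls in sync.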