diff options
| author | Aleksander Machniak <alec@alec.pl> | 2012-09-24 10:03:34 +0200 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2012-09-24 10:03:34 +0200 |
| commit | 30f10bfe1685c18fa43f64603e1989355dc9b665 (patch) | |
| tree | 8af7ab73959b5fb84cf9039f87896a950baa66d5 /plugins/managesieve/managesieve.php | |
| parent | bbbb2b1ce5b1dd71b5d2b9189f8e25dd596560b7 (diff) | |
Added request size limits detection and script corruption prevention (#1488648)
Diffstat (limited to 'plugins/managesieve/managesieve.php')
| -rw-r--r-- | plugins/managesieve/managesieve.php | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php index 0ddeba542..7282ff2e0 100644 --- a/plugins/managesieve/managesieve.php +++ b/plugins/managesieve/managesieve.php @@ -530,9 +530,37 @@ class managesieve extends rcube_plugin // Init plugin and handle managesieve connection $error = $this->managesieve_start(); - // filters set add action - if (!empty($_POST['_newset'])) { + // get request size limits (#1488648) + $max_post = max(array( + ini_get('max_input_vars'), + ini_get('suhosin.request.max_vars'), + ini_get('suhosin.post.max_vars'), + )); + $max_depth = max(array( + ini_get('suhosin.request.max_array_depth'), + ini_get('suhosin.post.max_array_depth'), + )); + // check request size limit + if ($max_post && count($_POST, COUNT_RECURSIVE) >= $max_post) { + rcube::raise_error(array( + 'code' => 500, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Request size limit exceeded (one of max_input_vars/suhosin.request.max_vars/suhosin.post.max_vars)" + ), true, false); + $this->rc->output->show_message('managesieve.filtersaveerror', 'error'); + } + // check request depth limits + else if ($max_depth && count($_POST['_header']) > $max_depth) { + rcube::raise_error(array( + 'code' => 500, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Request size limit exceeded (one of suhosin.request.max_array_depth/suhosin.post.max_array_depth)" + ), true, false); + $this->rc->output->show_message('managesieve.filtersaveerror', 'error'); + } + // filters set add action + else if (!empty($_POST['_newset'])) { $name = get_input_value('_name', RCUBE_INPUT_POST, true); $copy = get_input_value('_copy', RCUBE_INPUT_POST, true); $from = get_input_value('_from', RCUBE_INPUT_POST); |