Handle excessive data structures for multipart/form-data

Author: clue

src/Io/MultipartParser.php

@@ -27,6 +27,28 @@ final class MultipartParser
      */
     protected $maxFileSize;
 
+    /**
+     * ini setting "max_input_vars"
+     *
+     * Does not exist in PHP < 5.3.9 or HHVM, so assume PHP's default 1000 here.
+     *
+     * @var int
+     * @link http://php.net/manual/en/info.configuration.php#ini.max-input-vars
+     */
+    private $maxInputVars = 1000;
+
+    /**
+     * ini setting "max_input_nesting_level"
+     *
+     * Does not exist in HHVM, but assumes hard coded to 64 (PHP's default).
+     *
+     * @var int
+     * @link http://php.net/manual/en/info.configuration.php#ini.max-input-nesting-level
+     */
+    private $maxInputNestingLevel = 64;
+
+    private $postCount = 0;
+
     public static function parseRequest(ServerRequestInterface $request)
     {
         $parser = new self($request);
@@ -36,6 +58,15 @@ public static function parseRequest(ServerRequestInterface $request)
     private function __construct(ServerRequestInterface $request)
     {
         $this->request = $request;
+
+        $var = ini_get('max_input_vars');
+        if ($var !== false) {
+            $this->maxInputVars = (int)$var;
+        }
+        $var = ini_get('max_input_nesting_level');
+        if ($var !== false) {
+            $this->maxInputNestingLevel = (int)$var;
+        }
     }
 
     private function parse()
@@ -150,6 +181,11 @@ private function parseUploadedFile($filename, $contentType, $contents)
 
     private function parsePost($name, $value)
     {
+        // ignore excessive number of post fields
+        if (++$this->postCount > $this->maxInputVars) {
+            return;
+        }
+
         $this->request = $this->request->withParsedBody($this->extractPost(
             $this->request->getParsedBody(),
             $name,
@@ -203,6 +239,11 @@ private function extractPost($postFields, $key, $value)
             return $postFields;
         }
 
+        // ignore this key if maximum nesting level is exceeded
+        if (isset($chunks[$this->maxInputNestingLevel])) {
+            return $postFields;
+        }
+
         $chunkKey = rtrim($chunks[0], ']');
         $parent = &$postFields;
         for ($i = 1; isset($chunks[$i]); $i++) {

tests/Middleware/RequestBodyParserMiddlewareTest.php

@@ -215,8 +215,7 @@ public function testMultipartFormDataParsing()
         $data .= "Content-Disposition: form-data; name=\"users[two]\"\r\n";
         $data .= "\r\n";
         $data .= "second\r\n";
-        $data .= "--$boundary\r\n";
-
+        $data .= "--$boundary--\r\n";
 
         $request = new ServerRequest('POST', 'http://example.com/', array(
             'Content-Type' => 'multipart/form-data; boundary=' . $boundary,
@@ -241,4 +240,80 @@ function (ServerRequestInterface $request) {
         );
         $this->assertSame($data, (string)$parsedRequest->getBody());
     }
+
+    public function testMultipartFormDataIgnoresFieldWithExcessiveNesting()
+    {
+        // supported in all Zend PHP versions and HHVM
+        // ini setting does exist everywhere but HHVM: https://3v4l.org/hXLiK
+        // HHVM limits to 64 and otherwise returns an empty array structure
+        $allowed = (int)ini_get('max_input_nesting_level');
+        if ($allowed === 0) {
+            $allowed = 64;
+        }
+
+        $middleware = new RequestBodyParserMiddleware();
+
+        $boundary = "---------------------------12758086162038677464950549563";
+
+        $data  = "--$boundary\r\n";
+        $data .= "Content-Disposition: form-data; name=\"hello" . str_repeat("[]", $allowed + 1) . "\"\r\n";
+        $data .= "\r\n";
+        $data .= "world\r\n";
+        $data .= "--$boundary--\r\n";
+
+        $request = new ServerRequest('POST', 'http://example.com/', array(
+            'Content-Type' => 'multipart/form-data; boundary=' . $boundary,
+        ), $data, 1.1);
+
+        /** @var ServerRequestInterface $parsedRequest */
+        $parsedRequest = $middleware(
+            $request,
+            function (ServerRequestInterface $request) {
+                return $request;
+            }
+        );
+
+        $this->assertEmpty($parsedRequest->getParsedBody());
+    }
+
+    public function testMultipartFormDataTruncatesBodyWithExcessiveLength()
+    {
+        // ini setting exists in PHP 5.3.9, not in HHVM: https://3v4l.org/VF6oV
+        // otherwise default to 1000 as implemented within
+        $allowed = (int)ini_get('max_input_vars');
+        if ($allowed === 0) {
+            $allowed = 1000;
+        }
+
+        $middleware = new RequestBodyParserMiddleware();
+
+        $boundary = "---------------------------12758086162038677464950549563";
+
+        $data  = "";
+        for ($i = 0; $i < $allowed + 1; ++$i) {
+            $data .= "--$boundary\r\n";
+            $data .= "Content-Disposition: form-data; name=\"a[]\"\r\n";
+            $data .= "\r\n";
+            $data .= "b\r\n";
+        }
+        $data .= "--$boundary--\r\n";
+
+        $request = new ServerRequest('POST', 'http://example.com/', array(
+            'Content-Type' => 'multipart/form-data; boundary=' . $boundary,
+        ), $data, 1.1);
+
+        /** @var ServerRequestInterface $parsedRequest */
+        $parsedRequest = $middleware(
+            $request,
+            function (ServerRequestInterface $request) {
+                return $request;
+            }
+        );
+
+        $body = $parsedRequest->getParsedBody();
+
+        $this->assertCount(1, $body);
+        $this->assertTrue(isset($body['a']));
+        $this->assertCount($allowed, $body['a']);
+    }
 }