Validate request_parse_body() limit option ranges

Author: OracleNep

NEWS

@@ -226,6 +226,8 @@ PHP                                                                        NEWS
     contains null bytes. (Weilin Du)
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes. (Weilin Du)
+  . request_parse_body() now raises a ValueError for invalid limit option
+    ranges. (OracleNep)
   . proc_open() now raises a ValueError when the $cwd argument contains
     null bytes. (Weilin Du)
   . ini_get_all() now includes the built-in default value in the details.

UPGRADING

@@ -142,6 +142,11 @@ PHP 8.6 UPGRADE NOTES
     contains null bytes.
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes.
+  . request_parse_body() now raises a ValueError when the $options argument
+    contains negative values for max_file_uploads or max_input_vars, or
+    non-positive values for post_max_size or upload_max_filesize.
+    Negative values for max_multipart_body_parts continue to derive the limit
+    from max_input_vars + max_file_uploads.
   . linkinfo() now raises a ValueError when the $path argument is empty.
   . pathinfo() now raises a ValueError when an invalid $flag
     argument value is passed.

ext/standard/http.c

@@ -247,7 +247,7 @@ PHP_FUNCTION(http_build_query)
 }
 /* }}} */
 
-static zend_result cache_request_parse_body_option(HashTable *options, zval *option, int cache_offset)
+static zend_result cache_request_parse_body_option(zval *option, int cache_offset, const char *option_name, zend_long min_value)
 {
 	if (option) {
 		zend_long result;
@@ -265,6 +265,14 @@ static zend_result cache_request_parse_body_option(HashTable *options, zval *opt
 			zend_value_error("Invalid %s value in $options argument", zend_zval_value_name(option));
 			return FAILURE;
 		}
+		if (result < min_value) {
+			if (min_value == 0) {
+				zend_value_error("\"%s\" option in $options argument must be greater than or equal to 0", option_name);
+			} else {
+				zend_value_error("\"%s\" option in $options argument must be greater than 0", option_name);
+			}
+			return FAILURE;
+		}
 		SG(request_parse_body_context).options_cache[cache_offset].set = true;
 		SG(request_parse_body_context).options_cache[cache_offset].value = result;
 	} else {
@@ -288,9 +296,9 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 			return FAILURE;
 		}
 
-#define CHECK_OPTION(name) \
+#define CHECK_OPTION(name, min_value) \
 	if (zend_string_equals_literal_ci(key, #name)) { \
-		if (cache_request_parse_body_option(options, value, REQUEST_PARSE_BODY_OPTION_ ## name) == FAILURE) { \
+		if (cache_request_parse_body_option(value, REQUEST_PARSE_BODY_OPTION_ ## name, #name, min_value) == FAILURE) { \
 			return FAILURE; \
 		} \
 		continue; \
@@ -299,25 +307,25 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 		switch (ZSTR_VAL(key)[0]) {
 			case 'm':
 			case 'M':
-				CHECK_OPTION(max_file_uploads);
-				CHECK_OPTION(max_input_vars);
-				CHECK_OPTION(max_multipart_body_parts);
+				CHECK_OPTION(max_file_uploads, 0);
+				CHECK_OPTION(max_input_vars, 0);
+				CHECK_OPTION(max_multipart_body_parts, ZEND_LONG_MIN);
 				break;
 			case 'p':
 			case 'P':
-				CHECK_OPTION(post_max_size);
+				CHECK_OPTION(post_max_size, 1);
 				break;
 			case 'u':
 			case 'U':
-				CHECK_OPTION(upload_max_filesize);
+				CHECK_OPTION(upload_max_filesize, 1);
 				break;
 		}
 
 		zend_value_error("Invalid key \"%s\" in $options argument", ZSTR_VAL(key));
 		return FAILURE;
 	} ZEND_HASH_FOREACH_END();
 
-#undef CACHE_OPTION
+#undef CHECK_OPTION
 
 	return SUCCESS;
 }

ext/standard/tests/http/request_parse_body/options_negative_values.phpt

@@ -0,0 +1,51 @@
+--TEST--
+request_parse_body() invalid limit option ranges
+--FILE--
+<?php
+
+$invalidOptions = [
+    ['max_file_uploads', -1],
+    ['max_input_vars', '-1M'],
+    ['max_input_vars', '-1.0'],
+    ['post_max_size', -1],
+    ['post_max_size', 0],
+    ['upload_max_filesize', '-1M'],
+    ['upload_max_filesize', 0],
+];
+
+foreach ($invalidOptions as [$name, $value]) {
+    try {
+        request_parse_body([$name => $value]);
+    } catch (Throwable $e) {
+        echo $name, ': ', get_class($e), ': ', $e->getMessage(), "\n";
+    }
+}
+
+$validOptions = [
+    ['max_file_uploads', 0],
+    ['max_input_vars', 0],
+    ['max_multipart_body_parts', -1],
+];
+
+foreach ($validOptions as [$name, $value]) {
+    try {
+        request_parse_body([$name => $value]);
+    } catch (Throwable $e) {
+        echo $name, ': ', get_class($e), ': ', $e->getMessage(), "\n";
+    }
+}
+
+?>
+--EXPECTF--
+max_file_uploads: ValueError: "max_file_uploads" option in $options argument must be greater than or equal to 0
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+
+Warning: Invalid quantity "-1.0": unknown multiplier "0", interpreting as "-1" for backwards compatibility in %s on line %d
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+post_max_size: ValueError: "post_max_size" option in $options argument must be greater than 0
+post_max_size: ValueError: "post_max_size" option in $options argument must be greater than 0
+upload_max_filesize: ValueError: "upload_max_filesize" option in $options argument must be greater than 0
+upload_max_filesize: ValueError: "upload_max_filesize" option in $options argument must be greater than 0
+max_file_uploads: RequestParseBodyException: Request does not provide a content type
+max_input_vars: RequestParseBodyException: Request does not provide a content type
+max_multipart_body_parts: RequestParseBodyException: Request does not provide a content type