Reject negative request_parse_body() limit options

OracleNep · OracleNep · commit bcad8b6c4b35 · 2026-06-04T12:42:09.000+08:00
diff --git a/ext/standard/http.c b/ext/standard/http.c
@@ -247,7 +247,7 @@ PHP_FUNCTION(http_build_query)
 }
 /* }}} */
 
-static zend_result cache_request_parse_body_option(HashTable *options, zval *option, int cache_offset)
+static zend_result cache_request_parse_body_option(zval *option, int cache_offset, const char *option_name, bool allow_negative)
 {
 	if (option) {
 		zend_long result;
@@ -265,6 +265,10 @@ static zend_result cache_request_parse_body_option(HashTable *options, zval *opt
 			zend_value_error("Invalid %s value in $options argument", zend_zval_value_name(option));
 			return FAILURE;
 		}
+		if (!allow_negative && result < 0) {
+			zend_value_error("Invalid negative value for \"%s\" option in $options argument", option_name);
+			return FAILURE;
+		}
 		SG(request_parse_body_context).options_cache[cache_offset].set = true;
 		SG(request_parse_body_context).options_cache[cache_offset].value = result;
 	} else {
@@ -288,9 +292,9 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 			return FAILURE;
 		}
 
-#define CHECK_OPTION(name) \
+#define CHECK_OPTION(name, allow_negative) \
 	if (zend_string_equals_literal_ci(key, #name)) { \
-		if (cache_request_parse_body_option(options, value, REQUEST_PARSE_BODY_OPTION_ ## name) == FAILURE) { \
+		if (cache_request_parse_body_option(value, REQUEST_PARSE_BODY_OPTION_ ## name, #name, allow_negative) == FAILURE) { \
 			return FAILURE; \
 		} \
 		continue; \
@@ -299,25 +303,25 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 		switch (ZSTR_VAL(key)[0]) {
 			case 'm':
 			case 'M':
-				CHECK_OPTION(max_file_uploads);
-				CHECK_OPTION(max_input_vars);
-				CHECK_OPTION(max_multipart_body_parts);
+				CHECK_OPTION(max_file_uploads, false);
+				CHECK_OPTION(max_input_vars, false);
+				CHECK_OPTION(max_multipart_body_parts, true);
 				break;
 			case 'p':
 			case 'P':
-				CHECK_OPTION(post_max_size);
+				CHECK_OPTION(post_max_size, false);
 				break;
 			case 'u':
 			case 'U':
-				CHECK_OPTION(upload_max_filesize);
+				CHECK_OPTION(upload_max_filesize, false);
 				break;
 		}
 
 		zend_value_error("Invalid key \"%s\" in $options argument", ZSTR_VAL(key));
 		return FAILURE;
 	} ZEND_HASH_FOREACH_END();
 
-#undef CACHE_OPTION
+#undef CHECK_OPTION
 
 	return SUCCESS;
 }
diff --git a/ext/standard/tests/http/request_parse_body/options_negative_values.phpt b/ext/standard/tests/http/request_parse_body/options_negative_values.phpt
@@ -0,0 +1,33 @@
+--TEST--
+request_parse_body() negative limit options
+--FILE--
+<?php
+
+$invalidOptions = [
+    'max_file_uploads' => -1,
+    'max_input_vars' => -1,
+    'post_max_size' => -1,
+    'upload_max_filesize' => -1,
+];
+
+foreach ($invalidOptions as $name => $value) {
+    try {
+        request_parse_body([$name => $value]);
+    } catch (Throwable $e) {
+        echo $name, ': ', get_class($e), ': ', $e->getMessage(), "\n";
+    }
+}
+
+try {
+    request_parse_body(['max_multipart_body_parts' => -1]);
+} catch (Throwable $e) {
+    echo 'max_multipart_body_parts: ', get_class($e), ': ', $e->getMessage(), "\n";
+}
+
+?>
+--EXPECT--
+max_file_uploads: ValueError: Invalid negative value for "max_file_uploads" option in $options argument
+max_input_vars: ValueError: Invalid negative value for "max_input_vars" option in $options argument
+post_max_size: ValueError: Invalid negative value for "post_max_size" option in $options argument
+upload_max_filesize: ValueError: Invalid negative value for "upload_max_filesize" option in $options argument
+max_multipart_body_parts: RequestParseBodyException: Request does not provide a content type
