[Phpmyadmin-devel] false alarm for deep recursion
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Mon Apr 30 23:00:57 CEST 2007
Hi,
In this bug:
http://sourceforge.net/tracker/index.php?func=detail&aid=1709463&group_id=23067&atid=377408
there are many fields involved and we get a false alarm "possible deep
recursion attack". Do we really need to protect from 1000 recursions
overall? I think that protecting from 1000 recursions for each
superglobal would be correct.
Proposed patch which resets the recursive counter:
Index: common.lib.php
===================================================================
--- common.lib.php (revision 10333)
+++ common.lib.php (working copy)
@@ -269,9 +269,12 @@
* @param array $array array to walk
* @param string $function function to call for every array element
*/
-function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also
= false)
+function PMA_arrayWalkRecursive(&$array, $function, $apply_to_keys_also
= false, $reset_static = false)
{
static $recursive_counter = 0;
+ if ($reset_static) {
+ $recursive_counter = 0;
+ }
if (++$recursive_counter > 1000) {
die('possible deep recursion attack');
}
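Review bot: The new $reset_static parameter in the PMA_arrayWalkRecursive() signature is not described in the docblock above it, which in the visible context lists only $array and $function. Please add an @param line stating that it zeroes the static $recursive_counter and is meant for the outermost call only. The function's own recursive call is not shown in this hunk; it has to keep leaving the fourth argument at its default of false, because if true were passed down the counter would be reset on every level and the "> 1000" check could never fire.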
@@ -2604,10 +2607,10 @@
// remove quotes added by php
if (get_magic_quotes_gpc()) {
- PMA_arrayWalkRecursive($_GET, 'stripslashes', true);
- PMA_arrayWalkRecursive($_POST, 'stripslashes', true);
- PMA_arrayWalkRecursive($_COOKIE, 'stripslashes', true);
- PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true);
+ PMA_arrayWalkRecursive($_GET, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_POST, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_COOKIE, 'stripslashes', true, true);
+ PMA_arrayWalkRecursive($_REQUEST, 'stripslashes', true, true);
}
/**
* In some cases, this one is not set
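Review bot: In the four stripslashes calls, the counter is reset only at the start of each call, so after the $_REQUEST walk $recursive_counter is left at whatever that walk consumed. Any other caller of PMA_arrayWalkRecursive() that does not pass the fourth argument starts from that leftover value and can still hit the false alarm, so the other call sites should be checked or the counter reset when the outermost call returns. Note also that the effective bound for this block becomes up to 1000 per superglobal, 4000 in total per request, rather than 1000 overall, and that two adjacent positional "true, true" arguments are easy to misread; a short comment on the first call would help.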