feat(core) Check that max_input_vars is not reached by management classes.

This is easy to check as management classes respect the size limit option. issue #6169

feat(core) Check that max_input_vars is not reached by management classes.
This is easy to check as management classes respect the size limit option. issue #6169
07e29613 · Côme Chilliet · 93d2c51c · 07e29613 · 07e29613 · 07e29613
Unverified Commit 07e29613 authored 3 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 50 additions and 2 deletions
+50 -2
--- a/include/class_ldapSizeLimit.inc
+++ b/include/class_ldapSizeLimit.inc
@@ -71,8 +71,12 @@ class ldapSizeLimit
      switch ($_POST['action']) {
        case 'newlimit':
          if (isset($_POST['new_limit']) && tests::is_id($_POST['new_limit'])) {
-            $this->sizeLimit  = intval($_POST['new_limit']);
+            if (($error = static::checkMaxInputVars($_POST['new_limit'])) !== FALSE) {
-            $this->ignore     = FALSE;
+              $error->display();
+            } else {
+              $this->sizeLimit  = intval($_POST['new_limit']);
+              $this->ignore     = FALSE;
+            }
          }
          break;
        case 'ignore':
@@ -132,4 +136,26 @@ class ldapSizeLimit
    }
    return '';
  }
+  /**
+   * Checks if a new limit or a number of entries is too high regarding to max_input_vars.
+   *
+   * If there are more items in $_POST than max_input_vars, PHP will discard some of them and will cause a CSRF error.
+   */
+  static public function checkMaxInputVars (int $newLimit, string $messageTemplate = NULL)
+  {
+    $maxInputVars = ini_get('max_input_vars');
+    if (($maxInputVars != '') && (($newLimit + 10) >= intval($maxInputVars))) {
+      return new FusionDirectoryError(
+        htmlescape(sprintf(
+          $messageTemplate ?? _('Limit %d is greater than or too close to configured max_input_vars PHP ini setting of %d. Please change max_input_vars ini setting to a higher value if you wish to set the limit higher.'),
+          $newLimit,
+          $maxInputVars
+        ))
+      );
+    }
+    return FALSE;
+  }
 }
--- a/include/management/class_managementListing.inc
+++ b/include/management/class_managementListing.inc
@@ -227,6 +227,15 @@ class managementListing
      $smarty->assign('objectCounts', $types);
    }
+    /* If the user ignored the sizelimit warning he may get more entries than what PHP can handle */
+    $error = ldapSizeLimit::checkMaxInputVars(
+      count($this->entries),
+      _('The number of listed entries (%d) is greater than or too close to configured max_input_vars PHP ini setting (%d). Please change max_input_vars ini setting to a higher value.')
+    );
+    if ($error !== FALSE) {
+      $error->display();
+    }
    return $smarty->fetch(get_template_path('management/list.tpl'));
  }

--- a/plugins/config/class_configInLdap.inc
+++ b/plugins/config/class_configInLdap.inc
@@ -553,6 +553,19 @@ class configInLdap extends simplePlugin
        htmlescape(sprintf(_('It seems the selected language "%s" is not installed on the system. Please install it or select an other one.'), $this->fdLanguage))
      );
    }
+    if (($this->fdLdapSizeLimit !== '') && ($this->fdLdapSizeLimit > 0)) {
+      $error = ldapSizeLimit::checkMaxInputVars($this->fdLdapSizeLimit);
+      if ($error !== FALSE) {
+        $messages[] = new SimplePluginCheckError(
+          $this->attributesAccess['fdLdapSizeLimit'],
+          $error->getHtmlMessage(),
+          $error->getCode(),
+          $error
+        );
+      }
+    }
    return $messages;
  }