Newsgroups: php.internals
Xref: news.php.net php.internals:110062
To: PHP Internals <internals@lists.php.net>
Date: Thu, 07 May 2020 10:55:00 +0200
Message-ID: <2157564.YClJE7JIHU@mcmic-probook>
Organization: FusionDirectory
Subject: max_input_vars trigger detection
From: come.chilliet@fusiondirectory.org (Côme Chilliet)

Hello,

We've hit the max_input_vars limit
some time ago, and at first I tried to detect this case, but I failed as there is no handy way to detect this situation.

In our case the application was complaining about the CSRF token missing, since the token was truncated, and you had to go see the logs to actually see the max_input_vars error.

For those not familiar with this ini setting, it defines a maximum number of input vars in either $_GET, $_POST or $_COOKIE. Additional variables are discarded. This is a good idea to avoid attacks sending lots of data, but the program has no way of knowing it's working with a truncated $_POST, $_GET or $_COOKIE.

Source: https://www.php.net/manual/en/info.configuration.php#ini.max-input-vars

In the end we reworked the application to prevent it from creating a form with more than 1000 inputs, as it makes no sense and is not usable. But still, it bugs me that there is no way to programmatically know that this limit was triggered.

With recent work on error handling, a lot of what were warnings or fatal errors before is now easy to catch and treat properly. It would make sense to me that this also becomes something the program can react to.

So, would it be possible either to change the warning into some kind of catchable error (but I'm not sure which operation would trigger it? Maybe the first access to $_POST, in case it's POST which triggers the limit?), or to add a flag, or a function to test whether this limit was triggered. Like was_max_input_vars_reached($_POST)? (or was_max_input_vars_reached(POST) with an enum)

--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
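As an added example that is not part of Côme's message and not a PHP API, one heuristic an application can use today to detect the truncation the post describes: count the raw "name=value" segments in the query string or urlencoded body and compare that with the configured limit. It assumes application/x-www-form-urlencoded input with PHP's default "&" separator (multipart bodies and cookies are not covered); the function names count_raw_input_vars and max_input_vars_likely_reached are hypothetical.

```php
<?php
// Added example, not code from the original message or from PHP itself.
// Estimates whether max_input_vars truncated $_GET or $_POST by counting the
// top-level segments in the raw request data and comparing against the limit.
// Assumptions: urlencoded input only, default "&" separator; multipart bodies
// and cookies (";" separated) are out of scope.

declare(strict_types=1);

/**
 * Count input variables the way the urlencoded parser walks the string:
 * one per non-empty separator-delimited segment. A nested name such as
 * "a[b][c]=1" is still a single segment, so it counts once here.
 */
function count_raw_input_vars(string $raw, string $separator = '&'): int
{
    $count = 0;
    foreach (explode($separator, $raw) as $segment) {
        if ($segment !== '') {
            $count++;
        }
    }
    return $count;
}

/**
 * True when the raw data carries more variables than max_input_vars allows,
 * i.e. when the parsed superglobal is likely truncated. The limit defaults
 * to the running ini value; pass it explicitly to test offline.
 */
function max_input_vars_likely_reached(string $raw, ?int $limit = null): bool
{
    $limit ??= (int) ini_get('max_input_vars');
    return $limit > 0 && count_raw_input_vars($raw) > $limit;
}

// Constructed sample input: three variables checked against a limit of two.
$sample = 'csrf_token=abc&item[0]=1&item[1]=2';
$truncatedAtTwo   = max_input_vars_likely_reached($sample, 2);
$truncatedAtThree = max_input_vars_likely_reached($sample, 3);

// On a live request, check both sources the message talks about before
// trusting a missing CSRF token:
$getTruncated  = max_input_vars_likely_reached($_SERVER['QUERY_STRING'] ?? '');
$postTruncated = max_input_vars_likely_reached((string) file_get_contents('php://input'));
```

If either flag is set, the application can log a clear "input truncated by max_input_vars" message and reject the request instead of reporting a confusing missing-token error.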