Newsgroups: php.internals
Date: Wed, 13 May 2020 11:47:55 +0200
From: come.chilliet@fusiondirectory.org (Côme Chilliet)
To: PHP Internals
Subject: Re: [PHP-DEV] max_input_vars trigger detection
Message-ID: <20200513114755.5f091fb4@mcmic-probook.opensides.be>
References: <2157564.YClJE7JIHU@mcmic-probook>
Organization: FusionDirectory

On Sun, 10 May 2020 13:34:12 +0100, Craig Duncan wrote:

> Although not particularly elegant, and it does require you to reject
> requests that hit but don't exceed the limit, I've used this approach
> before:
>
> $max = ini_get("max_input_vars") - 1;
> $check = count($_REQUEST);
> if ($check > $max) {
>     throw new RequestException("Request is too large, only {$max} input variables are permitted");
> }

This is not even correct if I’m not mistaken, as max_input_vars applies
independently to GET, POST and COOKIE as I understand it.

Here with max_input_vars/2 in GET and POST your exception would throw
while the limit was not hit.

I know this is a corner case, but it’s just to illustrate it’s hard to
detect whether this limit was hit and it would be better in my opinion
to have a clean way in core.
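
The corner case from the message above, as an added example that is not part of the original post or of PHP itself: with a limit of 1000 and 500 variables each in GET and POST, the combined count is 1000 and the quoted check rejects the request, while a per-source count finds no source at the limit. The helper names and sample arrays are constructed for illustration, and counting leaf values only approximates PHP's own counter (for instance, repeated names collapse into one entry), so this remains a heuristic.

```php
<?php
declare(strict_types=1);

/**
 * Count the leaf values of a parsed input array (hypothetical helper).
 * Assumption: this approximates the number of variables PHP accepted
 * for that source; it is not the engine's own counter.
 */
function count_input_leaves(array $input): int
{
    $n = 0;
    array_walk_recursive($input, function () use (&$n): void { $n++; });
    return $n;
}

/**
 * Return the names of the sources whose own leaf count reached $limit.
 * Reaching the limit is treated as "possibly truncated": input that hit
 * the limit exactly cannot be told apart from input that exceeded it.
 */
function sources_at_limit(array $sources, int $limit): array
{
    $hit = [];
    foreach ($sources as $name => $vars) {
        if (count_input_leaves($vars) >= $limit) {
            $hit[] = $name;
        }
    }
    return $hit;
}

// Constructed sample: limit of 1000, half of it in GET and half in POST.
$limit = 1000;
$get = $post = [];
for ($i = 0; $i < 500; $i++) {
    $get["g$i"] = 'x';
    $post["p$i"] = 'x';
}

// Assumption: $_REQUEST is the union of GET and POST (distinct names here).
$combined = count($get + $post);
var_dump($combined > $limit - 1);   // the combined check from the quoted code
var_dump(sources_at_limit(['GET' => $get, 'POST' => $post], $limit));

// In a request handler, with the limit read from the running configuration:
// $hit = sources_at_limit(
//     ['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE],
//     (int) ini_get('max_input_vars')
// );
```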