Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118618
Return-Path: <dev.juan.morales@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33030 invoked from network); 13 Sep 2022 18:36:28 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 13 Sep 2022 18:36:28 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id F38F8180210
	for <internals@lists.php.net>; Tue, 13 Sep 2022 11:36:26 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <dev.juan.morales@gmail.com>
Received: from mail-vs1-f45.google.com (mail-vs1-f45.google.com [209.85.217.45])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Tue, 13 Sep 2022 11:36:26 -0700 (PDT)
Received: by mail-vs1-f45.google.com with SMTP id m65so13405579vsc.1
        for <internals@lists.php.net>; Tue, 13 Sep 2022 11:36:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date;
        bh=Kep75UzBYXsjgLnI2Ddp8nCJIQvmwFMqPXgjveZlxsE=;
        b=h4XSKJsxANgP6wmtqN7uUDTLFNJ2eCaqB5gYtnxPPFlLba2T/5E0TEZzzImaBHuQmO
         OhOzHMWmMEx4P6YNtdKbYyGpbtZj098tcUPyJFXwEv4kmpYFK64InIaWd2Uki/GeTMg3
         jhq88B3W373+6wfaJhhCPce8PLodoxIU5WT6GyzoOenbWWNCIG2//WO846JysuoZjYsM
         rKLJHK/1hFcppgRRuOGUhctY62HYUQkzpMDDhEgh4RjaImAflnnHjMiOrWeI6XOF7QBm
         8z1TdvZz46Y8kJGMKMb0VC/mR2iww4EajjfY1d8S0lNie5GHhqdK+mDwGjcpBCrGtm2E
         4Yog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date;
        bh=Kep75UzBYXsjgLnI2Ddp8nCJIQvmwFMqPXgjveZlxsE=;
        b=IaQHP1zc/l3Fc/l8d8gfz7jqU+ghljc4aDHo+tEAK5jhpg1BIkbJktYqy66LslHW7w
         AadiOYAAlPZZBFAz1dRr9c0RYGQBnXA2AiE0nt1HmgjlAXrP9pgqg4oYBQQUtOiFlMPU
         DB+3tW5xsadOEIEHYd/mJd4aNP+j2zZ4z+/LBMBp5JcQqyLpf+qzuWn0WyQoHF5JuxSf
         o1blM2LXZ1uCJGE8lE80fYxux2RBNM1WuBKfpeO+DS4zVqho2wjFSp7hDw7ZyEnNWWzA
         cRq30WTsweJgFGBMfaYm02atxOBmgML7ZFUeE/SngD8ssAb08XhZsu0FvXRNkVrk40Wn
         3hVQ==
X-Gm-Message-State: ACgBeo37is8GL8ndwgOJR80Xn06o8zIasbriI5nnn5DUv2FbE/JJ/F3M
	6J7sG5E4jQDNDsh7HuTm1Fp0imQL++63DbxorR29jbpx
X-Google-Smtp-Source: AA6agR4nritqaAbKtu3u9LmelTvJ87dQJXa09QJIamvVoXogqZdNaHOyTRGyaavu0eSjWxL8nUMQZalZsqqKula79lE=
X-Received: by 2002:a05:6102:3f55:b0:390:c753:3565 with SMTP id
 l21-20020a0561023f5500b00390c7533565mr11272870vsv.13.1663094185818; Tue, 13
 Sep 2022 11:36:25 -0700 (PDT)
MIME-Version: 1.0
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at> <CANMwmbPWUipG=upLw-3rdO9UovEPDVKSKM+OXfoS4swZCsht=g@mail.gmail.com>
In-Reply-To: <CANMwmbPWUipG=upLw-3rdO9UovEPDVKSKM+OXfoS4swZCsht=g@mail.gmail.com>
Date: Tue, 13 Sep 2022 15:36:15 -0300
Message-ID: <CANMwmbO2hJagwVYB3qFuE1RXezcP0Pkv1RrNmw7r79XPMY-=YA@mail.gmail.com>
To: Mel Dafert <mel@dafert.at>
Cc: PHP Internals List <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000002c7dd905e8934aa5"
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: dev.juan.morales@gmail.com (juan carlos morales)

--0000000000002c7dd905e8934aa5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

El mar., 13 de septiembre de 2022 15:33, juan carlos morales <
dev.juan.morales@gmail.com> escribi=C3=B3:

>
>
> El mar., 13 de septiembre de 2022 14:58, Mel Dafert <mel@dafert.at>
> escribi=C3=B3:
>
>>
>> In summary, I believe this can only be solved inside of PHP itself, by
>> allowing to configure a way for `max_input_vars` to abort the request
>> instead of truncating the input.
>> The options I see feasible are:
>> - A new ini setting `max_input_vars_abort` (default to 0), which, if set
>> to 1, will abort the request if there are more input variables than
>> allowed.
>> - A method to reliably detect whether the input vars were truncated (eg.
>> `function has_post_been_truncated(): bool`), so the application can
>> decide whether to abort or not.
>> - Deciding that `max_input_vars` is not relevant anymore and should be
>> handled by the likes of Apache and NGINX, thus changing the default to
>> `0` and removing the setting
>>      over a deprecation period.
>>
>> I am leaning towards the first option, but would be open to either
>> outcome.
>>
>
>
> We should not delete the ini setting "max_input_vars"... Is a breaking
> change very hard.
>
> I Am in favour of adding More flexibility about how to handle this
> situation... And I also think that options 1 and 2 can coexist smoothly.
>
> I suggest you write and RFC for this and continue the discussion on this
> e-mail list but with the RFC already created.
>


Check this out

https://wiki.php.net/rfc/howto

--0000000000002c7dd905e8934aa5--