Newsgroups: php.internals
From: Côme Chilliet <come@chilliet.eu>
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
Date: Wed, 14 Sep 2022 14:05:32 +0200
Message-ID: <12057621.O9o76ZdvQC@come-prox15amd>
In-Reply-To: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>

Hello,

On Tuesday, 13 September 2022, 19:58:42 CEST, Mel Dafert wrote:
> Hi internals,
>
> I recently ran into issues with the ini setting `max_input_vars`.
> By default, it will truncate input variables in `$_POST` etc. to the
> first 1000, and issue an E_WARNING.

I also ran into this a few years ago and it is really annoying. I agree we
need a reliable way of catching this error.

> In summary, I believe this can only be solved inside of PHP itself, by
> allowing to configure a way for `max_input_vars` to abort the request
> instead of truncating the input.
> The options I see feasible are:
> - A new ini setting `max_input_vars_abort` (default to 0), which, if set
>   to 1, will abort the request if there are more input variables than allowed.
> - A method to reliably detect whether the input vars were truncated (e.g.
>   `function has_post_been_truncated(): bool`), so the application can decide
>   whether to abort or not.
> - Deciding that `max_input_vars` is not relevant anymore and should be
>   handled by the likes of Apache and NGINX, thus changing the default to
>   `0` and removing the setting over a deprecation period.

All 3 solutions seem a nice improvement over the current situation.

Côme
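The truncation check discussed in this thread can be approximated in userland for one case only. The following is an added example, not part of the original message and not PHP's own code. The function name `post_looks_truncated()` is hypothetical, and the counting rule (one input variable per `&`-separated pair of a urlencoded body) is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Best-effort check for max_input_vars truncation of a POST body.
 * Returns true (more pairs than the limit), false (within the limit)
 * or null (cannot tell from userland).
 *
 * Assumption: one input variable is counted per '&'-separated pair of an
 * application/x-www-form-urlencoded body. Limits applied to nested array
 * elements and multipart/form-data bodies are not covered.
 */
function post_looks_truncated(string $rawBody, string $contentType, int $maxInputVars): ?bool
{
    // Media type without parameters such as "; charset=UTF-8".
    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($mediaType !== 'application/x-www-form-urlencoded') {
        // For multipart/form-data the raw body is not available through
        // php://input, so the pairs cannot be counted here.
        return null;
    }
    $body  = rtrim($rawBody, '&');
    $pairs = $body === '' ? 0 : substr_count($body, '&') + 1;
    return $pairs > $maxInputVars;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: 1001 pairs against a limit of 1000.
    $body = http_build_query(array_fill(0, 1001, 'x'));
    var_dump(post_looks_truncated($body, 'application/x-www-form-urlencoded; charset=UTF-8', 1000));
    // Constructed sample input: a multipart request, which cannot be checked.
    var_dump(post_looks_truncated('', 'multipart/form-data; boundary=x', 1000));
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Front-controller use: refuse the request before $_POST is trusted.
    $verdict = post_looks_truncated(
        (string) file_get_contents('php://input'),
        $_SERVER['CONTENT_TYPE'] ?? '',
        (int) ini_get('max_input_vars')
    );
    if ($verdict === true) {
        http_response_code(413);
        exit('Too many input variables');
    }
}
```

The `null` result for multipart bodies is the gap that the options listed in the thread would close inside PHP.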