Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118623
Return-Path: <thomas@nunninger.info>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 92536 invoked from network); 14 Sep 2022 14:44:36 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 14:44:36 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 821C6180384
	for <internals@lists.php.net>; Wed, 14 Sep 2022 07:44:36 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS8560 212.227.0.0/16
X-Spam-Virus: No
X-Envelope-From: <thomas@nunninger.info>
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.13])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 07:44:35 -0700 (PDT)
Received: from [192.168.178.22] ([85.212.30.248]) by mrelayeu.kundenserver.de
 (mreue108 [213.165.67.113]) with ESMTPSA (Nemesis) id
 1N7iGi-1pLCZE0BW6-014maP for <internals@lists.php.net>; Wed, 14 Sep 2022
 16:44:34 +0200
Message-ID: <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
Date: Wed, 14 Sep 2022 16:44:33 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.13.0
Content-Language: en-US
To: internals@lists.php.net
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
In-Reply-To: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:IQKv7kXYVzKkv3DteA1oF8ZS2Ry8rjWcN9WKcpo684xBrTbkrvt
 bNdlYmO6yL5IhlUFDAquH+kr37sDJuX1Ehf6xcsPsVXtkbt1wttpyVl92mGD+cR2MN36dbt
 VR7u8n4GLJ1xJjkbBxbn5kMm2JeRypkCX9L+l+c9CH5aJWsnGt2eb0XvWUxo2BZvx6B70Cc
 NnpihvwzEV3r3RJfCLPZw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:465W2IQmQYA=:ORp6EJmc9unhE2tS+D8m/2
 gVA7LgasasZNmOrhBLUdUjiP7ojFXe0G2wH/iAZ1NBBr3Mzs6Ds4IEvqlhtXzlkHG5kvQ7AYK
 D7qRN/TrY3wki1B4xu3b12MqBKdoqwh8BWyAyFfSk6cJXKFxnag/0HvgByRFhwuo5eWc7W3KR
 YwiHhBu9jESdRoS9smukhVR+WUvKHM0Ffw6LCjK8K7vIyI7+jTPScAG+ROJcQH70EL2e70uhR
 wDhuQjG8SmtTXpwKHa4Tn5dCoP+sswDUso1ZY/2w7EJ2K+c9DVioT73k6Xx6PycHzUCmie5o5
 6hRfoFsvJWvVl+nS6KI5Tllgi4lmrbfbr+8lZg3tvNrjvCuFMDt33XymF9dvp7fokBRX2BVB1
 L8VwbWZoTd53Rc8cmbZcU4UGLRRNLv08DWwDi9EF49BQOUYBNj0FUadyuyVcu3z+CJhwyIC9i
 WcULV/TP9wlhih/eIa6n8TDaS36G5j/7j7LJBLoWj+kXLRrs6bdGE9GyCIuqZhz7HQw86FjPN
 E4JwiL5jGBw5iSbF7cWUdwMpCpVSYbkzUySvP08tMChlh1mKp2A367LMQimZTqmDMkKP8/T+C
 s0CwF5DS4kbe9Dmt/NMFIsMBvKNFqMaeT8/tDd9gRJMigIA/Gd9tpekx2wO0UjgTS1hd3MWcs
 bwxUGwhcqFGtOg3GlCE4B4uJPdGTj3rkj5lVfGC3S8zaqrNjrLJpMTgL0o/As+TzbxlLLndfV
 EFTNBPtGNbNSW7e6Qe66wwj0+TS8TS3/8CUciDZa0NvuhQLQeSKCEt2bkueP+krzK+DZbh9ZF
 F+H4TMMI3R2tw9RcfSW8KYsnNZU+Q==
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: thomas@nunninger.info (Thomas Nunninger)

Hi,

> In summary, I believe this can only be solved inside of PHP itself, by 
> allowing to configure a way for `max_input_vars` to abort the request 
> instead of truncating the input.
> The options I see feasible are:
> - A new ini setting `max_input_vars_abort` (default to 0), which, if set 
> to 1, will abort the request if there are more input variables than 
> allowed.
> - A method to reliably detect whether the input vars were truncated (eg. 
> `function has_post_been_truncated(): bool`), so the application can 
> decide whether to abort or not.
> - Deciding that `max_input_vars` is not relevant anymore and should be 
> handled by the likes of Apache and NGINX, thus changing the default to 
> `0` and removing the setting
>      over a deprecation period.
> 
> I am leaning towards the first option, but would be open to either outcome.

I'd prefer that PHP aborts such requests. Then data loss/inconsistency 
is prevented for everybody and people can fix their applications. (So no 
need for an ini setting that allows acting in "danger mode".)

If you'd like to give developers more options to choose from, I'd go for 
max_input_vars_abort (default 1) plus has_post_been_truncated(): That 
way the behavior is safe from the start. And people who opt in for 
"danger mode" can reliably detect if there was some data loss and can 
deal with it.

Regards
Thomas