Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118626
Return-Path: <mel@dafert.at>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 15218 invoked from network); 14 Sep 2022 17:07:21 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 17:07:21 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id BB2731804A7
	for <internals@lists.php.net>; Wed, 14 Sep 2022 10:07:20 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW,
	SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS8412 83.65.0.0/16
X-Spam-Virus: No
X-Envelope-From: <mel@dafert.at>
Received: from mail02.x-net.at (mail02.x-net.at [83.65.141.138])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 10:07:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by mail02.x-net.at (Postfix) with ESMTP id 37098380056
	for <internals@lists.php.net>; Wed, 14 Sep 2022 19:07:18 +0200 (CEST)
Received: from mail02.x-net.at ([127.0.0.1])
	by localhost (mail02.x-net.at [127.0.0.1]) (amavisd-new, port 10032)
	with ESMTP id fC_n7_9fySf1 for <internals@lists.php.net>;
	Wed, 14 Sep 2022 19:07:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mail02.x-net.at (Postfix) with ESMTP id E2B6A3800B4
	for <internals@lists.php.net>; Wed, 14 Sep 2022 19:07:17 +0200 (CEST)
X-Virus-Scanned: amavisd-new at x-t.at
Received: from mail02.x-net.at ([127.0.0.1])
	by localhost (mail02.x-net.at [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id QqiOUtB6vbOt for <internals@lists.php.net>;
	Wed, 14 Sep 2022 19:07:17 +0200 (CEST)
Received: from [127.0.0.1] (178.115.40.146.wireless.dyn.drei.com [178.115.40.146])
	by mail02.x-net.at (Postfix) with ESMTPSA id B0ED0380056
	for <internals@lists.php.net>; Wed, 14 Sep 2022 19:07:17 +0200 (CEST)
Date: Wed, 14 Sep 2022 19:07:17 +0200
To: internals@lists.php.net
User-Agent: K-9 Mail for Android
In-Reply-To: <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at> <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
Message-ID: <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: mel@dafert.at (Mel Dafert)

On 14 September 2022 16:44:33 CEST, Thomas Nunninger <thomas@nunninger=2Ein=
fo> wrote:
>Hi,
>
>> In summary, I believe this can only be solved inside of PHP itself, by =
allowing to configure a way for `max_input_vars` to abort the request inste=
ad of truncating the input=2E
>> The options I see feasible are:
>> - A new ini setting `max_input_vars_abort` (default to 0), which, if se=
t to 1, will abort the request if there are more input variables than allow=
ed=2E
>> - A method to reliably detect whether the input vars were truncated (eg=
=2E `function has_post_been_truncated(): bool`), so the application can dec=
ide whether to abort or not=2E
>> - Deciding that `max_input_vars` is not relevant anymore and should be =
handled by the likes of Apache and NGINX, thus changing the default to `0` =
and removing the setting
>>  =C2=A0=C2=A0=C2=A0 over a deprecation period=2E
>>=20
>> I am leaning towards the first option, but would be open to either outc=
ome=2E
>
>I'd prefer that PHP aborts such requests=2E Then data loss/inconsistency =
is prevented for everybody and people can fix their applications=2E (So no =
need for an ini setting that allows acting in "danger mode"=2E)
>
>If you'd like to give developers more options to choose from, I'd go for =
max_input_vars_abort (default 1) plus has_post_been_truncated(): That way t=
he behavior is safe from the start=2E And people who opt in for "danger mod=
e" can reliably detect if there was some data loss and can deal with it=2E
>
>Regards
>Thomas
>

That's a fourth option that I had overlooked: Just changing the behaviour =
to always abort, without the option to truncate=2E
This would certainly be acceptable to me=2E
Is there anyone relying on the truncating behavior? It's hard for me to im=
agine such a situation=2E
This question also determines whether this would be acceptable to go into =
8=2E3, or if we would need to wait for 9=2E Is something like this consider=
ed a breaking change?

This reasoning would also affect your second proposal - changing the defau=
lt is similarly a breaking change if there are people relying on it, albeit=
 a little easier to fix=2E

If people think it would be okay, then I would strongly prefer option 4, a=
s then there's no need for bikeshedding on ini settings or new global funct=
ions=2E

Regards,
Mel