Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118629
Return-Path: <larry@garfieldtech.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 24096 invoked from network); 14 Sep 2022 18:38:25 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 18:38:25 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 2A733180547
	for <internals@lists.php.net>; Wed, 14 Sep 2022 11:38:25 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,
	SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.2
X-Spam-ASN: AS29838 64.147.123.0/24
X-Spam-Virus: No
X-Envelope-From: <larry@garfieldtech.com>
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 11:38:24 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
	by mailout.west.internal (Postfix) with ESMTP id DFF3532009DC
	for <internals@lists.php.net>; Wed, 14 Sep 2022 14:38:23 -0400 (EDT)
Received: from imap50 ([10.202.2.100])
  by compute1.internal (MEProxy); Wed, 14 Sep 2022 14:38:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	garfieldtech.com; h=cc:content-transfer-encoding:content-type
	:date:date:from:from:in-reply-to:in-reply-to:message-id
	:mime-version:references:reply-to:sender:subject:subject:to:to;
	 s=fm2; t=1663180703; x=1663267103; bh=e/V7A6XxbfBqIp37f56gU32Sk
	LG6CyOb73s0vH9tlfo=; b=0/ch9n2upZmqmRJB+fdEeaxKqquQXoVA5u9JeYHCv
	7Iq2dJKpUyI41m4mL+XjWSeS9MhL0SVT+BAeh4xL2tnoHSHAtDJhuEV2w8lLab9W
	5hiF5vJO6EfqlPfIr5zIcsWfB7qokhYTp9IZM9ds8QD8EiO4W4Vfa4r4yFRgFYZG
	y95dQnff0tFO5IbXCH6X+fS0dbGsR0OAqcvdS0CB74qrOhZMBoXTYOWR4UJCqUO0
	L1rWpOM4LhpCcFkC1MBpXSXbGt8MFLLDEnlFEX65qZqg8uXRShUjtGTFDZqmVJ1z
	8iq/aPpiuKRK/ef/fon3SyZ/ONFjdp2+J3TEsiAh+ZIiQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:content-type
	:date:date:feedback-id:feedback-id:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:sender
	:subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender
	:x-me-sender:x-sasl-enc; s=fm2; t=1663180703; x=1663267103; bh=e
	/V7A6XxbfBqIp37f56gU32SkLG6CyOb73s0vH9tlfo=; b=LypPKNgM+KN1GlA2h
	fzBRqwVijBmcnomz/gHxH0A0SMStgUBBVBxeiFI5eb87sNTugdFDXUNy/pXeRflg
	HzXP0HMMoULJTaxfYdal6y9PEXc+lTHdietERrdW3nXd7N6xZi2/kpdpMl8PXwyi
	nrUmq1/ndk0shZ3umOWb1+3qtqiHlV0HJMd9I+JfJgOgvYfkOB2ms92+gfs9xnNw
	JsfJfsqFz6BDJgMImbuVYlwt1x/wectuez1gf1uvUt8ZExkA0vkygPgX8k1w57v8
	YLFV6PJMpVNHy5+g0wM5MA0bCwFFymDfh8Lv9A9T3fmeKw7SaGYOliI09pUp9dVx
	rpkmA==
X-ME-Sender: <xms:nx8iY75pkV82pmqFUyE33MhXbdQvWd6jArS3E24bRD0BnacJWamEIg>
    <xme:nx8iYw7WCN1VcEoLQYemtBb95FXwX7O6RtOwljO06RJJSZovZXr59LyOmM3gXRypT
    diMZWP4FRUTEA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfeduiedgudeftdcutefuodetggdotefrod
    ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
    necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd
    enucfjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdfn
    rghrrhihucfirghrfhhivghlugdfuceolhgrrhhrhiesghgrrhhfihgvlhguthgvtghhrd
    gtohhmqeenucggtffrrghtthgvrhhnpeffffffjeffudfggeevvdeitdetvdfgjefffeff
    jeelfeejteevheeghffhvdfgleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh
    epmhgrihhlfhhrohhmpehlrghrrhihsehgrghrfhhivghlughtvggthhdrtghomh
X-ME-Proxy: <xmx:nx8iYycQXH3bzRa2nZdFIyGd8j54brcApBWWQRhulzqdtEfcKwKnWw>
    <xmx:nx8iY8JWjRFkUazz_qdfmM4RySewjlrXueeQlaVHlzx-YNNpNVdOiA>
    <xmx:nx8iY_IAPOjFF5MWUqU_hsPMbC_OQdwvgvlHUmeCk9b-ZtThKkDx0w>
    <xmx:nx8iY6ZrGcA3xFVH-sDogUWNTttvEjtaIYALaFlscEXIZOfusf8XzQ>
Feedback-ID: i8414410d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 22D9F1700083; Wed, 14 Sep 2022 14:38:23 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-935-ge4ccd4c47b-fm-20220914.001-ge4ccd4c4
Mime-Version: 1.0
Message-ID: <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
In-Reply-To: <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
 <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
Date: Wed, 14 Sep 2022 13:37:52 -0500
To: "php internals" <internals@lists.php.net>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: larry@garfieldtech.com ("Larry Garfield")

On Wed, Sep 14, 2022, at 12:07 PM, Mel Dafert wrote:
> On 14 September 2022 16:44:33 CEST, Thomas Nunninger=20
> <thomas@nunninger.info> wrote:
>>Hi,
>>
>>> In summary, I believe this can only be solved inside of PHP itself, =
by allowing to configure a way for `max_input_vars` to abort the request=
 instead of truncating the input.
>>> The options I see feasible are:
>>> - A new ini setting `max_input_vars_abort` (default to 0), which, if=
 set to 1, will abort the request if there are more input variables than=
 allowed.
>>> - A method to reliably detect whether the input vars were truncated =
(eg. `function has_post_been_truncated(): bool`), so the application can=
 decide whether to abort or not.
>>> - Deciding that `max_input_vars` is not relevant anymore and should =
be handled by the likes of Apache and NGINX, thus changing the default t=
o `0` and removing the setting
>>>  =C2=A0=C2=A0=C2=A0 over a deprecation period.
>>>=20
>>> I am leaning towards the first option, but would be open to either o=
utcome.
>>
>>I'd prefer that PHP aborts such requests. Then data loss/inconsistency=
 is prevented for everybody and people can fix their applications. (So n=
o need for an ini setting that allows acting in "danger mode".)
>>
>>If you'd like to give developers more options to choose from, I'd go f=
or max_input_vars_abort (default 1) plus has_post_been_truncated(): That=
 way the behavior is safe from the start. And people who opt in for "dan=
ger mode" can reliably detect if there was some data loss and can deal w=
ith it.
>>
>>Regards
>>Thomas
>>
>
> That's a fourth option that I had overlooked: Just changing the=20
> behaviour to always abort, without the option to truncate.
> This would certainly be acceptable to me.
> Is there anyone relying on the truncating behavior? It's hard for me t=
o=20
> imagine such a situation.
> This question also determines whether this would be acceptable to go=20
> into 8.3, or if we would need to wait for 9. Is something like this=20
> considered a breaking change?
>
> This reasoning would also affect your second proposal - changing the=20
> default is similarly a breaking change if there are people relying on=20
> it, albeit a little easier to fix.
>
> If people think it would be okay, then I would strongly prefer option=20
> 4, as then there's no need for bikeshedding on ini settings or new=20
> global functions.
>
> Regards,
> Mel

I think the key question here is if there is a reasonable action the dev=
eloper could take if an over-sized request came in.  PHP itself can dump=
 that to the log, but is there anything reasonable beyond that the devel=
oper could do, if they could detect it?

And is anyone doing that now?

--Larry Garfield