Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118630
Return-Path: <jordan.ledoux@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 25799 invoked from network); 14 Sep 2022 18:44:35 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 18:44:35 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 1829D1804AA
	for <internals@lists.php.net>; Wed, 14 Sep 2022 11:44:35 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <jordan.ledoux@gmail.com>
Received: from mail-vk1-f174.google.com (mail-vk1-f174.google.com [209.85.221.174])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 11:44:34 -0700 (PDT)
Received: by mail-vk1-f174.google.com with SMTP id b81so7934033vkf.1
        for <internals@lists.php.net>; Wed, 14 Sep 2022 11:44:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date;
        bh=XjejvAtPBTuQa3ARRmp1iLEcAEJwp9XAhVr9+ldwn6s=;
        b=RiVLqaevA2dpmufku1FkJteKcIB+/eikSZuUg87+FAVDIbMuwWPYD9v8773UgQkdhd
         rmlWphtc7D2e52LaoLxdKZoprIgEYuyTG0ryQAjwf6Rw7cC3DEsdKQPBmJb2HmTkn3iU
         +IaLXEP4vmmktmULFVro7FYOGfk2gMt9hMgXLTPCsWdk0SwlPZqvDMjQSYiQiJxmGCfq
         XUl6Y8R46SidqFdjDphBBurCUmf2/rsjf4sks7VeigObGnOa9ILUmMGXlBZOiieTUYhk
         NqgXLzEuQS0UkHWXVZNDLF3bPxFAJrZrr9ozHfTASfX3JPQeJB02/VngTUKpU4kDfiha
         bpxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date;
        bh=XjejvAtPBTuQa3ARRmp1iLEcAEJwp9XAhVr9+ldwn6s=;
        b=vlGhtYmSYdRK3/ddfvJjiWucoBwzjndwlhlvZghgMy6qVAHJrO3vWaOb39LpI2FaEQ
         UsdDBTrpPXXy0GMr/GJrvL4xv5+0DNvNWjSRBV+filVAeFyq4UPflGVeuS+HFu63Kckm
         RgczyL/3axPuMbfshMz9JlvjqE9HbLK3jWygPkU9jH29tC47gkCElI7qcBRvBlNYoU+4
         RF0e2wD2mBms6zvMPMUbIR4B/QQiAdXorESzmomRsdmUh8CU2wWMC8/MUgx0aUYumh6C
         qh36m/bkFLI8ZwY2iIR+/tcyKWJVZnQN12W0GL3sKwj9lKOki3kYTJ8gZWpNW/GW+5cd
         0Muw==
X-Gm-Message-State: ACgBeo0N6iGJ4GbqvgQHGXgvm0TZPmXzVtRJ0xt1oZwRNtc03BqIQV2C
	G6siPI02pOfAcJ0d+4JC5HXosAFpRqsxWhhTcck=
X-Google-Smtp-Source: AA6agR4ixn0P2wmKOHbWt+IZBYqqB4DJLdePtqRwVIV/EOpxyTs1RA8axGgO+IFzWO8rqcUn7RX68ZGstp6g5uUQBbs=
X-Received: by 2002:a1f:2ed8:0:b0:3a2:a7f:3e9e with SMTP id
 u207-20020a1f2ed8000000b003a20a7f3e9emr7759399vku.7.1663181073538; Wed, 14
 Sep 2022 11:44:33 -0700 (PDT)
MIME-Version: 1.0
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info> <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
 <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
In-Reply-To: <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
Date: Wed, 14 Sep 2022 11:44:23 -0700
Message-ID: <CAMrTa2EKkDER30fkpinOgKkHMLTH-QgPEZai0u-9VfTon9c_1A@mail.gmail.com>
To: Larry Garfield <larry@garfieldtech.com>
Cc: php internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000015e3ce05e8a7856f"
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: jordan.ledoux@gmail.com (Jordan LeDoux)

--00000000000015e3ce05e8a7856f
Content-Type: text/plain; charset="UTF-8"

On Wed, Sep 14, 2022 at 11:38 AM Larry Garfield <larry@garfieldtech.com>
wrote:

>
> I think the key question here is if there is a reasonable action the
> developer could take if an over-sized request came in.  PHP itself can dump
> that to the log, but is there anything reasonable beyond that the developer
> could do, if they could detect it?
>
> And is anyone doing that now?
>
> --Larry Garfield
>
>
Honestly, another question I'm thinking about at the moment is whether it's
possible to construct an attack against known script behavior if you also
are able to determine the ini config at which partial form data would make
it to the script with the script thinking it has full form data. To be
clear, I haven't been able to think of one, but I also recognize that I'm
not nearly as clever at those sorts of things as some attackers are.

I suppose that would depend on both the form and the script though.

Jordan

--00000000000015e3ce05e8a7856f--