Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118631
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 30897 invoked from network); 14 Sep 2022 19:33:56 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 19:33:56 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id BFFDA180544
	for <internals@lists.php.net>; Wed, 14 Sep 2022 12:33:55 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 12:33:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1663184031;
	bh=MF2R97bza/SKuJnuDt2grIGHEpnJFMdvH+h02n3e9qg=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=gU8Gr6/0CdarwsQBAm+6hAv9TzPkJl0/lPzbRC8t6NAZcC/S82kc2kFm1bygQh10n
	 /9EQTL+heML46DGyhTVfKuYXDUYVqdDUBfWzX8zs2e+1aepYZkhr0YnN67t0bgv2dk
	 FyOzs4h8HZkCsfKmkUzhXX2UDoKoiveUBNTx+Olf/a66PtwfwveTgSSwaG2AaqMvOl
	 W3QimwPiCI91oB2kBfwbLIil56GxPZDbUXDD0qGe5v64xGzGOceSFIa6QNW8kYHDyw
	 nqB6aaZsPPQJ03JB8d/sckhynrzC2pgxO6CzJ0VbKJJ/M1lKgucKZskdDWGWzrl9AU
	 I2yWye6dxVWlw==
Message-ID: <a82a0fce-2a37-8187-b028-52f989557a2e@bastelstu.be>
Date: Wed, 14 Sep 2022 21:33:49 +0200
MIME-Version: 1.0
Content-Language: en-US
To: Jordan LeDoux <jordan.ledoux@gmail.com>,
 Larry Garfield <larry@garfieldtech.com>
Cc: php internals <internals@lists.php.net>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
 <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
 <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
 <CAMrTa2EKkDER30fkpinOgKkHMLTH-QgPEZai0u-9VfTon9c_1A@mail.gmail.com>
In-Reply-To: <CAMrTa2EKkDER30fkpinOgKkHMLTH-QgPEZai0u-9VfTon9c_1A@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/14/22 20:44, Jordan LeDoux wrote:
> Honestly, another question I'm thinking about at the moment is whether it's
> possible to construct an attack against known script behavior if you also
> are able to determine the ini config at which partial form data would make
> it to the script with the script thinking it has full form data. To be
> clear, I haven't been able to think of one, but I also recognize that I'm
> not nearly as clever at those sorts of things as some attackers are.

Maybe I misunderstood what you are thinking about, but can't you just … 
not send all the fields to achieve exactly the same results as an attacker?

Best regards
Tim Düsterhus