Newsgroups: php.internals
Date: Wed, 14 Sep 2022 12:38:42 -0700
Message-ID: <CAMrTa2Fd7Lu59nOY_SHDkTvg19kn-kf=+ZoU51AgL8cXvD-mMQ@mail.gmail.com>
To: Tim Düsterhus <tim@bastelstu.be>
Cc: Larry Garfield <larry@garfieldtech.com>, php internals <internals@lists.php.net>
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: jordan.ledoux@gmail.com (Jordan LeDoux)

On Wed, Sep 14, 2022 at 12:33 PM Tim Düsterhus <tim@bastelstu.be> wrote:

> Hi
>
> On 9/14/22 20:44, Jordan LeDoux wrote:
> > Honestly, another question I'm thinking about at the moment is whether it's
> > possible to construct an attack against known script behavior if you also
> > are able to determine the ini config at which partial form data would make
> > it to the script with the script thinking it has full form data. To be
> > clear, I haven't been able to think of one, but I also recognize that I'm
> > not nearly as clever at those sorts of things as some attackers are.
>
> Maybe I misunderstood what you are thinking about, but can't you just …
> not send all the fields to achieve exactly the same results as an attacker?
>
> Best regards
> Tim Düsterhus
>

Yes, probably. That's why I was saying, I know I'm not as clever with that
space. I think those would be equivalent cases, but I'm not sure if there
are any edge cases there either. Maybe that thought wasn't appropriate for
the ML, since I'm not suggesting there is a problem, I'm mostly just
wondering if someone with more expertise can confirm that it isn't an issue.

Jordan
