Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118634
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35679 invoked from network); 14 Sep 2022 19:55:22 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 19:55:22 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 1E1941804FF
	for <internals@lists.php.net>; Wed, 14 Sep 2022 12:55:22 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 12:55:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1663185320;
	bh=LVTRfDpxRo8A93d+zersswMVl0kLZ8XUGGIj5NK55jU=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=B2c4Z0Mpzpo0wwXOdc/fau8IQiQYNrl0eqZjjeQy1rHMUbQZ7YLq0+aOZR2xXdtRw
	 htZnbwcpUJOLyR0WIza2rbeWNvfPyWakI97LvCXpocDYqL0lhRhPgenvo7ezzi7v/f
	 xLSk07PfBaitRIyiauqEM0L5uv4XjpXLoXzAgYmFzQwTizEItSO52fNMZoYMBFpBDn
	 xO3U5RSbycyVe5dw8/itiBhASl0uiiplgpPLaXO8WZi3bQ+unsPTuK3ZvyAWLqtvHa
	 Y8JQm5VkkA8kQVV5SvRskXpUbA+2wT5GPSN4c0hGLqQI1HSbglFT2fPqwJ9tTdZJzP
	 2P+W/0LYyfS5Q==
Message-ID: <a7544016-5520-2598-06ec-5715064d84ba@bastelstu.be>
Date: Wed, 14 Sep 2022 21:55:19 +0200
MIME-Version: 1.0
Content-Language: en-US
To: Jordan LeDoux <jordan.ledoux@gmail.com>
Cc: Larry Garfield <larry@garfieldtech.com>,
 php internals <internals@lists.php.net>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
 <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
 <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
 <CAMrTa2EKkDER30fkpinOgKkHMLTH-QgPEZai0u-9VfTon9c_1A@mail.gmail.com>
 <a82a0fce-2a37-8187-b028-52f989557a2e@bastelstu.be>
 <CAMrTa2Fd7Lu59nOY_SHDkTvg19kn-kf=+ZoU51AgL8cXvD-mMQ@mail.gmail.com>
In-Reply-To: <CAMrTa2Fd7Lu59nOY_SHDkTvg19kn-kf=+ZoU51AgL8cXvD-mMQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/14/22 21:38, Jordan LeDoux wrote:
> the ML, since I'm not suggesting there is a problem, I'm mostly just
> wondering if someone with more expertise can confirm that it isn't an issue.
> 

As indicated by the phrasing in my previous email, this knowledge does 
not enable an attacker to do anything that they wouldn't be able to do 
otherwise. I would also expect that at least the value of the INI 
setting is going to be the default value of 1000 for the vast majority 
of installations out there.

This is primarily an issue of user experience: A user's input data might 
not be correctly processed without the user or the PHP application being 
aware of it.

This incorrect processing might have security implications, e.g. when an 
application uses checkboxes to remove users from a group with elevated 
permissions, the admin checks more than 1000 users and the application 
does not remove the excess users from the group, despite the user making 
extra sure to double check that they checked all the users.

Thus to answer Larry's question, a reasonable action the script could 
take is: Show a non-technical well-styled error message to the human, 
instead of aborting the request with a 500 or silently causing "data 
corruption".

Best regards
Tim Düsterhus