Newsgroups: php.internals
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: mel@dafert.at (Mel Dafert)
To: internals@lists.php.net
Date: Wed, 14 Sep 2022 21:58:54 +0200
Message-ID: <7B9B123B-47D9-4D7E-B6EF-FD297D3A71CB@dafert.at>
In-Reply-To: <9e222608-b142-0b54-5efe-812daeb8780c@bastelstu.be>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at> <9e222608-b142-0b54-5efe-812daeb8780c@bastelstu.be>

On 14 September 2022 21:39:36 CEST, "Tim Düsterhus" wrote:
>Hi
>
>On 9/13/22 19:58, Mel Dafert wrote:
>> - Deciding that `max_input_vars` is not relevant anymore and should be
>> handled by the likes of Apache and NGINX, thus changing the default to
>> `0` and removing the setting
>>     over a deprecation period.
>
>This would be my preferred option, but my understanding is that the limit still is relevant to protect against attacks on the hash table implementation. The web server can't really protect against this type of attack, because the payload required to execute the attack is fairly small. Protecting against the attack without some arbitrary cut-off limit would require making the hash algorithm used for the superglobals dependent on a randomly generated per-request seed value. I can't comment on how easy or hard that would be to change, but I believe that this should be the ultimate goal here. It's also what other programming languages do.
>
>Best regards
>Tim Düsterhus

Thank you, this makes a lot of sense to me.
I assume that this rules out that option, at least for now, unless someone makes the relevant changes to the hashing.

But this also means that aborting the request would be just as effective at protecting against such an attack as truncating.
Would aborting instead of truncating introduce any new attack surface?
The only thing I could think of would be a DoS vector, but I believe there are a lot of ways you can get a server to instantly abort your request...

Regards,
Mel
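The following is an added illustration, not code from this thread or from php-src, written in Python because it models the concepts rather than PHP's own engine. It shows the two defences the exchange above compares: a `max_input_vars`-style cap on the number of parsed input variables, with the existing truncate behaviour beside the proposed abort behaviour, and a keyed bucket hash seeded with per-request random bytes, so that which keys share a bucket cannot be precomputed by the client. The names `parse_query`, `bucket_index`, `bucket_histogram`, `new_request_seed` and `TooManyInputVars` are this example's own assumptions; the sample query string is constructed.

```python
# Added example, not from the thread or from php-src. Models two defences
# discussed above: a max_input_vars cap (truncate vs abort) and a keyed,
# per-request-seeded bucket hash. Function and class names are this
# example's own inventions.
import hashlib
import os
from collections import Counter
from urllib.parse import unquote_plus


class TooManyInputVars(ValueError):
    """Raised when abort-on-limit is chosen and the request exceeds the cap."""


def parse_query(qs: str, max_input_vars: int = 1000, abort: bool = False) -> dict:
    """Parse 'a=1&b=2&...' into a dict, enforcing a max_input_vars cap.

    abort=False mirrors PHP's current behaviour: surplus variables are
    dropped (truncation). abort=True rejects the whole request instead,
    the alternative proposed in the thread. Either way the parser never
    inserts more than max_input_vars keys, which bounds the work the
    hash table can be made to do.
    """
    result: dict = {}
    seen = 0
    for pair in qs.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_input_vars:
            if abort:
                raise TooManyInputVars(
                    f"request has more than {max_input_vars} input variables")
            break  # truncate: ignore the rest of the query string
        key, _, value = pair.partition("=")
        result[unquote_plus(key)] = unquote_plus(value)
    return result


def new_request_seed() -> bytes:
    """Fresh random seed per request; never derived from client-controlled data."""
    return os.urandom(16)


def bucket_index(key: str, seed: bytes, nbuckets: int = 64) -> int:
    """Bucket for a key under a keyed hash (BLAKE2b with the seed as MAC key).

    Because the seed is unknown to the client, which keys collide cannot be
    predicted in advance, so a precomputed list of colliding names does not
    degrade the table. An unkeyed hash gives the same bucket on every
    request, which is the property the max_input_vars cap compensates for.
    """
    digest = hashlib.blake2b(key.encode("utf-8"), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % nbuckets


def bucket_histogram(keys, seed: bytes, nbuckets: int = 64) -> Counter:
    """How many keys land in each bucket under a given seed."""
    return Counter(bucket_index(k, seed, nbuckets) for k in keys)


if __name__ == "__main__":
    # Constructed sample request: 2000 distinct variables, cap of 1000.
    qs = "&".join(f"k{i}={i}" for i in range(2000))
    print("truncated to", len(parse_query(qs, max_input_vars=1000)), "variables")
    try:
        parse_query(qs, max_input_vars=1000, abort=True)
    except TooManyInputVars as exc:
        print("aborted:", exc)
    keys = [f"k{i}" for i in range(1000)]
    print("fullest buckets this request:",
          bucket_histogram(keys, new_request_seed()).most_common(3))
```

Run it twice and the `most_common` output changes between runs while the cap behaves identically: the seed, not the key names, decides bucket placement, which is the property Tim describes as the ultimate goal, while the cap is the cut-off that stands in for it today. Truncation and abort differ only in what the application sees afterwards (a silently shorter set of variables versus a rejected request); the amount of hashing work each allows is the same.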