Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118636
Return-Path: <tim@bastelstu.be>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 39332 invoked from network); 14 Sep 2022 20:17:02 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 14 Sep 2022 20:17:02 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id AE51318050B
	for <internals@lists.php.net>; Wed, 14 Sep 2022 13:17:01 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
	T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS24940 176.9.0.0/16
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 14 Sep 2022 13:17:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1663186619;
	bh=M6BNXqE1VktokFnCdTFfCeN/wPQSAc1dC7iEMC4q+OI=;
	h=Date:Subject:To:References:From:In-Reply-To:From;
	b=UZ1jWBq1WydFw8Xt8DVrh7RRmvRuskGjRLKZqGeuRv819XhwKz9ytmtFH8T5m3lE+
	 EQZLzi5foF9M97v6Wc9DRra+SO2/L5IQZNWNP/O3eIlM+zVKuPGoR5/kNDHDNnsRxB
	 q9CsgeqzfC/uvb6Ws2YxS2x6lKTn1CWR7iDpTBO/u+QtxEaLy9zs9/m7ylF9PI7lI5
	 tbiwpHXDjGJEayFw/I3OYYE4XJXmqY9lKqhPQVu2M2gevjHUipWLlxPjf5kJzGHGRq
	 9J2Plzn2J6cG9yXe6KM4MK2moD89/1nVNY689CzQiIsj8PYWnCCGF0ln+qi+xjAWsH
	 BwpvOm81KuvyQ==
Message-ID: <43203091-7b29-fdcf-9811-2206b22ff867@bastelstu.be>
Date: Wed, 14 Sep 2022 22:16:58 +0200
MIME-Version: 1.0
Content-Language: en-US
To: Mel Dafert <mel@dafert.at>, internals@lists.php.net
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <9e222608-b142-0b54-5efe-812daeb8780c@bastelstu.be>
 <7B9B123B-47D9-4D7E-B6EF-FD297D3A71CB@dafert.at>
In-Reply-To: <7B9B123B-47D9-4D7E-B6EF-FD297D3A71CB@dafert.at>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)

Hi

On 9/14/22 21:58, Mel Dafert wrote:
> Thank you, this makes a lot of sense to me.
> I assume that this rules out that option, at least for now, unless someone makes the relevant changes to the hashing.

You are assuming correctly. That limit was specifically introduced to 
protect against this attack and is specifically documented as such in 
https://www.php.net/manual/en/info.configuration.php#ini.max-input-vars:

 > Use of this directive mitigates the possibility of denial of service 
attacks which use hash collisions.

It *might* be feasible to raise the default value nowadays, because of 
increased processing power moving the point where it "gets bad" further 
upwards.

-----

> But this also means that aborting the request would be just as effective at protecting such an attack as truncating.

Yes. It might or might not be worse with regard to user experience, 
though (not that the truncating behavior is any good either). See also 
my reply to Jordan's email.

> Would aborting instead of truncating introduce any new attack surface?

I don't see how that would add to the attack surface if implemented 
correctly.

> The only thing I could think of would be a DoS vector, but I believe there are a lot of ways you can get a server to instantly abort your request...

If you are only able to abort processing of your own request, then it's 
not even a DoS vector, as you don't affect other users and processing a 
regular request certainly is going to be more expensive on the server 
(database connections and similar) compared to aborting before your 
script starts executing.

Best regards
Tim Düsterhus