Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:118647
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 43075 invoked from network); 17 Sep 2022 11:14:59 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 17 Sep 2022 11:14:59 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 88362180210
	for <internals@lists.php.net>; Sat, 17 Sep 2022 04:14:56 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Sat, 17 Sep 2022 04:14:56 -0700 (PDT)
Received: by mail-wr1-f43.google.com with SMTP id t7so39829361wrm.10
        for <internals@lists.php.net>; Sat, 17 Sep 2022 04:14:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=references:to:cc:in-reply-to:date:subject:mime-version:message-id
         :from:from:to:cc:subject:date;
        bh=j/oSB4opC9lvppv8m9J0JIJZsOpDSVS1UDB6DZIDxfQ=;
        b=aJJVqC+KlA9yTvUjFdBLF/iVk235fBdhG+9+6v0cCjbwP9YPrRLVaYvKaYm7+Rn6qO
         VLBhnmWU/p7wR8M6meoIIYyr4Zz1ihcnk+2Zz5J2JXgOYxCA5nOKS2oJ9OjJk62IphjG
         DfB1hWHmp2iWO0Jx+AAwm7X2/yLb4pMOA/lRE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=references:to:cc:in-reply-to:date:subject:mime-version:message-id
         :from:x-gm-message-state:from:to:cc:subject:date;
        bh=j/oSB4opC9lvppv8m9J0JIJZsOpDSVS1UDB6DZIDxfQ=;
        b=zJ4GNev1EerYkgvAcLFgY/Bsw4KBSz64DSUh14BR5t4nuRhzrn2b6GXIoQ/cPdI3zb
         9Je+dFcFX7l6/MxC5JluouOTtDey5bdny1m6Rbu8zSJIguZBcw5GSOcaAe4oARJeEuJr
         WhfUyI7EW24YjbQELJIYzeyHyxYHBuORODsAf8XFdoYNu/4XQCjKmHhvySNEeLAGMLJR
         bftEXqBpB4HJOok/d1BN46G1uk9db7VPYb/TNOj7XiEUt2SKbca3GnvSf+sijspiv4Jz
         tUosFUI8rUxJwl075a/ayqIhjJwCHhvufkyqUazpwL2m00Y+XiErw9xiFrcPKqNsJaSJ
         wlBQ==
X-Gm-Message-State: ACrzQf0OMXFK1SCjOCxTV5tfTbaG62+DRAZJy7GF+TWofoYOSYL+0esB
	GBlkZA3UWX+q5VAT9HFoJhqw82yssznu+MRO
X-Google-Smtp-Source: AMsMyM6dmDVQF+BZ/B9hH9RaIXN9erZHH+U5JiJOfGdDPN4AWTxgK9C6GzLQSutx6SMJz6CdHLF0tQ==
X-Received: by 2002:a5d:4444:0:b0:22a:2a64:a0fd with SMTP id x4-20020a5d4444000000b0022a2a64a0fdmr5517032wrr.293.1663413294714;
        Sat, 17 Sep 2022 04:14:54 -0700 (PDT)
Received: from smtpclient.apple ([92.234.79.97])
        by smtp.gmail.com with ESMTPSA id 7-20020a05600c228700b003a604a29a34sm5544442wmf.35.2022.09.17.04.14.53
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 17 Sep 2022 04:14:53 -0700 (PDT)
Message-ID: <6722BFBE-84F7-4A6F-AA9F-4C5012251FBF@craigfrancis.co.uk>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2F51738D-8379-42C5-9E8E-09F7898AFD4B"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Sat, 17 Sep 2022 12:14:48 +0100
In-Reply-To: <a7544016-5520-2598-06ec-5715064d84ba@bastelstu.be>
Cc: php internals <internals@lists.php.net>
To: =?utf-8?Q?Tim_D=C3=BCsterhus?= <tim@bastelstu.be>
References: <8479bc9a-6ed6-0cf1-c727-123e2b87a8d6@dafert.at>
 <7e250e89-c18e-9e1a-222a-60521dd2babb@nunninger.info>
 <DEC09231-FDEB-4EDC-A8F3-B9F714112480@dafert.at>
 <6aa89b49-fde5-4779-94e4-97b8b856d02e@www.fastmail.com>
 <CAMrTa2EKkDER30fkpinOgKkHMLTH-QgPEZai0u-9VfTon9c_1A@mail.gmail.com>
 <a82a0fce-2a37-8187-b028-52f989557a2e@bastelstu.be>
 <CAMrTa2Fd7Lu59nOY_SHDkTvg19kn-kf=+ZoU51AgL8cXvD-mMQ@mail.gmail.com>
 <a7544016-5520-2598-06ec-5715064d84ba@bastelstu.be>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Subject: Re: [PHP-DEV] Error behaviour for max_input_vars
From: craig@craigfrancis.co.uk (Craig Francis)

--Apple-Mail=_2F51738D-8379-42C5-9E8E-09F7898AFD4B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

On 14 Sep 2022, at 20:55, Tim D=C3=BCsterhus <tim@bastelstu.be> wrote:
> As indicated by the phrasing in my previous email, this knowledge does =
not enable an attacker to do anything that they wouldn't be able to do =
otherwise.


One possibility... when you say the attacker is able to "not send all =
the fields", would that be via injecting malicious JavaScript? which =
would hopefully be blocked via the websites Content Security Policy?... =
a different approach could use a simple XSS within the <form>, and =
injecting ~995 hidden <input> fields:

```
<form action=3D"/user/edit" method=3D"post">
  [...]
  <input type=3D"hidden" name=3D"xss[]" />
  <input type=3D"hidden" name=3D"xss[]" />
  <input type=3D"hidden" name=3D"xss[]" />
  [...]
  <label>
    <input type=3D"checkbox" name=3D"group_delete[]" value=3D"1" />
    Remove from Group 1
  </label>
  [...]
</form>
```

Craig=

--Apple-Mail=_2F51738D-8379-42C5-9E8E-09F7898AFD4B--