Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:125925 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 4851F1A00BD for ; Thu, 7 Nov 2024 16:40:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1730997787; bh=cXo6tOpmkl5G2oQwOlJUiywIFPLGIvZ/ZHWq6JWqMME=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=KTeWQKdXbdCsfTY8coE5i79WPdSP6WAD5vgwubDemwCl+FSM0MHV5O6AbJD2vCUJZ 4FmRVB5ZaHCeLJ2w4P/MSCt25pguffxcApTLyXPnkdP5ife2uDKJwr9vrV9HU/fj8w bomuRvEjumunbbilF4DySNS2APEuzemEhYif6VLbEIxG2OVdR11LMztyWwJyAXiX1a Ol0xMDhxQApH6fVqFkNiuEn504lqwk+1E3CIVrPcjUaLxbzip4XEeCF0yU/iJofidJ 3V4t/ICUUbyFD3d+aD8FsDg2nH3XUlk6SnxyZTdQqXlL+8ztKUB2E8MrZKsWXp5DV9 DsF1UsERzKxNQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id B1DB0180061 for ; Thu, 7 Nov 2024 16:43:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: *** X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_PASS, SPF_SOFTFAIL autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from xdebug.org (xdebug.org [82.113.146.227]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 7 Nov 2024 16:43:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1730997632; bh=cXo6tOpmkl5G2oQwOlJUiywIFPLGIvZ/ZHWq6JWqMME=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=ebSZ+QjbHoTItT+fQMeD5YmF/DU1U75H7IdCEUs/osR6hNBxfaVDFkdecZ3YofJ// x8H7YERV7rgSFLToO2IglEKZpecosr4/NXPjw234yW0MfsvorlKCmzjohszbUHTIG8 Kvxcg6ofYviG3bCD+ViQLk8WSr10j0C6fN2yEY+3HGkQrb1lazU3Mgygo7Wfz1Jf/p y3SZ27U6X/DIZY6KQnVd1bx/SECgcfywVQo7kLn9LzLZ0AgBLbQKarSVZsA+mgE16r 3SRgxlyvIJcbBhG0cM1Mt2332FtKv23MRibo+91lJQbrKVUEFCOE0+q8NxBbhHgGqv rtlZfrk4+9Xhw== Received: from localhost (localhost [IPv6:::1]) by xdebug.org (Postfix) with ESMTPS id 836A010C03E; Thu, 07 Nov 2024 16:40:32 +0000 (GMT) Date: Thu, 7 Nov 2024 16:40:32 +0000 (GMT) To: jvoisin cc: internals@lists.php.net Subject: Re: [PHP-DEV] Proposal: restrict the number of filters In-Reply-To: <20aff36d-83de-482d-8d78-496a959c2a3e@dustri.org> Message-ID: <8829f92a-e19a-8109-f402-556ee7dc73c4@php.net> References: <20aff36d-83de-482d-8d78-496a959c2a3e@dustri.org> Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII From: derick@php.net (Derick Rethans) On Thu, 7 Nov 2024, jvoisin wrote: > The easiest way to kill this vector is to simply limit the number of > filters that can be chained, as attacks require a at least a couple of > them, while legitimate use usually use one or two tops, as highlighted > by arnaud-lb's analysis: > https://github.com/php/php-src/pull/16699#issuecomment-2462281938 > > I sent a pull-request to implement this: > https://github.com/php/php-src/pull/16699 > > What do y'all think about this? I am not a fan of hardcoding arbitrary limits, or having an ini setting for such a limit. I especially think that the suggested limit of 5, or even 3, is not a good idea. The example that the issue links to to fix a vulnaribility in is: include $_GET['page']; Which is... yeah. cheers, Derick -- https://derickrethans.nl | https://xdebug.org | https://dram.io Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support mastodon: @derickr@phpc.social @xdebug@phpc.social