Newsgroups: php.internals
Date: Sat, 09 May 2026 15:16:57 +0200
From: sjoerd-php@linuxonly.nl ("Sjoerd Langkemper")
To: internals@lists.php.net
Subject: [PHP-DEV] Hardening PHP against filter chain attacks

I am working on some things to harden PHP against filter chain attacks:

• PHP RFC: Limit maximum number of filter chains
• Dechunk incorrectly truncates string when it starts with a hex character

Filter chains use php://filter/ URLs with many filters, which are useful in several attacks, described in the RFC. I propose to limit the number of filters, and make the dechunk filter less useful for attacks. Please let me know what you think about this.

Regards,

Sjoerd Langkemper
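An application-level analogue of the cap the e-mail proposes, as an added example that is not code from the message, the RFC or the PHP source tree: it parses a php://filter URL into its filter list and refuses the read when the chain is longer than a limit, so the filters never run. The function names, the limit of 8, and the temporary file used as the resource are assumptions chosen for illustration; the chain syntax (read=/write= segments separated by "/", filters separated by "|", resource= last) is the documented php://filter form.

```php
<?php
declare(strict_types=1);

// Added example, not part of the e-mail or the RFC. Function names and the
// limit of 8 are illustrative assumptions.

/**
 * Count the filters in a php://filter URL.
 * Syntax: php://filter/[read=|write=]f1|f2/[read=|write=]f3/resource=<path>
 * Returns 0 for any path that is not a php://filter URL.
 */
function countPhpFilters(string $path): int
{
    // Wrapper names are case-insensitive, so match "PHP://FILTER/" too.
    if (stripos($path, 'php://filter/') !== 0) {
        return 0;
    }
    $spec = substr($path, strlen('php://filter/'));

    // Everything before "resource=" is the filter specification.
    $resourcePos = stripos($spec, 'resource=');
    $chainSpec   = $resourcePos === false ? $spec : substr($spec, 0, $resourcePos);

    $count = 0;
    foreach (explode('/', $chainSpec) as $segment) {
        // A segment is "read=a|b", "write=a|b" or bare "a|b" (applied to both).
        $segment = preg_replace('/^(read|write)=/i', '', $segment);
        foreach (explode('|', $segment) as $filter) {
            if (trim($filter) !== '') {
                $count++;
            }
        }
    }
    return $count;
}

/**
 * Read a path, refusing php://filter chains longer than $maxFilters.
 * The check happens before any stream is opened, so an oversized chain
 * is rejected without executing a single filter.
 */
function readWithFilterCap(string $path, int $maxFilters = 8): string
{
    $n = countPhpFilters($path);
    if ($n > $maxFilters) {
        throw new InvalidArgumentException(
            "refusing php://filter chain with $n filters (limit $maxFilters)"
        );
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("could not read $path");
    }
    return $data;
}

// Demo on a constructed input: a small temp file, a benign two-filter chain,
// then a chain shaped like the attack payloads (many stacked convert.iconv
// steps in front of an encoder).
$tmp = tempnam(sys_get_temp_dir(), 'fc');
file_put_contents($tmp, 'hello');

$benign = 'php://filter/read=string.toupper|convert.base64-encode/resource=' . $tmp;
echo countPhpFilters($benign), ' filters, output: ', readWithFilterCap($benign), PHP_EOL;

$oversized = 'php://filter/'
    . implode('|', array_fill(0, 40, 'convert.iconv.UTF8.UTF8'))
    . '|convert.base64-encode/resource=' . $tmp;
try {
    readWithFilterCap($oversized);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

unlink($tmp);
```

The guard counts filters only; it does not validate their names or arguments, because the point of the proposed limit is that chain length, not any single filter, is what the attacks depend on. A wrapper like this protects only the call sites an application routes through it; any other stream function reachable with an attacker-controlled path still accepts the full chain, which is why the e-mail proposes putting the cap in the engine.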