Newsgroups: php.internals
Date: Thu, 16 Dec 2010 13:32:15 +0100
From: Pierre Joye <pierre.php@gmail.com>
To: Gustavo Lopes
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [PATCH] Add option to disable POST data processing

hi,

The more I look at this option, the more I think it is confusing. I'm not sure the gain is worth this confusion either.

However, I would prefer to bring back a proposal we had a couple of years ago: to totally disable post data. When disabled, the POST data will be totally ignored, no matter if php://input, raw data or whatever other ways we may have to access it. The data given by the server/SAPI will be ignored.

This option has the benefit of being very simple, and it solves one known attack vector in a very clean way.

Cheers,

On Thu, Dec 9, 2010 at 9:37 PM, Gustavo Lopes wrote:
> On Tue, 07 Dec 2010 07:08:34 -0000, Gustavo Lopes wrote:
>
>> The very simple attached patch adds an option to disable POST data
>> processing, which implies the data can only be read in a stream fashion
>> through php://input.
>
> I've committed to trunk the patch with the name of the ini option changed
> from disable_post_data_processing to enable_post_data_reading.
>
> --
> Gustavo Lopes

--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
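As an added example (not code from the thread or from the committed patch), this is what a request handler looks like under the setting Gustavo describes: with enable_post_data_reading turned off, PHP leaves $_POST and $_FILES empty and the body is only reachable as a stream through php://input, so the script decides for itself how much to read and how to decode it. The byte cap, field cap and helper names are this example's own choices.

```php
<?php
// Added example, not from the thread. Assumes php.ini contains
//     enable_post_data_reading = Off
// (the directive cannot be changed at runtime with ini_set). With it off,
// PHP does not parse the request body: $_POST and $_FILES stay empty and
// the only way to reach the data is the php://input stream.

const MAX_BODY_BYTES = 65536;   // hard cap chosen for this example
const MAX_FIELDS     = 100;     // field cap chosen for this example
const READ_CHUNK     = 8192;

/**
 * Read the raw body from php://input, never buffering more than $maxBytes.
 * Returns the body, or null when the request is refused.
 */
function read_bounded_body(int $maxBytes = MAX_BODY_BYTES): ?string
{
    // Refuse early when the client declares a body larger than the cap.
    if (isset($_SERVER['CONTENT_LENGTH']) && (int) $_SERVER['CONTENT_LENGTH'] > $maxBytes) {
        return null;
    }
    $in = fopen('php://input', 'rb');
    if ($in === false) {
        return null;
    }
    $body = '';
    while (!feof($in)) {
        $chunk = fread($in, READ_CHUNK);
        if ($chunk === false) {
            fclose($in);
            return null;
        }
        $body .= $chunk;
        // Chunked or mis-declared bodies are caught here, not by Content-Length.
        if (strlen($body) > $maxBytes) {
            fclose($in);
            return null;
        }
    }
    fclose($in);
    return $body;
}

/** Decode application/x-www-form-urlencoded on our own terms: count fields before parsing. */
function parse_form_body(string $body, int $maxFields = MAX_FIELDS): ?array
{
    if ($body === '' || substr_count($body, '&') + 1 > $maxFields) {
        return null;
    }
    $fields = [];
    parse_str($body, $fields);
    return $fields;
}

// Usage for a POST handled with enable_post_data_reading = Off.
$body = read_bounded_body();
if ($body === null) {
    http_response_code(413);   // Payload Too Large
    exit;
}
$ct   = $_SERVER['CONTENT_TYPE'] ?? '';
$form = strpos($ct, 'application/x-www-form-urlencoded') === 0 ? parse_form_body($body) : null;
```

Any other content type (multipart, JSON) reaches the script as the same raw bytes, so each decoder gets the same explicit size and element limits before it is applied.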