Newsgroups: php.internals
Xref: news.php.net php.internals:51043
Subject: Re: [PHP-DEV] [PATCH] Add option to disable POST data processing
From: info@tyrael.hu (Ferenc Kovacs)
To: Pierre Joye
Cc: Gustavo Lopes, internals@lists.php.net
Date: Thu, 16 Dec 2010 13:42:08 +0100

On Thu, Dec 16, 2010 at 1:32 PM, Pierre Joye wrote:

> hi,
>
> The more I look at this option the more I think it is confusing. I'm
> not sure the gain is worth this confusion either. However I would
> prefer to bring back a proposal we had a couple of years ago, to
> totally disable post data. When disabled, the POST data will be
> totally ignored, no matter if php://input, raw data or whatever other
> ways we may have to access it. The data given by the server/sapi will
> be ignored.
>
> This option has the benefit to be very simple and solves one known
> attack vector in a very clean way.
>

Yeah, but that idea doesn't solve the problem which the current one tries to address.
So while I think that it would be a good security measure to allow disabling POST altogether, that should be discussed/voted on in a different thread.

So currently we weren't talking about security measures, but performance gains:
If somebody wants to write a script which handles big file uploads but only writes them somewhere (to a file, or another stream), then currently you have to allocate the memory for the POST data twice (see the first email), which is very inefficient if you don't need $_POST at all.

Tyrael
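The kind of upload handler Ferenc describes, written out as an added example; this is not code from the thread, from the patch under discussion, or from PHP itself. It targets PHP 7.0 or later under a web SAPI, and the cap MAX_UPLOAD_BYTES, the chunk size, the function name storeRawUpload() and the choice of sys_get_temp_dir() as the destination are all assumptions made here. The script copies the raw request body from php://input to a file in fixed-size chunks, so the script's own copy of the upload never exceeds one chunk; whether the engine has already buffered the whole body before the script runs is exactly the question the thread is about, and this code does nothing to change that.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread or from PHP itself). Streams the raw POST
// body into a file in 64 KiB chunks so the script never holds the full upload
// in memory. MAX_UPLOAD_BYTES, CHUNK_BYTES and storeRawUpload() are names
// chosen for this example, not PHP API.

const MAX_UPLOAD_BYTES = 512 * 1024 * 1024; // assumed 512 MiB hard cap
const CHUNK_BYTES      = 64 * 1024;

/**
 * Stream php://input into a fresh mode-0600 file under $dir.
 * Returns ['path' => string, 'bytes' => int, 'sha256' => string].
 *
 * @throws RuntimeException on oversize, truncated or unreadable bodies
 */
function storeRawUpload(string $dir, int $maxBytes = MAX_UPLOAD_BYTES): array
{
    $ctype = $_SERVER['CONTENT_TYPE'] ?? '';
    // For multipart/form-data the engine consumes the body itself (into
    // $_FILES/$_POST) and php://input is empty, so refuse explicitly
    // instead of silently storing zero bytes.
    if (stripos($ctype, 'multipart/form-data') === 0) {
        throw new RuntimeException('multipart/form-data is not accepted here; send the raw file body');
    }

    // Content-Length is client-controlled: fine for an early reject, but the
    // real limit is enforced by counting bytes as they are copied.
    $declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    if ($declared > $maxBytes) {
        throw new RuntimeException("declared length $declared exceeds cap $maxBytes");
    }

    $in = fopen('php://input', 'rb');
    if ($in === false) {
        throw new RuntimeException('cannot open php://input');
    }

    // tempnam() picks an unpredictable name and creates the file with mode
    // 0600, so another local user cannot pre-create or read the target path.
    $path = tempnam($dir, 'upl');
    $out  = $path === false ? false : fopen($path, 'wb');
    if ($out === false) {
        fclose($in);
        throw new RuntimeException("cannot create upload file in $dir");
    }

    $written = 0;
    $hash    = hash_init('sha256');
    try {
        while (!feof($in)) {
            $chunk = fread($in, CHUNK_BYTES);
            if ($chunk === false) {
                throw new RuntimeException('read error on php://input');
            }
            if ($chunk === '') {
                break; // body exhausted
            }
            $written += strlen($chunk);
            if ($written > $maxBytes) {
                throw new RuntimeException("body exceeds cap of $maxBytes bytes");
            }
            hash_update($hash, $chunk);
            if (fwrite($out, $chunk) !== strlen($chunk)) {
                throw new RuntimeException('short write to ' . $path);
            }
        }
        // A body shorter than announced usually means a dropped connection;
        // do not keep a truncated file as if it were complete.
        if ($declared > 0 && $written !== $declared) {
            throw new RuntimeException("got $written bytes, Content-Length said $declared");
        }
    } catch (RuntimeException $e) {
        fclose($in);
        fclose($out);
        unlink($path); // never leave a partial upload behind
        throw $e;
    }
    fclose($in);
    fclose($out);

    return ['path' => $path, 'bytes' => $written, 'sha256' => hash_final($hash)];
}

// Entry point when served by a web SAPI; a CLI run only defines the function.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $result = storeRawUpload(sys_get_temp_dir());
        header('Content-Type: application/json');
        echo json_encode($result), "\n";
    } catch (RuntimeException $e) {
        http_response_code(413);
        header('Content-Type: text/plain');
        echo $e->getMessage(), "\n";
    }
}
```

The size cap is enforced on bytes actually read rather than on Content-Length, because the header is supplied by the client; the header is only used to fail fast and to detect a truncated body afterwards. Multipart requests are rejected rather than handled, since for that content type the engine, not the script, reads the body and populates $_FILES, which is the double handling the message complains about.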