Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: another fix for max_input_vars.
To: Stas Malyshev
Cc: Laruence, PHP Internals
Date: Wed, 4 Jan 2012 19:55:02 +0100
In-Reply-To: <4F048A03.4070408@sugarcrm.com>
From: tyra3l@gmail.com (Ferenc Kovacs)

On Wed, Jan 4, 2012 at 6:18 PM, Stas Malyshev wrote:
> Hi!
>
> > Hi:
> > I have updated the patch, made it work in the case of sub arrays.
> >
> > http://pastebin.com/yPTUZuNe
> >
>
> I'm sorry, I'm still not sure I understand - what is this patch fixing?
> I.e. what is the problem with the current PHP that needs this patch?
>

max_input_vars was introduced to fix http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885

My understanding is that the original patch was too intrusive. From the comment of Laruence, it seems that throwing an E_ERROR in that phase means that you can kill the cgi workers if you pass the malicious input, which still has some DoS potential. This seems to be backed up by Dmitry changing the original patch to only raise a warning and ignore the vars over the set limits:
http://svn.php.net/viewvc?view=revision&revision=321335

From the comments by Laruence it seems that he thinks that we only need to limit post, as get and cookie have external limits.
I disagree with this, for two reasons:
- we also have post_max_size to limit the length of the POST Content-Length, so by the same logic, we wouldn't need an additional ini setting for limiting the number of variables.
- we also have max_input_nesting_level, so having a max_input_vars seems to be more consistent than max_post_vars

I would also like to point out that when we added max_input_nesting_level we later polished that a little bit:
http://svn.php.net/viewvc/php/php-src/trunk/main/php_variables.c?r1=233940&r2=236894
http://svn.php.net/viewvc/php/php-src/trunk/main/php_variables.c?r1=236898&r2=239877

And I guess at least the information disclosure part would be needed here also ( https://twitter.com/#!/i0n1c/status/152356767601393665 )

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
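Added example, not part of this thread or of the php-src patches it links: since the warning-and-drop behaviour described above leaves user code no direct signal that input was discarded, this PHP snippet counts submitted input variables the way the limit counts them (one per submitted name=value pair, descending into nested arrays) and refuses a request whose variable count reached max_input_vars. It assumes a PHP build that exposes the max_input_vars setting through ini_get(); the function names, the per-superglobal comparison and the 413 response are the example's own choices.

```php
<?php
// Added example (not from the thread). Assumes a PHP build where the
// max_input_vars ini setting exists; ini_get() returns false otherwise.

/**
 * Count input variables as the limit counts them: each submitted
 * name=value pair is one variable, so nested array input such as
 * opts[a]=1&opts[b][c]=2 contributes one per leaf value.
 */
function count_input_leaves(array $vars)
{
    $n = 0;
    foreach ($vars as $v) {
        $n += is_array($v) ? count_input_leaves($v) : 1;
    }
    return $n;
}

/**
 * True when any input source may have been truncated by PHP: the excess
 * variables are dropped with only a warning, so a count that reaches the
 * limit is the conservative signal that something was lost. Each
 * superglobal is compared on its own (an assumption of this example).
 */
function input_possibly_truncated(array $get, array $post, array $cookie)
{
    $limit = (int) ini_get('max_input_vars');
    if ($limit <= 0) {
        return false; // setting unavailable or disabled: nothing to compare
    }
    foreach (array($get, $post, $cookie) as $vars) {
        if (count_input_leaves($vars) >= $limit) {
            return true;
        }
    }
    return false;
}

// Constructed sample form data: three submitted fields, two of them nested.
$samplePost = array(
    'name' => 'x',
    'opts' => array('a' => '1', 'b' => array('c' => '2')),
);
$sampleLeaves = count_input_leaves($samplePost); // 3 for the sample above

// Reject rather than silently process a request that hit the limit.
if (input_possibly_truncated($_GET, $_POST, $_COOKIE)) {
    header('HTTP/1.1 413 Request Entity Too Large');
    exit('Too many input variables');
}

echo 'sample leaf count: ', $sampleLeaves, "\n";
```

Running this at the top of a request handler, before any form data is trusted, turns the silent truncation into an explicit rejection; the same check applied to max_input_nesting_level is not possible from user code, because nesting deeper than the limit is discarded before the script runs.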