Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57192 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 28675 invoked from network); 4 Jan 2012 18:59:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Jan 2012 18:59:03 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 67.192.241.173 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 67.192.241.173 smtp173.dfw.emailsrvr.com Linux 2.6 Received: from [67.192.241.173] ([67.192.241.173:48440] helo=smtp173.dfw.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 84/6D-50667-671A40F4 for ; Wed, 04 Jan 2012 13:59:03 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp7.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 682CF25809A; Wed, 4 Jan 2012 13:58:59 -0500 (EST) X-Virus-Scanned: OK Received: by smtp7.relay.dfw1a.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 1694B2582B6; Wed, 4 Jan 2012 13:58:59 -0500 (EST) Message-ID: <4F04A172.7080509@sugarcrm.com> Date: Wed, 04 Jan 2012 10:58:58 -0800 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Ferenc Kovacs CC: Laruence , PHP Internals References: <4F048A03.4070408@sugarcrm.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: another fix for max_input_vars. From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > From the comments by Laruence it seems that he thinks that we only need > to limit post, as get and cookie has external limits. I don't think it's a big problem if we limit all of them. It's not like anybody needs a million cookies in their http request. > And I guess at least the information disclosure part would be needed > here also ( https://twitter.com/#!/i0n1c/status/152356767601393665 ) Could you please elaborate on that part - where is the disclosure and what exactly is being disclosed? -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227