Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58938 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 3828 invoked from network); 14 Mar 2012 21:38:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Mar 2012 21:38:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.161.170 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 209.85.161.170 mail-gx0-f170.google.com Received: from [209.85.161.170] ([209.85.161.170:63584] helo=mail-gx0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7B/C0-32926-0CF016F4 for ; Wed, 14 Mar 2012 16:38:09 -0500 Received: by ggmb2 with SMTP id b2so2709131ggm.29 for ; Wed, 14 Mar 2012 14:38:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding:x-gm-message-state; bh=1uKwvLWlH2B7GegoZKMUNmb7bKogH7M0mV7FYkQK5T4=; b=J8MHl9rnEs6viiIEqIeHokqBwIHcd924rbaMdyRR3IsIBCHOcmJJ+8MheGyLGZOTTu XWu4BQQIBA+15OLWsW/4UUcMPYV1gHfmzh+sN6l/YA/3ZESCcjRQMkmSl5u/SCVbiR9e 8jrAzEBQEvSR5ZzBIW0rgO1U9VbiJZYLDjsaGoH8nHECNJfUs77v85h1/o7KkkljBhYg PmlxSPwYwdYSNvC8RB0idR90b6ouV5MGSQNmcbJ/u6micvQKkUx7wbgwzfzBrLeShfMl uqmHp/FEtyFDC/woQJH+APB6V4b2QMdR7cLRTMEH3RvLqAQ1hkXyp+L8g138ZiGLlHb3 6VMQ== Received: by 10.224.9.138 with SMTP id l10mr5076410qal.33.1331761084969; Wed, 14 Mar 2012 14:38:04 -0700 (PDT) Received: from [192.168.200.5] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225]) by mx.google.com with ESMTPS id h11sm541018qae.3.2012.03.14.14.38.03 (version=SSLv3 cipher=OTHER); Wed, 14 Mar 2012 14:38:04 -0700 (PDT) Message-ID: <4F610FB9.1060309@lerdorf.com> Date: Wed, 14 Mar 2012 14:38:01 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2 MIME-Version: 1.0 To: Pierre Joye CC: PHP internals References: <4F60F4B1.5010407@lerdorf.com> In-Reply-To: X-Enigmail-Version: 1.3.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Gm-Message-State: ALoCoQlmv3sGIcCG0MggmlL4laK73bVmqV/ULYa54CoL2wGncpYXbjCKQVsEhxx16gD9FtOQl/QT Subject: Re: [PHP-DEV] Let parse_str() parse more than max_input_vars args From: rasmus@lerdorf.com (Rasmus Lerdorf) On 03/14/2012 01:32 PM, Pierre Joye wrote: > hi Rasmus, > > As the ini_all option sounds appealing, I can imagine ISPs willing to > do not allow their users to change this value, and that's something I > would not allow random users either. > > I'd to go with the optional argument, adding a clear in the > documentation about the confusing error message. But Pierre, you understand that by the time you ini_set() it in the code it can only ever affect parse_str() calls. Normal GPC parsing is done prior to the PHP script running so there is no way for a userspace script to ini_set() themselves to a state where they will be insecure to a remote attack. They would have to go out of their way to specifically write code to do that and that is something they can obviously do anyway by simply building a big hash from some external source. So I don't really think this is a valid concern. If this was a real concern I would think you would have objected to the current INI_PERDIR. This is where a user can make his scripts unsafe by disabling max_input_vars in a .htaccess file. -Rasmus