Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58942 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 10539 invoked from network); 14 Mar 2012 22:11:58 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Mar 2012 22:11:58 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 67.192.241.153 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 67.192.241.153 smtp153.dfw.emailsrvr.com Linux 2.6 Received: from [67.192.241.153] ([67.192.241.153:48966] helo=smtp153.dfw.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id F7/12-32926-EA7116F4 for ; Wed, 14 Mar 2012 17:11:58 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp5.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 490FC586A0; Wed, 14 Mar 2012 18:11:55 -0400 (EDT) X-Virus-Scanned: OK Received: by smtp5.relay.dfw1a.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id EDDC3580D5; Wed, 14 Mar 2012 18:11:54 -0400 (EDT) Message-ID: <4F6117AA.2080004@sugarcrm.com> Date: Wed, 14 Mar 2012 15:11:54 -0700 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0.1) Gecko/20120208 Thunderbird/10.0.1 MIME-Version: 1.0 To: Rasmus Lerdorf CC: PHP internals References: <4F60F4B1.5010407@lerdorf.com> In-Reply-To: <4F60F4B1.5010407@lerdorf.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Let parse_str() parse more than max_input_vars args From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > The other way to solve this would be to make max_input_vars PHP_INI_ALL > and then just let people ini_set() their way around the limit. I think making it PHP_INI_ALL is OK. If you have access to a way to change INI_ALL vars, that means you can run code on that system, then DoS protection is meaningless on this stage. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227