Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58944
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 16185 invoked from network); 14 Mar 2012 23:04:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Mar 2012 23:04:37 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.161.170 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.161.170 mail-gx0-f170.google.com  
Received: from [209.85.161.170] ([209.85.161.170:37356] helo=mail-gx0-f170.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 30/13-32926-404216F4 for <internals@lists.php.net>; Wed, 14 Mar 2012 18:04:36 -0500
Received: by ggmb2 with SMTP id b2so2804917ggm.29
        for <internals@lists.php.net>; Wed, 14 Mar 2012 16:04:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:x-enigmail-version:content-type
         :content-transfer-encoding:x-gm-message-state;
        bh=OEQcER1D9vazNU207Qnf7AWRloxPGaBnLg9HqjJBLgc=;
        b=YS2XqTy85213egA3Te6rlHqc+xcpB4c2svEDv1T+f1F8sUjlnNPg6s1KVwiuKMJLY8
         agLXyLM93cbeZqGKvNckiLM7mLLPMxQRV1Hi9wIrh6CgPUH7zm3pu8hoiguXOnTNTyAx
         +JQLgNDiMVMxsmaUc8E1hp3UyUtpJ/cAk52IYy34+M+dLQzn9T0ff6sGQxb27QyGUNRP
         pMzBL7nWb9y9ldDNgJLQt/izaa2fgVs2iwblGZni402DtxN3Dy1+ZpUzJFZ472rzjtMZ
         rraRZ+tB6UrwfQMcOI2igMLBW1Szy8OHhRscj3WnFDVXXfpGMt17Cq1inILD2bLqY3Vt
         SYKw==
Received: by 10.229.135.196 with SMTP id o4mr1456180qct.139.1331766272875;
        Wed, 14 Mar 2012 16:04:32 -0700 (PDT)
Received: from [192.168.200.5] (c-50-131-44-225.hsd1.ca.comcast.net. [50.131.44.225])
        by mx.google.com with ESMTPS id z6sm878136qap.17.2012.03.14.16.04.30
        (version=SSLv3 cipher=OTHER);
        Wed, 14 Mar 2012 16:04:31 -0700 (PDT)
Message-ID: <4F6123FD.7020101@lerdorf.com>
Date: Wed, 14 Mar 2012 16:04:29 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Stas Malyshev <smalyshev@sugarcrm.com>
CC: PHP internals <internals@lists.php.net>
References: <4F60F4B1.5010407@lerdorf.com> <4F6117AA.2080004@sugarcrm.com>
In-Reply-To: <4F6117AA.2080004@sugarcrm.com>
X-Enigmail-Version: 1.3.5
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQnCBCNKuo3rfQ5HEeiAZcRhOv5oSjHRciinXqwS0ZxfT36zEKwPMuVXZQAhNN6AHT2Rg8MX
Subject: Re: [PHP-DEV] Let parse_str() parse more than max_input_vars args
From: rasmus@lerdorf.com (Rasmus Lerdorf)

On 03/14/2012 03:11 PM, Stas Malyshev wrote:
> Hi!
> 
>> The other way to solve this would be to make max_input_vars PHP_INI_ALL
>> and then just let people ini_set() their way around the limit.
> 
> I think making it PHP_INI_ALL is OK. If you have access to a way to
> change INI_ALL vars, that means you can run code on that system, then
> DoS protection is meaningless on this stage.

I ran into this in some existing code that broke upgrading to 5.3.10. It
was a backend call to an API where the API result was being fed to
parse_str(). The API itself is trusted, so no risk of a HashDoS from it.
Other than replacing the call to parse_str() with a similar userspace
implementation there was no way to fix this safely. I could do a
.htaccess for just that URI, but that would open up the frontend of this
particular request to a HashDoS.

I'll make the INI_ALL change for the next release.

-Rasmus