Newsgroups: php.internals
Xref: news.php.net php.internals:63216
Subject: Re: [PHP-DEV] POST, content-type: application/json and json_decode
From: Ferenc Kovacs <tyra3l@gmail.com>
To: ivan.enderlin@hoa-project.net
Cc: internals@lists.php.net
Date: Fri, 21 Sep 2012 13:44:02 +0200
In-Reply-To: <505C4A06.6040304@hoa-project.net>

On Fri, Sep 21, 2012 at 1:05 PM, Ivan Enderlin @ Hoa <ivan.enderlin@hoa-project.net> wrote:
> Hello,
>
> If PHP receives an HTTP request with the method POST and with the header
> Content-Type: application/x-www-form-urlencoded, then it automatically
> parses the request body to populate an array in $_POST. If the Content-Type
> is different (e.g. text/plain or application/json), the request body is
> reachable by reading php://input. Well, it is ok.
>
> But are there any plans to consider application/json by parsing the request
> body and populating the result in $_POST (with the help of json_decode()
> maybe)?
>
> If so, I would like to propose a patch but I don't find in the source code
> where the request body is caught and parsed (for POST). Any ideas?
> Maybe an RFC would also be welcome to complete my suggestion?
>
> Thanks.

Please watch out not to reintroduce CVE-2011-4885; AFAIR we discussed that
json_decode is also vulnerable to the hash collision, but I don't remember
seeing any fix committed to json_decode. Depending on how you would extract
the JSON-encoded variables, this would make it possible to bypass the
protection of the max_input_vars limit.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
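The concern raised in the reply above is that a JSON body mapped into $_POST would skip the limits the form-data parser enforces. The following is an added example (not code from this thread, from PHP, or from the Hoa project) of how a userland decoder could keep those limits: it caps the raw body size before decoding, caps nesting depth, and counts decoded keys against the same max_input_vars value the form parser uses. The names MAX_JSON_BODY_BYTES, MAX_JSON_DEPTH, count_json_keys and decode_json_body are this example's own; the sample request bodies are constructed. It targets PHP 7.3 or later (for JSON_THROW_ON_ERROR and JsonException).

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread or from PHP itself.
// Constants below are assumptions chosen for illustration.
const MAX_JSON_BODY_BYTES = 65536; // cap the raw body before the decoder sees it
const MAX_JSON_DEPTH      = 16;    // far below json_decode's default depth of 512

/**
 * Count every element in a decoded JSON structure, recursively, returning as
 * soon as $limit is exceeded so an oversized document is not fully walked.
 */
function count_json_keys(array $data, int $limit, int $count = 0): int
{
    foreach ($data as $value) {
        $count++;
        if ($count > $limit) {
            return $count;
        }
        if (is_array($value)) {
            $count = count_json_keys($value, $limit, $count);
            if ($count > $limit) {
                return $count;
            }
        }
    }
    return $count;
}

/**
 * Decode a JSON request body into an associative array suitable for $_POST,
 * or return null when the media type is not application/json, the body is
 * too large, malformed, too deeply nested, or carries more variables than
 * max_input_vars allows for a form-encoded body.
 */
function decode_json_body(string $contentType, string $body): ?array
{
    // Compare only the media type; ignore parameters such as "; charset=utf-8".
    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($mediaType !== 'application/json') {
        return null;
    }

    // Bound the decoder's work up front: the key count below is checked only
    // after decoding, so the byte cap is what actually limits decode cost.
    if (strlen($body) > MAX_JSON_BODY_BYTES) {
        return null;
    }

    // true = associative arrays (like $_POST); depth cap rejects deep nesting;
    // JSON_THROW_ON_ERROR turns syntax and depth errors into exceptions.
    try {
        $decoded = json_decode($body, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($decoded)) {
        return null; // a bare scalar is not a set of request variables
    }

    // Reuse the form parser's own limit; PHP's default for max_input_vars is 1000.
    $maxVars = (int) (ini_get('max_input_vars') ?: 1000);
    if (count_json_keys($decoded, $maxVars) > $maxVars) {
        return null;
    }
    return $decoded;
}

// Constructed sample input standing in for $_SERVER['CONTENT_TYPE'] and
// file_get_contents('php://input') in a real request.
$ok = decode_json_body('application/json; charset=utf-8', '{"user":"alice","tags":["a","b"]}');
var_dump($ok !== null); // bool(true): 3 variables, well under the limit

// Constructed body with 2000 top-level keys: with the default max_input_vars
// of 1000 it is rejected rather than populating $_POST.
$pairs = [];
for ($i = 1; $i <= 2000; $i++) {
    $pairs[] = '"k' . $i . '":' . $i;
}
$tooMany = '{' . implode(',', $pairs) . '}';
var_dump(decode_json_body('application/json', $tooMany)); // NULL
```

Two design points worth noting. The key count is applied after json_decode() has already built the PHP array, so on its own it does not bound the cost of decoding; the body-size cap is the control that limits how much attacker-chosen key material the decoder processes, and the key count only keeps the $_POST contract consistent with max_input_vars. Second, a non-JSON or oversized body yields null rather than a partial array, so callers cannot mistake a rejected request for an empty one.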