Subject: Re: [PHP-DEV] POST, content-type: application/json and json_decode
From: ivan.enderlin@hoa-project.net ("Ivan Enderlin @ Hoa")
To: internals@lists.php.net, laruence@php.net, tyra3l@gmail.com
Date: Fri, 21 Sep 2012 13:57:25 +0200
Message-ID: <505C5625.7090700@hoa-project.net>
References: <505C4A06.6040304@hoa-project.net>

On 21/09/12 13:44, Ferenc Kovacs wrote:
> On Fri, Sep 21, 2012 at 1:05 PM, Ivan Enderlin @ Hoa <
> ivan.enderlin@hoa-project.net> wrote:
>
>> Hello,
>>
>> If PHP receives an HTTP request with the method POST and with the header
>> Content-Type: application/x-www-form-encoded, then it automatically
>> parses the request body to populate an array in $_POST. If the Content-Type
>> is different (e.g. text/plain or application/json), the request body is
>> reachable by reading php://input. Well, it is ok.
>>
>> But are there any plans to consider application/json by parsing the request
>> body and populating the result in $_POST (with the help of json_decode()
>> maybe)?
>>
>> If so, I would like to propose a patch, but I don't find in the source code
>> where the request body is caught and parsed (for POST). Any ideas?
>> Maybe an RFC would also be welcome to complete my suggestion?
>>
>> Thanks.
>>
>
> please watch out not to reintroduce CVE-2011-4885; afair we discussed that
> json_decode is also vulnerable to the hash collision, but I don't
> remember seeing any fix committed to json_decode.
> depending on how you would extract the json encoded variables, this would
> make it possible to bypass the protection of the max_input_vars limit.

Laruence has opened a bug with some patches:
https://bugs.php.net/bug.php?id=60655. What is the state of this bug?

I don't understand the hash collision problem very well. Any links?

-- 
Ivan Enderlin
Developer of Hoa
http://hoa.42/ or http://hoa-project.net/

PhD. student at DISC/Femto-ST (Vesontio) and INRIA (Cassis)
http://disc.univ-fcomte.fr/ and http://www.inria.fr/

Member of HTML and WebApps Working Group of W3C
http://w3.org/
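The thread raises two points: that a `Content-Type: application/json` body is only reachable through `php://input` today, and that feeding it through `json_decode()` into `$_POST` could sidestep the `max_input_vars` ceiling that protects form-encoded input (the CVE-2011-4885 hash-collision mitigation). The following is an added example, not code from the thread or from PHP itself, showing how userland code can decode such a body while applying the same kind of ceiling. The function names `parseJsonPostBody` and `countJsonVars`, the depth limit of 32, and the reuse of the `max_input_vars` ini setting as the default variable cap are all assumptions made for this example; the sample request body is constructed.

```php
<?php
// Added example (not from the thread or from PHP): decode an application/json
// POST body the way $_POST is populated for form-encoded bodies, but enforce a
// nesting-depth limit and a variable-count ceiling so the JSON path is held to
// the same kind of limit that max_input_vars imposes on form-encoded input.

/**
 * Count every key/value pair in a decoded JSON structure, recursively,
 * so nested objects and arrays cannot hide an unbounded number of entries.
 */
function countJsonVars(array $data): int
{
    $count = 0;
    foreach ($data as $value) {
        ++$count;
        if (is_array($value)) {
            $count += countJsonVars($value);
        }
    }
    return $count;
}

/**
 * Decode a JSON request body with a depth limit and a variable-count limit.
 * Returns null if the Content-Type is not application/json, the body is
 * malformed, nesting exceeds $maxDepth, or the entry count exceeds $maxVars.
 * Assumption for this example: $maxVars defaults to the max_input_vars ini
 * value so JSON and form-encoded bodies share one ceiling.
 */
function parseJsonPostBody(string $body, string $contentType, ?int $maxVars = null, int $maxDepth = 32): ?array
{
    if ($maxVars === null) {
        $maxVars = (int) ini_get('max_input_vars') ?: 1000;
    }
    // Accept "application/json" with optional parameters such as "; charset=utf-8".
    if (!preg_match('#^application/json\s*(;|$)#i', trim($contentType))) {
        return null;
    }
    // json_decode() returns null on a syntax error or when nesting exceeds $maxDepth.
    $decoded = json_decode($body, true, $maxDepth);
    if (!is_array($decoded) || json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    // Reject bodies that carry more entries than form-encoded input would be allowed.
    if (countJsonVars($decoded) > $maxVars) {
        return null;
    }
    return $decoded;
}

// In a real handler the inputs would be:
//   $body        = file_get_contents('php://input');
//   $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
// Here a constructed sample body stands in for a live request.
$body = '{"user":"alice","tags":["a","b"],"prefs":{"theme":"dark"}}';
$contentType = 'application/json; charset=utf-8';
$post = parseJsonPostBody($body, $contentType);
var_dump($post !== null);        // accepted
var_dump(countJsonVars($post));  // 6 entries: user, tags, a, b, prefs, theme

// A body with more entries than the ceiling is rejected outright, so an
// oversized JSON document cannot bypass what max_input_vars enforces for
// form-encoded input (constructed input: a list of 2000 values, cap of 1000).
$big = json_encode(array_fill(0, 2000, 1));
var_dump(parseJsonPostBody($big, 'application/json', 1000)); // NULL
```

The count-based ceiling addresses the concern Ferenc raises: the hash-collision issue depends on an attacker supplying a very large number of keys, and capping the total number of decoded entries (at every nesting level, not just the top one) before the array reaches application code is the userland equivalent of what `max_input_vars` does for `$_POST`. The depth limit passed to `json_decode()` is a separate guard against deeply nested bodies exhausting the decoder.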