Newsgroups: php.internals
Date: Wed, 2 Oct 2013 17:15:18 +0200
Subject: Re: [PHP-DEV] HTTP superglobals and request body/query (was: Parsing PUT data)
From: nikita.ppv@gmail.com (Nikita Popov)
To: Michael Wallner
Cc: PHP Internals

On Wed, Oct 2, 2013 at 8:59 AM, Michael Wallner wrote:
> People have always been confused by the _GET and _POST superglobals,
> because, despite their name, they do not (really) depend on the
> request method. Therefore I propose to phase out $_GET and name it
> $_QUERY, and I propose to phase out $_POST and name it $_FORM (I'm not
> 100% confident with the latter yet, though).

I don't think this kind of change is worth it if you just rename two very heavily used variables. If something in this direction is changed, the change should be more thorough (including getting away from superglobals and representing the request state by an immutable object).

> There are already parsers for application/x-www-form-urlencoded and
> multipart/form-data in the core. One could think of providing an API
> to add content type handlers from extensions; ext/json may be an
> example, like it is hacked into pecl_http-v2.

I would *strongly* recommend against adding additional body parsers that are automatically invoked based on the content type. Adding additional parsers creates a high security risk. E.g. exposing ext/json as it is now would open you to a denial of service attack (if I'm not mistaken). There has been a long history of security vulnerabilities (both DoS and RCE) related to unnecessary or incorrect exposure of request body parsers. A prominent recent example is the RCE vulnerabilities in Rails caused by the exposure of YAML and JSON parsers.

Nikita
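The alternative to the automatic content-type dispatch Nikita warns about is explicit, per-endpoint opt-in with bounded parser work. The following is an added example, not code from the thread or from PHP itself; the 64 KiB body cap and JSON depth of 16 are illustrative limits chosen for this example.

```php
<?php
// Added example (not from the thread): parse a request body only for the
// content types an endpoint explicitly opted into, with bounded parser work,
// instead of dispatching a parser automatically on whatever Content-Type
// the client sent. Limits below are illustrative assumptions.
declare(strict_types=1);

const MAX_BODY_BYTES = 65536; // assumed cap; bounds parser CPU and memory
const MAX_JSON_DEPTH = 16;    // assumed cap; bounds nesting/recursion

/**
 * @param string[] $allowed media types this endpoint accepts
 * @return array<string,mixed>|null decoded body, or null on any rejection
 */
function parse_body(string $method, string $contentType, string $body, array $allowed): ?array
{
    // Only body-carrying methods get a parser; this ties parsing to the
    // request method instead of the $_GET/$_POST "always parse" behaviour.
    if (!in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
        return null;
    }
    // Check the size before touching the body, so oversized input never
    // reaches a parser at all.
    if (strlen($body) > MAX_BODY_BYTES) {
        return null;
    }
    // Drop parameters such as "; charset=utf-8" and normalise case.
    $type = strtolower(trim(explode(';', $contentType, 2)[0]));
    if (!in_array($type, $allowed, true)) {
        return null; // unknown or unwanted type: never fall through to a parser
    }
    switch ($type) {
        case 'application/x-www-form-urlencoded':
            parse_str($body, $out);
            return $out;
        case 'application/json':
            // Depth cap bounds recursion; JSON_THROW_ON_ERROR avoids a silent null.
            try {
                $data = json_decode($body, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
            } catch (JsonException $e) {
                return null;
            }
            return is_array($data) ? $data : null;
    }
    return null;
}

// This endpoint accepts JSON only; a form-encoded body is rejected explicitly.
var_dump(parse_body('POST', 'application/json; charset=utf-8', '{"a":1}', ['application/json']));
var_dump(parse_body('POST', 'application/x-www-form-urlencoded', 'a=1', ['application/json']));
```

The point is that the endpoint, not the client's Content-Type header, decides which parser runs and how much work it may do.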