Newsgroups: php.internals
Date: Wed, 2 Oct 2013 20:02:51 +0200
From: mike@php.net (Michael Wallner)
To: Nikita Popov
Cc: PHP Internals
Subject: Re: [PHP-DEV] HTTP superglobals and request body/query (was: Parsing PUT data)

On 2 October 2013 17:15, Nikita Popov wrote:
> On Wed, Oct 2, 2013 at 8:59 AM, Michael Wallner wrote:
>>
>> Since ever people are confused by _GET and _POST superglobals,
>> because, despite their name, they do not (really) depend on the
>> request method. Therefore I propose to phase out $_GET and name it
>> $_QUERY and I propose to phase out $_POST and name it $_FORM (I'm not
>> 100% confident with the latter yet, though).
>
> I don't think this kind of change is worth it if you just rename two very
> heavily used variables. If something in this direction is changed the change
> should be more thorough (including getting away from superglobals and
> representing the request state by an immutable object).

Well, what I want and what is in core may diverge. May I suggest you take
a look at pecl_http-v2, I'd greatly appreciate any feedback.

>> There are already parsers for application/x-www-form-urlencoded and
>> multipart/form-data in the core. One could think of providing an API
>> to add content type handlers from extensions, ext/json may be an
>> example, like it is hacked into pecl_http-v2.
>
> I would *strongly* recommend against adding additional body parsers that are
> automatically invoked based on the content type. Adding additional parsers
> creates a high security risk. E.g. exposing ext/json as it is now would open
> you to a denial of service attack (if I'm not mistaken). There has been a
> long history of security vulnerabilities (both DOS and RCE) related to
> unnecessary or incorrect exposure of request body parsers. Prominent
> recent examples are the RCE vulnerabilities in Rails caused by the exposure
> of YAML and JSON parsers.

Pointers, references, evidence?

--
Regards,
Mike
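The thread above argues about whether body parsers should be selected automatically from the Content-Type header. The following is an added example of the opt-in alternative, written for this page and not code from PHP core, ext/json or pecl_http: nothing runs unless the application calls the registry, each handler is matched against an allow-list of media types, and every parser is bounded (a byte cap, a JSON nesting limit, a form-field count cap). The class and method names (`BodyParserRegistry`, `register`, `parse`) and the sample request are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: an explicit, opt-in request-body
// parser registry. Handlers are only invoked when the application asks,
// and only for media types it registered; each handler enforces its own
// limits so a hostile body cannot drive unbounded work in the parser.

final class BodyParserRegistry
{
    /** @var array<string, callable(string): mixed> keyed by lowercased media type */
    private array $handlers = [];

    public function __construct(private int $maxBytes = 1_048_576) {}

    public function register(string $mediaType, callable $handler): void
    {
        $this->handlers[strtolower($mediaType)] = $handler;
    }

    /**
     * Parse $body according to $contentType. Returns null when no handler is
     * registered for the media type, so the caller keeps the raw body.
     * Throws RuntimeException when the body exceeds the byte cap, and lets
     * handler exceptions (e.g. JsonException) propagate.
     */
    public function parse(?string $contentType, string $body): mixed
    {
        if ($contentType === null) {
            return null;
        }
        // Drop parameters such as "; charset=utf-8" and normalise case
        // before the allow-list lookup.
        $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
        if (!isset($this->handlers[$mediaType])) {
            return null;
        }
        if (strlen($body) > $this->maxBytes) {
            throw new RuntimeException("request body exceeds {$this->maxBytes} bytes");
        }
        return ($this->handlers[$mediaType])($body);
    }
}

$registry = new BodyParserRegistry(maxBytes: 65_536);

// JSON handler with a bounded nesting depth: input nested deeper than 32
// levels raises JsonException instead of being decoded.
$registry->register('application/json', function (string $body): mixed {
    return json_decode($body, true, 32, JSON_THROW_ON_ERROR);
});

// Form handler built on parse_str(); cap the field count so a body with
// thousands of "&"-separated pairs is rejected before it is parsed.
$registry->register('application/x-www-form-urlencoded', function (string $body): array {
    if (substr_count($body, '&') >= 1000) {
        throw new RuntimeException('too many form fields');
    }
    parse_str($body, $result);
    return $result;
});

// Constructed sample request (not a real capture). In a real handler the
// media type comes from $_SERVER['CONTENT_TYPE'] and the body from
// file_get_contents('php://input').
$contentType = 'application/json; charset=utf-8';
$body = '{"user":"alice","roles":["editor"]}';

try {
    $parsed = $registry->parse($contentType, $body);
    var_dump($parsed);
} catch (JsonException | RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the design is that an unregistered or unexpected media type yields null rather than a parse attempt, and a body that is too large or too deeply nested is refused before any recursive decoding happens; both conditions are ordinary 400 responses rather than crashes or timeouts.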