I am working on some things to harden PHP against filter chain attacks:
• PHP RFC: Limit maximum number of filter chains https://wiki.php.net/rfc/limit-maximum-number-of-filter-chains
• Dechunk incorrectly truncates string when it starts with a hex character https://github.com/php/php-src/issues/21983
Filter chains use php://filter/ URLs with many filters, which are useful in several attacks, described in the RFC. I propose to limit the number of filters, and make the dechunk filter less useful for attacks. Please let me know what you think about this.
Regards,
Sjoerd Langkemper
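
An added example, not part of the original message and not the RFC's or php-src's implementation: a userland guard that counts the filters named in a `php://filter/` URL and refuses to open it above a limit. The function names and the `MAX_FILTERS` value are assumptions made for this sketch, and the sample URLs are constructed.

```php
<?php
declare(strict_types=1);

const MAX_FILTERS = 5; // assumed limit for this sketch, not a value taken from the RFC

/** Count the filters named in a php://filter/ URL; 0 for any other URL. */
function countPhpFilters(string $url): int
{
    // The wrapper name is matched case-insensitively by PHP.
    if (strncasecmp($url, 'php://filter/', 13) !== 0) {
        return 0;
    }
    // Keep the leading '/', then drop the target: everything from the
    // first "/resource=" onward names the wrapped stream, not a filter.
    $spec = substr($url, 12);
    $end = strpos($spec, '/resource=');
    if ($end !== false) {
        $spec = substr($spec, 0, $end);
    }
    $count = 0;
    // Each '/'-separated segment is a filter list, optionally prefixed
    // with read= or write=; filters inside a list are separated by '|'.
    foreach (explode('/', $spec) as $segment) {
        $list = preg_replace('/^(read|write)=/i', '', $segment);
        foreach (explode('|', $list) as $name) {
            if ($name !== '') {
                $count++;
            }
        }
    }
    return $count;
}

/** Throw instead of opening a URL whose filter chain exceeds the limit. */
function assertFilterLimit(string $url, int $max = MAX_FILTERS): void
{
    $n = countPhpFilters($url);
    if ($n > $max) {
        throw new RuntimeException("php://filter URL names $n filters, limit is $max");
    }
}

// Constructed sample inputs: one short chain and one long chain of harmless filters.
$short = 'php://filter/read=string.toupper|string.rot13/resource=data.txt';
$long  = 'php://filter/' . implode('|', array_fill(0, 40, 'string.rot13')) . '/resource=data.txt';
foreach ([$short, $long] as $url) {
    try {
        assertFilterLimit($url);
        echo countPhpFilters($url), " filters: allowed\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

A check like this only covers URLs the application passes through it explicitly, which is why enforcing the limit inside PHP's own stream layer, as the RFC proposes, is the stronger control.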