Hi,

The more I look at this option the more I think it is confusing. I'm
not sure the gain is worth this confusion either. However, I would
prefer to bring back a proposal we had a couple of years ago, to
totally disable post data. When disabled, the POST data will be
totally ignored, no matter if php://input, raw data or whatever other
ways we may have to access it. The data given by the server/sapi will
be ignored.

This option has the benefit of being very simple and solves one known
attack vector in a very clean way.

Cheers,

On Thu, Dec 9, 2010 at 9:37 PM, Gustavo Lopes <glo...@nebm.ist.utl.pt> wrote:
> On Tue, 07 Dec 2010 07:08:34 -0000, Gustavo Lopes <glo...@nebm.ist.utl.pt>
> wrote:
>
>> The very simple attached patch adds an option to disable POST data
>> processing, which implies the data can only be read in a stream fashion
>> through php://input.
>>
>
> I've committed to trunk the patch with the name of the ini option changed
> from disable_post_data_processing to enable_post_data_reading.
>
> --
> Gustavo Lopes
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
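
An added example, not part of the thread or of the PHP source: a handler for the committed behaviour, where `enable_post_data_reading = Off` leaves `$_POST` and `$_FILES` empty and the body is read as a stream from `php://input`. The function name, the 1 MiB cap, the chunk size and the spool-to-temp-file design are assumptions made for illustration.

```php
<?php
// Added example. Assumes the script is served with
//   enable_post_data_reading = Off
// set in php.ini, .htaccess or .user.ini (it cannot be changed with ini_set()).

const MAX_BODY_BYTES = 1048576; // assumed cap: 1 MiB
const CHUNK_BYTES    = 8192;    // assumed read size

// Copy the request body to a temp file in fixed-size chunks, aborting as
// soon as the cap is exceeded so an oversized body is never held in memory.
function spool_request_body(string $source = 'php://input'): string
{
    $in = fopen($source, 'rb');
    if ($in === false) {
        throw new RuntimeException("cannot open $source");
    }
    $tmp = tempnam(sys_get_temp_dir(), 'body_');
    $out = fopen($tmp, 'wb');
    $ok = false;
    try {
        $total = 0;
        while (!feof($in)) {
            $chunk = fread($in, CHUNK_BYTES);
            if ($chunk === false) {
                throw new RuntimeException('read error on request body');
            }
            $total += strlen($chunk);
            if ($total > MAX_BODY_BYTES) {
                throw new LengthException('request body exceeds cap');
            }
            fwrite($out, $chunk);
        }
        $ok = true;
        return $tmp;
    } finally {
        fclose($in);
        fclose($out);
        if (!$ok) {
            unlink($tmp); // leave no partial spool file behind on failure
        }
    }
}

if (PHP_SAPI !== 'cli') {
    try {
        $path = spool_request_body();
        echo filesize($path), " bytes received\n";
        unlink($path);
    } catch (LengthException $e) {
        http_response_code(413); // Payload Too Large
    }
}
```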
