On Thu, Jan 5, 2012 at 5:56 AM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
> On 01/04/2012 01:48 PM, Rasmus Lerdorf wrote:
>> On 01/04/2012 01:27 PM, Stas Malyshev wrote:
>>> Hi!
>>>
>>>> Right, like I said in my previous message, if this is caught by
>>>> display_start_errors, I am ok with it. We need the default/no php.ini
>>>> file case to not leak information like this.
>>>
>>> Just checked - it does not display error if display_startup_errors if
>>> off, does display if it's on.
>>
>> Right, that seems ok. The other thing is that we need to clarify that it
>> actually only limits the number of variables per nesting level. The
>> current name and the description doesn't make that clear. You can still
>> send 1M post vars in a single POST if you just nest them in a 1000x1000
>> 2d array. Of course, this is likely going to hit the post_max_size
>> limit, although many sites that do file uploads will have cranked that
>> way up.
>
> Oh, and a final issue to address.
>
> This code:
>
> for($data=[],$i=0; $i<=999; $i++) $data[$i] = range(0,1001);
> echo curl_post("http://localhost/index.php";,['a'=>$data]);
>
> will spew the warning 2000 times.
>
> & php post.php | grep Warning | wc -l
> 2000
>
could you try with this new patch:
https://bugs.php.net/patch-display.php?bug_id=60655&patch=max_input_vars.patch&revision=latest
?this patch also restrict the json / serializer , all of them must less than PG(max_input_vars). and different with the fix which was commited now, this patch count the num vars in a global scope, that means if there are 2 elements which both have 500 elements in post, the restriction will also affect, and this patch will not affect the existsing called to json or serializer, only affect the zif_json_decode and zif_serialize, after patch, the serialize will have a sencode parameter :"$max_vars". and the restriction can also be closed by set max_input_vars to 0. thanks > -Rasmus > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > -- Laruence Xinchen Hui http://www.laruence.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
