Hey,

> I think you accidentally sent this to me, not to the list ;) By the
> way, I think you and Pierre are talking about different patches. We do
> know that the hash size randomization will not work. Pierre is
> referring to another patch that extends max_input_vars to
> unserialize() and json_decode().

ah okay. I see now that there is a different patch, but it is not clear if 
Pierre meant this or the HashTable randomization patch, because both were 
advocated to fix the unserialize() and json_decode(), too.

Just a quick look at it tells me that I don't like this patch either. It adds 
code to each POST handler. The POST handler interface is something extensions 
can extend. With Laurence's patch: suddenly all extensions that implement their 
own POST handlers must add the max_input_vars check.

Of course I am biased, because suhosin is one of the affected extensions. But 
that said, suhosin has had a limit similar to max_input_vars for 7 years now.

Regards,
Stefan Esser
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
