QUERY_STRING is limited; but what about POST/etc.? I think giving attackers a way to turn a variable into an array is a problem at large.
On 22 Oct 2014, at 22:08, Anatol Belski <a...@php.net> wrote: > On Wed, October 22, 2014 21:18, Daniel Zulla wrote: >> What happens if you exceed uint32? >> >> >> Just curious, security-wise, because AFAIR exceeding uint32 would be >> possible through superglobals only, which a potential attacker could abuse. >> >> >> param=foo >> >> param[a]=foo¶m[b]=foo¶m[c]=foo¶m[…]=foo (reaching uin32+1) >> > Daniel, > > QUERY_STRING length has a limitation. And, unsigned will roll over once > exceeded. So without looking deeply at the code, it might just reset the > whole HashTable to the zero size, but the internal counters will be blown. > > Regards > > Anatol > > > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php