> > Anyone have any clue why this is the case? Is there a performance > > reason that raw post data must be explicitly enabled, or is it more of > > a protective measure for overly permissive beginner scripts? > > If it was always enabled, it sure would make a DoS attack easy. I'd just > send lots of huge POST requests to any PHP script on your server. Hope > you have "migs and megs of memories," as Strong Bad would say. :-)
Isn't this potentially a DoS attack vector anyway? I don't need a server to accept or read my obscenely long POST requests to clog the pipes with them. Would the proper way to handle this risk be to disallow POST at the webserver level, or does turning always_populate_raw_post_data off cause the connection to be automatically dropped after Connection: close? -mike. --------------------------------------------------------------------- michal migurski- contact info and pgp key: sf/ca http://mike.teczno.com/contact.html -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
