Michal Migurski wrote:
Isn't this potentially a DoS attack vector anyway? I don't need a server
to accept or read my obscenely long POST requests to clog the pipes with
them. Would the proper way to handle this risk be to disallow POST at the
webserver level, or does turning always_populate_raw_post_data off cause
the connection to be automatically dropped after Connection: close?

By default PHP streams the STDIN to a file, so you're just dealing with a buffer sized ~2K-4K. Enabling this option makes PHP put the contents into memory, thus leaving open the possibility of someone using up all your memory and bringing the machine to a standstill, then when swap space runs out... watch out! :)


This makes sense, thanks.


Does not make sense to me.


PHP must read the whole post stream to create the $_POST and $HTTP_POST_VARS arrays, and to save file uploads into temporary files. This happens before the script is executed.

$HTTP_RAW_POST_DATA is just another variable occupying memory, and is not needed in 99.9999% of cases. It would make it more likely to hit the PHP memory limit. Thus the option.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
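
An added example, not part of the thread and not PHP's own code: one way a script can read a raw POST body in fixed-size chunks with a byte cap, so it never holds more than one chunk plus a small spill buffer in a variable. The names `read_body_capped`, `MAX_BODY_BYTES` and `CHUNK_BYTES` and the size values are assumptions; the sample bodies in the CLI branch are constructed.

```php
<?php
// Added example. All names and limits below are hypothetical policy choices.
const MAX_BODY_BYTES = 1048576; // assumed cap: 1 MiB
const CHUNK_BYTES    = 8192;    // assumed read size per fread()

/**
 * Copy a request body from $in into a temp stream, chunk by chunk.
 * Returns the rewound temp stream, or null once the body exceeds $max bytes.
 */
function read_body_capped($in, $max, $chunk = CHUNK_BYTES)
{
    // php://temp holds up to maxmemory bytes in RAM, then spills to a temp file.
    $out   = fopen('php://temp/maxmemory:65536', 'w+b');
    $total = 0;
    while (!feof($in)) {
        $buf = fread($in, $chunk);
        if ($buf === false || $buf === '') {
            break; // read error or nothing left
        }
        $total += strlen($buf);
        if ($total > $max) {
            fclose($out); // stop reading and discard what was stored
            return null;
        }
        fwrite($out, $buf);
    }
    rewind($out);
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed input: a 3000-byte and a 500-byte body against a 2048-byte cap.
    foreach (array(3000, 500) as $n) {
        $in = fopen('php://memory', 'w+b');
        fwrite($in, str_repeat('a', $n));
        rewind($in);
        $body = read_body_capped($in, 2048);
        echo $n, ' bytes: ', ($body === null ? 'rejected' : 'accepted'), "\n";
    }
} else {
    // Under a web SAPI: refuse on the declared length first, then enforce while reading.
    $declared = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : 0;
    $body = $declared > MAX_BODY_BYTES
        ? null
        : read_body_capped(fopen('php://input', 'rb'), MAX_BODY_BYTES);
    if ($body === null) {
        header('HTTP/1.1 413 Request Entity Too Large');
        exit;
    }
}
```

This bounds only what the script itself buffers; limits on what the web server and PHP accept before the script runs are configured separately.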


