Hi

On 9/14/22 21:38, Jordan LeDoux wrote:
> the ML, since I'm not suggesting there is a problem, I'm mostly just
> wondering if someone with more expertise can confirm that it isn't an issue.


As indicated by the phrasing in my previous email, this knowledge does not enable an attacker to do anything that they wouldn't be able to do otherwise. I would also expect that at least the value of the INI setting is going to be the default value of 1000 for the vast majority of installations out there.

This is primarily an issue of user experience: A user's input data might not be correctly processed without the user or the PHP application being aware of it.

This incorrect processing might have security implications, e.g. when an application uses checkboxes to remove users from a group with elevated permissions, the admin checks more than 1000 users and the application does not remove the excess users from the group, despite the user making extra sure to double check that they checked all the users.

Thus to answer Larry's question, a reasonable action the script could take is: Show a non-technical well-styled error message to the human, instead of aborting the request with a 500 or silently causing "data corruption".

Best regards
Tim Düsterhus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
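
The check suggested in the message above, sketched as an added example that is not part of the original email or of PHP itself: refuse the whole request with a readable message when more variables were submitted than the limit allows. It assumes the INI setting in question is max_input_vars, a urlencoded POST body, and that every '&'-separated pair counts as one input variable; the function names and the sample form are hypothetical.

```php
<?php
declare(strict_types=1);

// Count the '&'-separated pairs in a raw application/x-www-form-urlencoded body.
// Assumption: each pair counts as one input variable against the limit.
function countSubmittedPairs(string $rawBody): int
{
    $pairs = array_filter(explode('&', $rawBody), static fn(string $p): bool => $p !== '');
    return count($pairs);
}

// Hypothetical helper: decide whether the removal request may be processed at all.
// Rejecting the whole request avoids acting on a silently truncated selection.
function checkRemovalRequest(string $rawBody, int $limit): array
{
    $submitted = countSubmittedPairs($rawBody);
    if ($submitted > $limit) {
        return [
            'ok' => false,
            'message' => 'Too many entries were selected at once. No users were removed. '
                . 'Please select fewer users and submit again.',
        ];
    }
    return ['ok' => true, 'message' => ''];
}

// Constructed sample: an admin ticks 1200 "remove[]" checkboxes, plus one token field.
$sampleBody = 'csrf=constructed-token&' . implode('&', array_map(
    static fn(int $id): string => 'remove%5B%5D=' . $id,
    range(1, 1200)
));

// In a request handler the inputs would be file_get_contents('php://input') and
// (int) ini_get('max_input_vars'); they are fixed here so the script runs from the CLI.
// php://input is not available for multipart/form-data requests.
$result = checkRemovalRequest($sampleBody, 1000);

if (!$result['ok']) {
    http_response_code(422); // has no effect on the CLI
    echo htmlspecialchars($result['message'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
} else {
    echo 'Processing removal request', PHP_EOL;
}
```

The comparison has to run before the application reads $_POST, so that a truncated selection is never applied in part.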
