On Thu, 7 Nov 2024, jvoisin wrote:
> The easiest way to kill this vector is to simply limit the number of
> filters that can be chained, as attacks require a at least a couple of
> them, while legitimate use usually use one or two tops, as highlighted
> by arnaud-lb's analysis:
> https://github.com/php/php-src/pull/16699#issuecomment-2462281938
>
> I sent a pull-request to implement this:
> https://github.com/php/php-src/pull/16699
>
> What do y'all think about this?
I am not a fan of hardcoding arbitrary limits, or having an ini setting
for such a limit. I especially think that the suggested limit of 5, or
even 3, is not a good idea.
The example that the issue links to to fix a vulnaribility in is:
include $_GET['page'];
Which is... yeah.
cheers,
Derick
--
https://derickrethans.nl | https://xdebug.org | https://dram.io
Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support
mastodon: @derickr@phpc.social @xdebug@phpc.social
