On Fri, Jun 26, 2026, at 14:42, Arnaud Le Blanc wrote:
> Can we deprecate the filter only in php://filter URLs, and not in the
> function-based filter API?

Yes, this would be a practical solution that prevents misuse of dechunk in attacks, while still providing it for legitimate use.

It is technically possible, but it won't be a pretty implementation. It would basically be `if (name==dechunk) raise_error()` in the code that parses the filter URL. It would break the consistency of the filter API.

Perhaps it would be useful to first deprecate and remove dechunk in php://filter URLs and later deprecate and remove it altogether, but doing only the first without doing the latter would be a real hack.

An alternative could be to offer http_dechunk() as a function, instead of as a filter, to provide an easier upgrade path.

A more rigorous approach could be to deprecate the whole of php://filter URLs.

Regards,
Sjoerd Langkemper
