On 01/04/2012 01:48 PM, Rasmus Lerdorf wrote:
> On 01/04/2012 01:27 PM, Stas Malyshev wrote:
>> Hi!
>>
>>> Right, like I said in my previous message, if this is caught by
>>> display_start_errors, I am ok with it. We need the default/no php.ini
>>> file case to not leak information like this.
>>
>> Just checked - it does not display error if display_startup_errors if
>> off, does display if it's on.
>
> Right, that seems ok. The other thing is that we need to clarify that it
> actually only limits the number of variables per nesting level. The
> current name and the description doesn't make that clear. You can still
> send 1M post vars in a single POST if you just nest them in a 1000x1000
> 2d array. Of course, this is likely going to hit the post_max_size
> limit, although many sites that do file uploads will have cranked that
> way up.
Oh, and a final issue to address.
This code:
for($data=[],$i=0; $i<=999; $i++) $data[$i] = range(0,1001);
echo curl_post("http://localhost/index.php";,['a'=>$data]);
will spew the warning 2000 times.
& php post.php | grep Warning | wc -l
2000
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
