On Mon, Jan 9, 2012 at 4:41 PM, Pierre Joye <pierre....@gmail.com> wrote:
> hi,
>
> Moving this discussion here as it makes little to no sense to discuss
> that any longer on security@
>
> We are now very late behind an acceptable delay to provide a fix for
> the hash DoS, to say it nicely.
>
> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
> this week using the max_input_vars fix, with the modification from
> Laruence (but with a larger limit). Laruence's addition also fixes
> serialize or json, which are parts that need this fix as well as it is
> impossible to validate a string manually (length check only is not enough
> or cannot work in all cases).

By Laruence's addition you mean this patch: https://bugs.php.net/patch-display.php?bug_id=60655&patch=max_input_vars.patch&revision=latest ?

If so, two questions:

1. Why should all POST variables be counted into the limit, not only the ones in one nesting level?
2. How high would the limit for serialize() and json_decode() be approximately? I think that few applications will use more than 1000 POST vars, but I could well imagine that they have large serialized arrays. Putting the limit too high, on the other hand, will pretty much defeat the purpose of the fix.

> But 1st of all, the fix addition has to be applied and fully tested.
> But if the addition is not desired yet, then we must at least release
> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
> ideally within 2 weeks max.

I'd prefer that. Don't think that it's wise to apply a different fix shortly before the release.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php