On 03/14/2012 01:32 PM, Pierre Joye wrote:
> hi Rasmus,
>
> As the ini_all option sounds appealing, I can imagine ISPs willing to
> not allow their users to change this value, and that's something I
> would not allow random users either.
>
> I'd go with the optional argument, adding a clear in the
> documentation about the confusing error message.
But Pierre, you understand that by the time you ini_set() it in the code it can only ever affect parse_str() calls. Normal GPC parsing is done prior to the PHP script running, so there is no way for a userspace script to ini_set() themselves into a state where they will be insecure to a remote attack. They would have to go out of their way to specifically write code to do that, and that is something they can obviously do anyway by simply building a big hash from some external source. So I don't really think this is a valid concern.

If this was a real concern I would think you would have objected to the current INI_PERDIR. This is where a user can make his scripts unsafe by disabling max_input_vars in a .htaccess file.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
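An added example, not code from the thread or from PHP itself, showing the scoping point Rasmus makes from the defender's side: with max_input_vars as INI_PERDIR a script cannot change it at runtime, the request's GPC data was parsed before the script ran, and the one thing the script still controls is what it hands to parse_str(). The helper name parse_str_bounded and the 1000-variable limit are assumptions.

```php
<?php
// ini_set() on an INI_PERDIR directive fails at runtime; the GET/POST/COOKIE
// arrays were already built under the .htaccess/php.ini value before this line.
if (ini_set('max_input_vars', '10') === false) {
    echo "max_input_vars is INI_PERDIR and cannot be changed at runtime", PHP_EOL;
}

/**
 * parse_str() with a caller-side cap on the number of variables (hypothetical
 * helper). A script feeding parse_str() untrusted strings is the only place
 * where userspace still decides how big a hash gets built, so bound it here
 * rather than relying on an ini setting the script cannot control.
 */
function parse_str_bounded(string $input, int $max_vars = 1000): array
{
    // Each '&' delimits one candidate pair; empty segments are counted too,
    // so this is an upper bound on the variables parse_str() would create.
    $pairs = substr_count($input, '&') + 1;
    if ($pairs > $max_vars) {
        throw new LengthException(
            "Refusing to parse $pairs variables (limit $max_vars)"
        );
    }
    parse_str($input, $result);
    return $result;
}

// Constructed inputs: a small query string and an oversized one.
$small = 'a=1&b=2&c=3';
print_r(parse_str_bounded($small, 1000));

$big = implode('&', array_map(fn ($i) => "v$i=$i", range(1, 5000)));
try {
    parse_str_bounded($big, 1000);
} catch (LengthException $e) {
    // The oversized string is rejected before any hash is built.
    echo $e->getMessage(), PHP_EOL;
}
```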