On Fri, Sep 21, 2012 at 1:05 PM, Ivan Enderlin @ Hoa <ivan.ender...@hoa-project.net> wrote:

> Hello,
>
> If PHP receives an HTTP request with the method POST and with the header Content-Type: application/x-www-form-urlencoded, then it automatically parses the request body to populate an array in $_POST. If the Content-Type is different (e.g. text/plain or application/json), the request body is reachable by reading php://input. Well, it is ok.
>
> But are there any plans to consider application/json by parsing the request body and populating the result in $_POST (with the help of json_decode() maybe)?
>
> If so, I would like to propose a patch but I don't find in the source code where the request body is caught and parsed (for POST). Any ideas?
> Maybe an RFC would also be welcome to complete my suggestion?
>
> Thanks.

Please watch out to not reintroduce CVE-2011-4885. AFAIR we discussed that json_decode is also vulnerable to the hash collision, but I don't remember seeing any fix committed to json_decode. Depending on how you would extract the JSON-encoded variables, this would make it possible to bypass the protection of the max_input_vars limit.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
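As an added example (not code from this thread, nor from PHP itself), one way an application-side JSON body parser can keep the same variable ceiling that the form parser enforces through max_input_vars, so a JSON body does not become a route around it. The depth cap of 32 and the sample payload are constructed values chosen here, not PHP defaults.

```php
<?php
// Count every array element (key) recursively, the way each $_POST entry
// would be counted, and stop as soon as the limit is exceeded.
function count_vars(array $data, int &$count, int $limit): bool
{
    foreach ($data as $v) {
        if (++$count > $limit) {
            return false;
        }
        if (is_array($v) && !count_vars($v, $count, $limit)) {
            return false;
        }
    }
    return true;
}

// Decode a JSON request body under two ceilings: nesting depth (passed to
// json_decode) and total variable count (mirroring max_input_vars). Unlike
// PHP's form parser, which truncates and warns, this rejects the body outright.
function parse_json_body(string $body, ?int $maxVars = null, int $maxDepth = 32): ?array
{
    $maxVars = $maxVars ?? (int) ini_get('max_input_vars');
    if ($maxVars <= 0) {
        $maxVars = 1000; // PHP's documented default for max_input_vars
    }
    $data = json_decode($body, true, $maxDepth, JSON_BIGINT_AS_STRING);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return null; // malformed, too deep, or not an object/array
    }
    $count = 0;
    if (!count_vars($data, $count, $maxVars)) {
        return null; // would exceed the variable ceiling
    }
    return $data;
}

// Constructed sample: a body with 5 top-level keys against a limit of 3.
$sample = json_encode(['a' => 1, 'b' => 2, 'c' => 3, 'd' => 4, 'e' => 5]);
var_dump(parse_json_body($sample, 3)); // NULL: refused
var_dump(parse_json_body($sample, 10) !== null); // bool(true): accepted

// In a request handler, only opt in for the JSON content type:
if (strtok($_SERVER['CONTENT_TYPE'] ?? '', ';') === 'application/json') {
    $json = parse_json_body(file_get_contents('php://input'));
}
```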