Re: Let parse_str() parse more than max_input_vars args

Date: Wed, 14 Mar 2012 21:38:01 +0000
Subject: Re: Let parse_str() parse more than max_input_vars args
Groups: php.internals
On 03/14/2012 01:32 PM, Pierre Joye wrote:
> hi Rasmus,
> 
> As the ini_all option sounds appealing, I can imagine ISPs willing to
> not allow their users to change this value, and that's something I
> would not allow random users either.
> 
> I'd go with the optional argument, adding a clear in the
> documentation about the confusing error message.

But Pierre, you understand that by the time you ini_set() it in the code
it can only ever affect parse_str() calls. Normal GPC parsing is done
prior to the PHP script running so there is no way for a userspace
script to ini_set() themselves to a state where they will be insecure to
a remote attack. They would have to go out of their way to specifically
write code to do that and that is something they can obviously do anyway
by simply building a big hash from some external source. So I don't
really think this is a valid concern. If this was a real concern I would
think you would have objected to the current INI_PERDIR. This is where a
user can make his scripts unsafe by disabling max_input_vars in a
.htaccess file.

-Rasmus
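A short check of the behaviour Rasmus describes, as an added example that is not part of the thread: it assumes a stock PHP 5.3.9 or later, where max_input_vars is PHP_INI_PERDIR, and the function names (buildQuery, parseChecked) are mine.

```php
<?php
// Added example, not code from the php.internals thread.
// Shows (1) that a script cannot raise max_input_vars at runtime because
// the directive is PHP_INI_PERDIR, and (2) that parse_str() is subject to
// the same cap as GPC parsing, so surplus variables are silently dropped
// (with the "Input variables exceeded ..." warning the thread mentions).

// Constructed input: a query string with $n distinct variables.
function buildQuery(int $n): string {
    $pairs = [];
    for ($i = 0; $i < $n; $i++) {
        $pairs[] = "v$i=1";
    }
    return implode('&', $pairs);
}

$limit = (int) ini_get('max_input_vars');   // 1000 unless php.ini/.htaccess changed it
echo "max_input_vars = $limit\n";

// A PHP_INI_PERDIR directive rejects runtime changes: ini_set() returns false.
$ok = @ini_set('max_input_vars', (string) ($limit * 2));
echo "runtime ini_set() was " . ($ok === false ? "rejected" : "accepted") . "\n";

// parse_str() applies the cap: variables beyond $limit are dropped.
$query  = buildQuery($limit + 5);
$parsed = [];
@parse_str($query, $parsed);
echo "requested " . ($limit + 5) . " variables, parsed " . count($parsed) . "\n";

// Defensive wrapper: a caller that knows how many pairs it handed to
// parse_str() can detect truncation instead of trusting a partial result.
// Caveat: duplicate names (a=1&a=2) collapse into one entry, so the
// expected count is only a lower bound for such input.
function parseChecked(string $query): array {
    $expected = $query === '' ? 0 : substr_count($query, '&') + 1;
    $out = [];
    @parse_str($query, $out);
    $limit = (int) ini_get('max_input_vars');
    if ($expected > $limit && count($out) < $expected) {
        throw new RuntimeException(
            "parse_str() truncated input: $expected pairs sent, "
            . count($out) . " parsed (max_input_vars = $limit)");
    }
    return $out;
}
```

Run it from the CLI to see the cap applied to parse_str() while the ini_set() attempt fails, which is why only a php.ini or .htaccess change can weaken the limit today.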
