Added max_input_vars directive to prevent attacks based on hash collisions

2025-08-15 21:48:51 +02:00 · 2011-12-15 10:31:02 +00:00 · 2011-12-15 10:31:02 +00:00 · e467a791d3
commit e467a791d3
parent 4dfd69e84b
3 changed files with 10 additions and 0 deletions
--- a/4
+++ b/4
@ -75,6 +75,10 @@ UPGRADE NOTES - PHP 5.4
  - safe_mode_protected_env_vars
  - zend.ze1_compatibility_mode

+- the following new directives were added
+
+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+    accepted. default value 1000. 

 =============================
 2. Reserved words and classes
--- a/php.ini-development
+++ b/php.ini-development
@ -397,6 +397,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
--- a/php.ini-production
+++ b/php.ini-production
@ -397,6 +397,9 @@ max_input_time = 60
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M