{"id":2324,"date":"2012-04-04T19:02:08","date_gmt":"2012-04-04T18:02:08","guid":{"rendered":"http:\/\/www.nivas.hr\/blog\/?p=2324"},"modified":"2012-04-04T19:02:08","modified_gmt":"2012-04-04T18:02:08","slug":"beware-of-max_input_vars-php-ini-configuration-option","status":"publish","type":"post","link":"https:\/\/www.nivas.hr\/blog\/2012\/04\/04\/beware-of-max_input_vars-php-ini-configuration-option\/","title":{"rendered":"Beware of max_input_vars php ini configuration option"},"content":{"rendered":"<p>If you are updating PHP on your production server, beware of the relatively new <a href=\"http:\/\/www.php.net\/manual\/en\/info.configuration.php#ini.max-input-vars\">max_input_vars<\/a> php.ini directive, which now defaults to 1000. That means if you have 1001 form fields &#8211; only 1000 of them will be submitted. This directive mitigates denial-of-service attacks that rely on hash collisions, as described in <a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2011-4885\">CVE-2011-4885<\/a>. <\/p>\n<p>From the PHP changelog:<br \/>\n<code><br \/>\n2012-01-03 : security \/ trunk - Added php-5.2-max-input-vars patch max_input_vars directive to prevent attacks based on hash collisions - CVE-2011-4885<br \/>\n<\/code><\/p>\n<p>Why we have so many form fields is a subject for a different post. The main problem is that even the php.net site says this directive is available from PHP version 5.3.9. The fact is we have 5.3.2-1ubuntu4.14 and the update is there. <\/p>\n<p>So&#8230; you know&#8230; beware. 
:)<\/p>\n<p><a href=\"http:\/\/www.nivas.hr\/blog\/wp-content\/uploads\/2012\/04\/max_input_vars.png\"><img loading=\"lazy\" src=\"http:\/\/www.nivas.hr\/blog\/wp-content\/uploads\/2012\/04\/max_input_vars-450x89.png\" alt=\"\" title=\"max_input_vars\" width=\"450\" height=\"89\" class=\"alignnone size-medium wp-image-2325\" srcset=\"https:\/\/www.nivas.hr\/blog\/wp-content\/uploads\/2012\/04\/max_input_vars-450x89.png 450w, https:\/\/www.nivas.hr\/blog\/wp-content\/uploads\/2012\/04\/max_input_vars.png 979w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are updating PHP on your production server, beware of the relatively new max_input_vars php.ini directive which is now 1000 by default. That means if you have 1001 form fields &#8211; only 1000 of them will be submitted. Use of this directive mitigates the possibility of denial of service attacks which use hash collisions in&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1,19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/posts\/2324"}],"collection":[{"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/comments?post=2324"}],"version-history":[{"count":4,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/posts\/2324\/revisions"}],"predecessor-version":[{"id":2329,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/posts\/2324\/revisions\/2329"}],"wp:attachment":[{"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/media?parent=2324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/categories?post=2324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nivas.hr\/blog\/wp-json\/wp\/v2\/tags?post=2324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}