I am working on some things to harden PHP against filter chain attacks:

• PHP RFC: Limit maximum number of filter chains <https://wiki.php.net/rfc/limit-maximum-number-of-filter-chains>
• Dechunk incorrectly truncates string when it starts with a hex character <https://github.com/php/php-src/issues/21983>

Filter chains use php://filter/ URLs with many filters, which are useful in several attacks, described in the RFC. I propose to limit the number of filters, and make the dechunk filter less useful for attacks. Please let me know what you think about this.

Regards, Sjoerd Langkemper
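
For defenders who want to spot long php://filter chains in request logs, the following added example (not part of the original e-mail or of the RFC) counts the filters named in a php://filter URL and flags log lines above a threshold. The threshold `MAX_FILTERS`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_FILTERS = 5  # assumed threshold for this example; not a value from the RFC

# Capture everything after "php://filter" up to whitespace or a quote.
_FILTER_URL = re.compile(r"php://filter(/[^\s\"']*)", re.IGNORECASE)

def count_filters(text):
    """Count the filters named in the first php://filter URL found in text."""
    match = _FILTER_URL.search(text)
    if match is None:
        return 0
    # The part before "/resource=" holds the filter specification.
    spec = match.group(1).split("/resource=", 1)[0]
    total = 0
    for segment in spec.split("/"):
        # "read=" and "write=" select a direction; a bare segment applies to both.
        segment = re.sub(r"^(read|write)=", "", segment, flags=re.IGNORECASE)
        total += sum(1 for name in segment.split("|") if name)
    return total

def flag_long_chains(log_lines, limit=MAX_FILTERS):
    """Return (line_number, filter_count) for lines whose chain exceeds limit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        count = count_filters(unquote(line))  # undo one layer of URL encoding
        if count > limit:
            hits.append((number, count))
    return hits

# Constructed sample input: a harmless encode/decode round trip repeated six times.
_LONG = "%7C".join(["convert.base64-encode", "convert.base64-decode"] * 6)
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2025:10:00:00 +0000] "GET /view.php?page=about.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /view.php?page=php://filter/'
    'read=string.toupper/resource=about.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /view.php?page=php://filter/'
    + _LONG + '/resource=about.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, count in flag_long_chains(SAMPLE_LOG):
        print(f"line {number}: {count} filters in one php://filter URL")
```

The counter only undoes one layer of URL encoding, so values that are encoded more than once need to be decoded before they are passed in.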
