On Sat, 9 May 2026, Sjoerd Langkemper wrote:

> I am working on some things to harden PHP against filter chain attacks:
>
> • PHP RFC: Limit maximum number of filter chains
>   <https://wiki.php.net/rfc/limit-maximum-number-of-filter-chains>
> • Dechunk incorrectly truncates string when it starts with a hex character
>   <https://github.com/php/php-src/issues/21983>
>
> Filter chains use php://filter/ URLs with many filters, which are
> useful in several attacks, described in the RFC. I propose to limit
> the number of filters, and make the dechunk filter less useful for
> attacks. Please let me know what you think about this.

I think this makes sense. I'll reiterate my reply to a private email about
the questions under the "Open Issues" section:

Your RFC says that most actual use is 1 or 2, with exploits requiring 100+.
Setting the default limit to say 16 should allow for wacky use, but not the
exploity variant.

I would also likely find it better if there was no INI setting. If you
*really* must use more than 16, then you can always recompile PHP.

To answer your questions from your RFC:

> Exact Limit: Should the default be 5, 10, or 20? (Most exploits
> require 50-100+).

As I said, I'm more comfortable with a higher number and a really low one.

> What should the INI name be? filter.max_chain_depth

I prefer no new INI setting, but perhaps 'filter.max_chain_length'. It's
not so much a depth, but a length.

> How should this be introduced and tightened? E.g. start with high hard
> limit, or low limit and give a deprecation warning instead of an
> error?

I wouldn't want to make this too complicated, and just have a hard limit
that gives an error.

> Should exceeding the limit throw a ValueError (consistent with modern
> PHP 8 APIs) or a Warning (consistent with legacy stream handling)?

I think this should throw a ValueError.

cheers,
Derick

-- 
https://derickrethans.nl | https://xdebug.org | https://dram.io
Author of Xdebug. Like it? Consider supporting me: https://xdebug.org/support
mastodon: @[email protected] @[email protected]
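An added illustration of the limit being discussed, written for this thread rather than taken from the RFC or php-src: a userland PHP shim that counts the filters in a php://filter/ URL and raises a ValueError when the chain is longer than a fixed limit (16, the value suggested in the reply above). The constant and function names are hypothetical, and the URL grammar assumed is the documented one: optional `read=`/`write=` segments, `|`-separated filter names, and a trailing `resource=`.

```php
<?php
// Added example, not php-src code: enforce a maximum php://filter chain
// length in userland, the way the RFC proposes doing it in the engine.
// The limit below is the 16 suggested in the thread; the names are hypothetical.

const MAX_FILTER_CHAIN_LENGTH = 16;

/**
 * Count the filters in a php://filter/ URL.
 *
 * Syntax: php://filter/[read=f1|f2][/write=f3|f4][/f5|f6]/resource=<target>
 * A segment without a read=/write= prefix applies to both directions.
 * Everything from "resource=" onwards is the target and is not counted.
 * Returns 0 for URLs that are not php://filter/ URLs at all.
 */
function countFilterChainLength(string $url): int
{
    if (stripos($url, 'php://filter/') !== 0) {
        return 0;
    }
    $spec = substr($url, strlen('php://filter/'));
    $resPos = strpos($spec, 'resource=');
    $chains = $resPos === false ? $spec : substr($spec, 0, $resPos);

    $count = 0;
    foreach (explode('/', $chains) as $segment) {
        // Drop an optional read= / write= prefix, then count the
        // '|'-separated filter names, ignoring empty entries.
        $segment = preg_replace('/^(read|write)=/', '', $segment);
        $count += count(array_filter(explode('|', $segment), 'strlen'));
    }
    return $count;
}

/** Open a resource only if its filter chain is within the limit. */
function openFilteredResource(string $url, int $limit = MAX_FILTER_CHAIN_LENGTH): string|false
{
    $length = countFilterChainLength($url);
    if ($length > $limit) {
        // ValueError, matching the preference stated in the reply above.
        throw new ValueError("php://filter chain length $length exceeds the limit of $limit");
    }
    return file_get_contents($url);
}

// Constructed inputs: a typical two-filter chain, and a chain of 100
// repeated harmless filters standing in for the long chains the RFC describes.
$short = 'php://filter/read=string.toupper|string.rot13/resource=php://memory';
$long  = 'php://filter/' . implode('|', array_fill(0, 100, 'convert.base64-encode')) . '/resource=php://memory';
echo countFilterChainLength($short), ' filters, ', countFilterChainLength($long), " filters\n";
try {
    openFilteredResource($long);
} catch (ValueError $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```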
