* Thus wrote Michal Migurski ([EMAIL PROTECTED]): > > > Anyone have any clue why this is the case? Is there a performance > > > reason that raw post data must be explicitly enabled, or is it more of > > > a protective measure for overly permissive beginner scripts? > > > > If it was always enabled, it sure would make a DoS attack easy. I'd just > > send lots of huge POST requests to any PHP script on your server. Hope > > you have "migs and megs of memories," as Strong Bad would say. :-) > > Isn't this potentially a DoS attack vector anyway? I don't need a server > to accept or read my obscenely long POST requests to clog the pipes with > them. Would the proper way to handle this risk be to disallow POST at the > webserver level, or does turning always_populate_raw_post_data off cause > the connection to be automatically dropped after Connection: close?
The POST data basically sits in STDIN for the webserver, it will just sit there unless somebody like php reads that data and does something with it. By default php streams the STDIN to a file so your just dealing with buffer sized ~2K-4K. enabling this option makes php put the contents into memory, thus leaving open the possiblity of someone using up all your memory and bringing the machine to a standstill till, then when swap space runs out.. watch out! :) Curt -- "I used to think I was indecisive, but now I'm not so sure." -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
