> > Isn't this potentially a DoS attack vector anyway? I don't need a server
> > to accept or read my obscenely long POST requests to clog the pipes with
> > them. Would the proper way to handle this risk be to disallow POST at the
> > webserver level, or does turning always_populate_raw_post_data off cause
> > the connection to be automatically dropped after Connection: close?
>
> By default php streams the STDIN to a file so you're just dealing with
> buffer sized ~2K-4K. Enabling this option makes php put the contents
> into memory, thus leaving open the possibility of someone using up all
> your memory and bringing the machine to a standstill till, then when
> swap space runs out.. watch out! :)

This makes sense, thanks.

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca            http://mike.teczno.com/contact.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
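
The memory concern raised in the quoted reply, as an added example that is not part of the original thread: the POST body is read from `php://input` in small chunks with a hard cap, so the script never holds an attacker-sized body in memory. The 1 MiB cap, the chunk size and the function name `copy_body_capped` are assumptions chosen for illustration, and the syntax targets PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Cap and chunk size are assumed values.
const MAX_BODY_BYTES = 1048576; // 1 MiB hard limit on the request body
const CHUNK_BYTES    = 4096;    // read size, comparable to the buffer sizes mentioned above

/**
 * Copy a request body from $in to $out in fixed-size chunks.
 * Returns the number of bytes copied; throws as soon as the cap is exceeded,
 * so memory use stays bounded by the chunk size regardless of body length.
 */
function copy_body_capped($in, $out, int $maxBytes, int $chunk = CHUNK_BYTES): int
{
    $total = 0;
    while (!feof($in)) {
        $buf = fread($in, $chunk);
        if ($buf === false || $buf === '') {
            break; // read error or end of stream
        }
        $total += strlen($buf);
        if ($total > $maxBytes) {
            throw new LengthException('request body exceeds cap');
        }
        fwrite($out, $buf);
    }
    return $total;
}

// Reject early when the client declares an oversized body.
$declared = (int)($_SERVER['CONTENT_LENGTH'] ?? 0);
if ($declared > MAX_BODY_BYTES) {
    http_response_code(413);
    exit;
}

$in  = fopen('php://input', 'rb');
// php://temp keeps up to 64 KiB in memory, then spills to a temporary file.
$out = fopen('php://temp/maxmemory:65536', 'w+b');

try {
    // The declared length can be absent or wrong, so the cap is enforced while reading.
    $bytes = copy_body_capped($in, $out, MAX_BODY_BYTES);
} catch (LengthException $e) {
    http_response_code(413); // Payload Too Large
    exit;
}

rewind($out); // $out now holds the bounded body, ready to be parsed as a stream
```

This bounds only what the script buffers; bytes still cross the network and reach the web server, so a request-size limit at the web server remains a separate control.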