[wp-trac] [WordPress Trac] #37957: WordPress Maximum Post Submit Fields
WordPress Trac
noreply at wordpress.org
Wed Sep 7 09:09:03 UTC 2016
#37957: WordPress Maximum Post Submit Fields
-------------------------------+------------------------------
Reporter: nathanmemoria | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Posts, Post Types | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration
-------------------------------+------------------------------
Comment (by stephenharris):
Unfortunately the proposed solution simply exposes the vulnerability
again.
The limit is there to prevent a DoS attack which uses a large number of
POST fields with a high collision rate (in the underlying hash table) to
make populating the $_POST array expensive. (The idea is that the fields
each have a different key, but they map to the same key in the hash
table.)
If you're bundling data into one field, presumably at some point you're
going to want to extract it out into an array. So effectively you're going
to build an arbitrarily sized array which could be very large and contain a
high number of collisions.
Nor do I think this is a core issue - plug-in developers should
'namespace' their field names (the limit applies to each nesting level of
a sub array).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37957#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
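
Added example (not part of the original comment, and not WordPress or PHP code): a toy chained hash table that counts key comparisons, showing why a cap on the number of fields bounds the cost of colliding keys and why unpacking a bundled field into an uncapped array removes that bound. The byte-sum hash, the key scheme and all function names are assumptions made for illustration; 1000 is PHP's default `max_input_vars`.

```python
MAX_INPUT_VARS = 1000  # PHP's default max_input_vars


def weak_hash(key):
    # Toy hash (assumption, not PHP's real hash): the sum of the key's bytes.
    return sum(key.encode())


def colliding_keys(n, digits=3):
    # Constructed sample input: each base-26 digit d becomes the pair
    # (a+d, z-d), so all keys are distinct yet share one byte sum.
    keys = []
    for i in range(n):
        parts = []
        for _ in range(digits):
            i, d = divmod(i, 26)
            parts.append(chr(97 + d) + chr(122 - d))
        keys.append("".join(parts))
    return keys


def populate(keys, limit=None, hash_fn=weak_hash, buckets=1024):
    """Insert keys into a chained table; return the key comparisons spent."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for key in keys[:limit]:  # limit=None means no cap at all
        chain = table[hash_fn(key) % buckets]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)  # new key: appended after walking the chain
    return comparisons


if __name__ == "__main__":
    keys = colliding_keys(4000)
    # Cap enforced, as for top-level POST fields: cost is bounded.
    print("capped at 1000:", populate(keys, limit=MAX_INPUT_VARS))
    # Bundled field unpacked with no cap: 4x the keys, 16x the work.
    print("uncapped 4000: ", populate(keys))
    # Same key count under a well-distributed hash, for contrast.
    print("no collisions: ", populate(keys, hash_fn=hash))
```

With every key in one bucket the cost is n(n-1)/2 comparisons, so the only bound on the work is the bound on n; code that unpacks a bundled field needs its own element cap to keep that bound.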