Skip to content

Limit maximum number of filter chains#22110

Open
Sjord wants to merge 2 commits into
php:masterfrom
Sjord:limit_filters
Open

Limit maximum number of filter chains#22110
Sjord wants to merge 2 commits into
php:masterfrom
Sjord:limit_filters

Conversation

@Sjord
Copy link
Copy Markdown

@Sjord Sjord commented May 21, 2026

jvoisin and others added 2 commits May 13, 2026 15:21
@jvoisin
Limit the number of filters
7731252 
Chaining filters is becoming an increasingly popular primitive to exploit PHP
applications. Limiting the usage of only a few of them at the time should,
if not close entirely, make it significantly less attractive.

This should close php#10453
Count number of filters, raise deprecation warning
a315900 
Limit number of filters that can be chained in a php://filter URL.

Count number of filters already on the stream, instead of counting iterations on the loop. When filters are separated by slash instead of pipe, php_stream_apply_filter_list is called muliple times, so counting iterations won't work. Instead, count numbers of filters already on the chain.
Add more elaborate test that tests:
- file read
- file include
- no warning on stream_filter_append

Related to:
php#10453
php#16699
@Sjord Sjord requested a review from bukka as a code owner May 21, 2026 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka Awaiting requested review from bukka bukka is a code owner

Assignees

No one assigned

Labels

ABI break Extension: standard

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Sjord @jvoisin