Cool project

Gareth

Jan 21, 2008, 6:10:35 PM
to inspekt
I've had experience writing a PHP filter for WordPress and found this
project. It will be cool to integrate it with PHPIDS etc :)

Here's one problem I've found in the code:-
function _walkArray($input, $method) {
    // DOS attack possible by supplying large arrays
    // Multidimensional arrays should be truncated to a maximum
    // amount of dimensions
    foreach ($input as $key => $val) {
        if (is_array($val)) {
            $input[$key] = Inspekt::_walkArray($val, $method);
        } else {
            $val = Inspekt::$method($val);
            $input[$key] = $val;
        }
    }
    return $input;
}

Ed Finkler

Jan 21, 2008, 6:43:51 PM
to ins...@googlegroups.com
That's a good idea. Thoughts on what is a practical limit? For the
sake of form processing it wouldn't need to be very high (5 max)? If
someone were storing a large-ish hash, it could be larger, but I
expect the number of people doing that and using Inspekt to clean
access it is pretty small.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

Gareth

Jan 21, 2008, 7:44:46 PM
to inspekt
Yep by default it could be a low number and anyone with large amount
could set it with a function call or configuration setting.

Sorry about the double post btw but Google groups doesn't seem to like
me :)

On Jan 21, 11:43 pm, "Ed Finkler" <funkat...@gmail.com> wrote:
> That's a good idea. Thoughts on what is a practical limit? For the
> sake of form processing it wouldn't need to be very high (5 max)? If
> someone were storing a large-ish hash, it could be larger, but I
> expect the number of people doing that and using Inspekt to clean
> access it is pretty small.
>
> On Jan 21, 2008 6:10 PM, Gareth <gazhe...@gmail.com> wrote:
>
> > I've had experience writing a PHP filter for wordpress and found this
> > project. It will be cool to integrate it with PHPIDS etc :)
>
> > Here's one problem I've found in the code:-
> > function _walkArray($input, $method) {
> >     // DOS attack possible by supplying large arrays
> >     // Multidimensional arrays should be truncated to a maximum
> >     // amount of dimensions
> >     foreach ($input as $key => $val) {
> >         if (is_array($val)) {
> >             $input[$key] = Inspekt::_walkArray($val, $method);
> >         } else {
> >             $val = Inspekt::$method($val);
> >             $input[$key] = $val;
> >         }
> >     }
> >     return $input;
> > }
>
> --
> Ed Finkler
> http://funkatron.com

Ed Finkler

Jan 22, 2008, 3:02:32 PM
to ins...@googlegroups.com
On Jan 21, 2008 7:44 PM, Gareth <gazh...@gmail.com> wrote:
>
> Yep by default it could be a low number and anyone with large amount
> could set it with a function call or configuration setting.

Right. I implemented a hard-coded limit in the SVN repo last night of
10; it was quick and dirty, though, and more experienced eyes on it
would be appreciated.

> Sorry about the double post btw but Google groups doesn't seem to like
> me :)

Bastards!

--
Ed Finkler
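
The depth limit discussed in this thread, sketched as an added example; it is not Inspekt's code and not the change committed to its SVN repo. The names walkArrayLimited, $maxDepth and $budget are hypothetical, and the total-element budget goes beyond the thread's depth limit to cover the "large arrays" comment in the first post.

```php
<?php
// Added example: walkArrayLimited, $maxDepth and $budget are hypothetical
// names, not part of Inspekt. Requires PHP 7+ for the scalar type hints.

/**
 * Apply $filter to every non-array leaf of $input.
 * - Arrays nested deeper than $maxDepth are truncated to an empty array.
 * - $budget is shared across the whole recursion (passed by reference);
 *   visiting more elements than the budget allows aborts the walk.
 */
function walkArrayLimited(array $input, callable $filter, int $maxDepth = 10,
                          int &$budget = 10000, int $depth = 1): array
{
    $out = [];
    foreach ($input as $key => $val) {
        if (--$budget < 0) {
            throw new LengthException('input exceeds element budget');
        }
        if (is_array($val)) {
            // Stop descending once the limit is reached instead of recursing.
            $out[$key] = ($depth >= $maxDepth)
                ? []
                : walkArrayLimited($val, $filter, $maxDepth, $budget, $depth + 1);
        } else {
            $out[$key] = $filter($val);
        }
    }
    return $out;
}

// Constructed sample input: the kind of structure PHP builds from a request
// parameter such as x[a][a][a]...=value, here nested 50 levels deep.
$deep = '<b>leaf</b>';
for ($i = 0; $i < 50; $i++) {
    $deep = ['a' => $deep];
}
$request = ['name' => '<i>Ed</i>', 'x' => $deep];

// Low default for form processing, as suggested in the thread (5).
$clean = walkArrayLimited($request, 'strip_tags', 5);
echo json_encode($clean), "\n";

// A caller storing a larger structure raises the limit per call.
$cleanLarge = walkArrayLimited($request, 'strip_tags', 64);
echo json_encode($cleanLarge), "\n";
```

Whether an over-deep branch is truncated or the whole input is rejected is a policy choice; truncation follows the wording of the comment in the first post.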
