
Limit maximum number of filter chains #22110

Open: Sjord wants to merge 4 commits into php:master from Sjord:limit_filters



@Sjord Sjord commented May 21, 2026

jvoisin and others added 2 commits May 13, 2026 15:21
Chaining filters is becoming an increasingly popular primitive to exploit PHP
applications. Limiting the usage to only a few of them at a time should,
if not close it entirely, make it significantly less attractive.

This should close php#10453
Limit number of filters that can be chained in a php://filter URL.

Count the number of filters already on the stream, instead of counting iterations of the loop. When filters are separated by slash instead of pipe, php_stream_apply_filter_list is called multiple times, so counting iterations won't work. Instead, count the number of filters already on the chain.
Add more elaborate test that tests:
- file read
- file include
- no warning on stream_filter_append

Related to:
php#10453
php#16699
Sjoerd Langkemper added 2 commits May 22, 2026 11:46
Read the maximum number of filters from context stream. If it is set, it
doesn't make sense to raise a deprecation warning, because this stream
context option didn't exist earlier. We raise an error consistent with
current stream handling, as long as rfc/stream_errors has not landed.

If it is not set, we give a deprecation warning when the 17th filter is
added. This is unfortunately done in another place; to prevent showing
warnings multiple times, the counting is done within the loop and not at
the end.
We get a zend_long from the stream context, so it makes sense to
consistently use it for all counts of filters.
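
The slash-versus-pipe point in the commit messages above, as an added example that is not code from this pull request or from php-src: a small C model that counts read-chain filters across every `/`-separated list and compares that with the largest single list, which is all a per-call loop counter would see. The function names, the simplified URL parsing, the sample URL and the use of 16 as the limit (taken from the "17th filter" wording) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_FILTERS 16 /* PR text: the warning fires when the 17th filter is added */
/* Count non-empty '|'-separated filter names in seg[0..len). */
static long count_pipe_list(const char *seg, size_t len)
{
    long n = 0;
    for (size_t i = 0; i < len; i++) { /* i++ steps over the '|' */
        size_t start = i;
        while (i < len && seg[i] != '|') i++;
        if (i > start) n++;
    }
    return n;
}

/* Simplified model (an assumption, not php-src code) of the '/'-separated lists
 * between "php://filter/" and "/resource=". per_list=0: read-chain total over all
 * lists; per_list=1: largest single list. Returns -1 for any other URL shape. */
long count_read_filters(const char *url, int per_list)
{
    static const char prefix[] = "php://filter/";
    if (strncasecmp(url, prefix, sizeof(prefix) - 1) != 0) return -1;
    const char *p = url + sizeof(prefix) - 1;
    const char *end = strstr(p - 1, "/resource=");
    if (!end) return -1;
    long total = 0, largest = 0;
    while (p < end) {
        const char *slash = memchr(p, '/', (size_t)(end - p));
        const char *seg_end = slash ? slash : end;
        if (strncasecmp(p, "write=", 6) != 0) { /* "read=" or bare list */
            if (strncasecmp(p, "read=", 5) == 0) p += 5;
            long n = count_pipe_list(p, (size_t)(seg_end - p));
            total += n;
            if (n > largest) largest = n;
        }
        p = seg_end + 1;
    }
    return per_list ? largest : total;
}

int main(void)
{
    /* Constructed URL: three lists of six placeholder filter names. */
    const char *u = "php://filter/f1|f2|f3|f4|f5|f6/read=f1|f2|f3|f4|f5|f6/f1|f2|f3|f4|f5|f6/resource=x";
    printf("total=%ld largest=%ld limit=%d\n", count_read_filters(u, 0), count_read_filters(u, 1), MAX_FILTERS);
    return 0;
}
```

For the constructed URL the chain holds 18 filters while no single list exceeds 6, so only the chain-wide count crosses the limit.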