Hacker News
by subwindow 5280 days ago
I think the most obvious exploit path is using thousands of query parameters, which are inserted into an "array" in PHP.

An ini setting seems like a terrible and incomplete fix to the problem.


> An ini setting seems like a terrible and incomplete fix to the problem.

Why? It solves the problem entirely.

It only solves the exploit path, not the vulnerability.

The true issue is that their hashing algorithm sucks. Any patch that doesn't fix the hashing algorithm is a band-aid and not a true fix.

It is somewhat risky to fundamentally change the hashing algorithm late in the release cycle (RC4). It is bound to cause problems. The ini option prevents the obvious threat without doing deep changes to the core.
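The thread's distinction between blocking the exploit path and fixing the hash function can be made concrete. The PHP below is an added example, not code from any of the commenters or from the PHP project; it assumes the ini setting the thread refers to is `max_input_vars` (introduced in PHP 5.3.9, default 1000), and it reimplements that idea in userland: count the query parameters before any of them is inserted into a PHP array. The function `parse_query_bounded` and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread): bound the number of query parameters
// before they are inserted into PHP's hash-table-backed array. This mirrors
// what the max_input_vars ini setting does for $_GET and $_POST (assumption:
// that is the setting the thread discusses). The hash function is unchanged,
// so the limit only caps the worst case at O(limit^2) inserts instead of
// removing the collision weakness itself, which is the thread's "band-aid" point.

function parse_query_bounded(string $query, int $limit): array
{
    if ($query === '') {
        return [];
    }

    // Counting '&'-separated pairs is linear in the input length and happens
    // before a single key touches the array, so an oversized request is
    // rejected without paying the collision cost.
    $pairs = explode('&', $query);
    if (count($pairs) > $limit) {
        throw new LengthException(sprintf(
            'Request carries %d parameters, limit is %d',
            count($pairs),
            $limit
        ));
    }

    $result = [];
    foreach ($pairs as $pair) {
        // Split on the first '=' only; a bare key gets an empty value.
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $result[urldecode($key)] = urldecode($value);
    }
    return $result;
}

// Engine-level equivalent: the limit the interpreter itself enforces
// (ini_get returns false on builds older than PHP 5.3.9).
$engineLimit = ini_get('max_input_vars');
echo 'max_input_vars = ', var_export($engineLimit, true), PHP_EOL;

// Constructed inputs for illustration.
$small = 'a=1&b=2&c=3';
var_dump(parse_query_bounded($small, 1000)); // array with three entries

$large = implode('&', array_map(fn ($i) => "k$i=$i", range(1, 1500)));
try {
    parse_query_bounded($large, 1000);
} catch (LengthException $e) {
    // Rejected before any hash-table insert took place.
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php bounded_query.php`. The useful observation is in the second call: a request with 1500 parameters is refused in one `count()` rather than after 1500 inserts, which is exactly why the ini setting stops the obvious attack; it is equally clear from the code that a request sitting just under the limit still pays full price if its keys collide, which is the reply's argument for eventually fixing the hash function itself.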