Issue
The PHP error log contains warnings similar to:
PHP Warning: Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
And/or the website has some of the following symptoms:
- Users cannot use drag and drop or the weights feature on certain menu lists.
- The Permissions page cannot be edited or updated.
Resolution
For sites on Acquia Cloud Professional, go to "Prod >> Configure" and increase the setting for Prod environment. See https://docs.acquia.com/acquia-cloud/manage/php/
For sites on Acquia Cloud Enterprise or Acquia Cloud Site Factory, or if a setting higher than 2500 is needed, please file a support ticket.
Cause
If your website is exceeding the max_input_vars default setting of 1000, one or more forms is the likely cause. We recommend reducing form complexity, for example by breaking large forms down into smaller components; this can remove the need to increase max_input_vars at all.
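To find out which forms are close to the limit before raising it, the following added example (not part of this article or of Acquia's tooling) counts submitted input variables the way the limit applies and compares the count with max_input_vars. The sample form data and the field names in it are constructed for illustration.

```php
<?php
// Added example, not from the Acquia article: measure how many input variables
// a request submits, so oversized forms can be found before raising max_input_vars.
declare(strict_types=1);
/**
 * Count input variables the way the limit applies: every scalar leaf in a
 * (nested) array such as $_POST counts once, so field[a][b]=1 counts as one
 * variable and field[]=1&field[]=2 as two.
 */
function count_input_vars(array $vars): int
{
    $count = 0;
    foreach ($vars as $value) {
        $count += is_array($value) ? count_input_vars($value) : 1;
    }
    return $count;
}

/**
 * Compare a request's variable count with max_input_vars (default: the running
 * php.ini value). Caveat: when the limit is really exceeded PHP drops the surplus
 * before the script runs, so $count never exceeds $limit here; the "Input variables
 * exceeded" warning in the error log is the signal for that case. This check finds
 * forms that are close to the limit.
 */
function check_input_vars(array $vars, ?int $limit = null, float $threshold = 0.8): array
{
    $limit = $limit ?? (int) ini_get('max_input_vars');
    $count = count_input_vars($vars);
    $ratio = $limit > 0 ? $count / $limit : 0.0;
    return [
        'count'      => $count,
        'limit'      => $limit,
        'ratio'      => round($ratio, 3),
        'near_limit' => $ratio >= $threshold,
    ];
}

// Constructed sample: a menu weights form with 450 rows, each posting two nested
// fields, similar in shape to the menu lists mentioned in the symptoms above.
$sample = ['form_id' => 'menu_overview_form', 'form_token' => 'constructed'];
for ($i = 1; $i <= 450; $i++) {
    $sample['items'][$i] = ['weight' => (string) ($i % 50), 'hidden' => '0'];
}
// Pass the PHP default of 1000 so the result does not depend on the local php.ini.
$result = check_input_vars($sample, 1000);
error_log(sprintf('form posts %d of %d input variables (%.0f%%)%s', $result['count'],
    $result['limit'], $result['ratio'] * 100,
    $result['near_limit'] ? ' - approaching max_input_vars' : ''));
```

Running this once per form submission in a development environment shows which forms account for most of the input variables and are therefore worth splitting up.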
The setting should generally not be raised above 5000, since a higher limit enlarges the exposure to the denial-of-service attack described below.
Improvements in PHP's internals in PHP 7 may have significantly reduced the impact of hash collision attacks, but max_input_vars should still be set no higher than necessary to minimise exposure to them. The limit exists to stop needlessly large amounts of input data being POSTed, so in theory a high max_input_vars makes the site more vulnerable to denial-of-service attacks.
The reason PHP introduced the max_input_vars limit was to prevent (or at least mitigate) a quite specific attack relating to the internals of array processing (which includes superglobals such as $_POST). The general vulnerability was not specific to PHP; as it applies to PHP, it was classified as CVE-2011-4885.
The problem is known as a "hash table collision" and it is a denial-of-service vector: it is possible to craft payloads that make the CPU work disproportionately hard to process the input, so an attacker can send relatively few small requests to the server and still consume enough resources to cause a denial of service.