Interesting, but

• How is it going to work on 0? Untested, but after reading the code I think post_max_size and max_input_vars checks with something like if (post_max_size > 0 && ...) so only rejecting negative values is not enough, if you want to harden in this case you might need to reject all non-positive numbers, or 0 can still cause infinity in at least those two args. You may also need to check 0's behavior in other args you've changed.
• This works on zend_long, right? So just in case I'd suggest to test on some numeric-strings. That is values like '-1M', '-1.0' or so.
• Is there intentional pattern of request_parse_body(['max_input_vars' => -1])? As you've said it is unsigned int so parsing -1 will make it to a huge number, that's correct. But just in case someone want to use -1 instead of PHP_INT_MAX I think we can search the code base to see if the downstream is already writing this intentionally.
• As a BC break, you may need to write NEWS and UPGRADING files.

Thanks for the review. Updated the PR accordingly:

• Checked the 0 behavior and adjusted the range validation instead of rejecting every zero value:
  • max_file_uploads = 0 remains valid and means no uploads are allowed.
  • max_input_vars = 0 remains valid and means no input variables are allowed; it does not become unlimited in either the urlencoded or multipart paths.
  • post_max_size = 0 and upload_max_filesize = 0 are now rejected because those size checks only run for values greater than zero.
• Added numeric-string coverage for negative quantities, including -1M and the warning-producing -1.0 path.
• Searched php-src and public GitHub code search for obvious request_parse_body() option patterns using -1; I did not find hits for max_input_vars, post_max_size, upload_max_filesize, or max_file_uploads.
• Added NEWS and UPGRADING entries for the BC impact.

I moved the PR back to draft while the updated CI is running.

Thank you. This looks fine to me and I will have a closer look hours later before I request review from other people :)

Hi. Thanks for the PR. Two notes:

• Negative values in ini settings commonly signal "no limit".
• Does it make sense to have these warnings be present only for request_parse_body() but not for the regular ini settings? I'd argue no. The behavior of both should be congruent.

Thanks for introducing this concern. After a closer look of the ini behavior, I'd suggest that:

• For max_input_vars: The ini handler is OnUpdateLongGEZero, it raises warnings when dealing with negative values while in request_parse_body() it silently accepts. That is, this PR is in the correct direction to this extent by fixing the behavior of request_parse_body() to align with the ini behavior. For example, parsing -1, in ini settings it is parsed as 1000 with E_WARNING, in request_parse_body() it is silently parsed as PHP_INT_MAX due to an overflow.
• For the rest options, I'd suggest to revert the changes, this creates split between ini settings and BC breaks we don't want.

Now I believe this PR makes the behavior of request_parse_body and ini congruent.