Newsgroups: php.internals
Subject: Re: [PHP-DEV] Yet another fix for max_input_vars
From: Nikita Popov <nikita.ppv@googlemail.com>
Date: Thu, 5 Jan 2012 13:05:22 +0100
To: Laruence
Cc: PHP Internals, Rasmus Lerdorf, Stas Malyshev, Pierre Joye, Johannes Schlüter, Dmitry Stogov

On Thu, Jan 5, 2012 at 9:53 AM, Laruence wrote:
> Hi:
>     the original thread is too long, so I open a new thread for this.
>
>     I have made another patch to try to fix this issue.
>
>     the key point is, randomizing the table size (tableMask).
>
>     instead of doubling the table size in zend_hash_do_resize, I
> increase the table size with a random delta (the value now is just a
> try, we can change it to a more appropriate value),
>     that is: new_table_size = old_table_size * 2 + random_num.
>
>     then, the collision can not be predictable, which fixes the
> problem, and also fixes the issue in json/soap/serialize etc.
>
>     here is the patch (draft now):
> https://bugs.php.net/patch-display.php?bug_id=60655&patch=rand_hash_resize.patch&revision=latest
>
>     after this fix, it may slow down PHP, but compared to the
> security threat I think the cost could be ignored.
>
>     for the test script listed in
> http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html:
>
>     *before patched:
>         Inserting 65536 evil elements took 162.65940284729 seconds
>         Inserting 65536 good elements took 0.075557947158813 seconds
>
>     *after patched:
>         Inserting 65536 evil elements took 0.074128866195679 seconds
>         Inserting 65536 good elements took 0.091044902801514 seconds
>
>     what do you think?

At least one problem with your patch is that it uses crypto-safe random numbers. The problem with that is that the very frequent random number fetches could deplete the entropy pool and thus make /dev/urandom (and probably the Windows RNG too) block. So you would again have a DoS vulnerability (just create many small arrays with 16 elements so they get resized a few times).

Additionally this could also impose a security threat to other applications that rely on the entropy source.

Nikita
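The two points of the exchange above (Laruence's random-delta resize and Nikita's "many small arrays" objection) can be reproduced on a toy chained hash table. The following C program is an added example written for this page; it is not PHP's zend_hash code and not the patch linked above. It assumes an initial table size of 8, a slot index of hash % size, a resize when the table is full, and a toy delta range of 1..8 drawn from a seeded LCG that stands in for the crypto RNG (so runs are reproducible and the number of RNG reads can be counted). All inputs are constructed: keys with distinct hashes that collide modulo 8, and keys whose full hash value is identical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Seeded LCG standing in for the crypto RNG the patch reads on every resize.
 * rng_draws counts those reads: that is the entropy cost Nikita objects to. */
static unsigned long rng_draws;
static uint32_t lcg_state;

static void rng_reset(void) { rng_draws = 0; lcg_state = 12345u; }

static uint32_t rng_next(void) {
    rng_draws++;
    lcg_state = lcg_state * 1103515245u + 12345u;
    return lcg_state >> 16;
}

enum policy { RESIZE_DOUBLE, RESIZE_DOUBLE_PLUS_RANDOM };
struct bucket { uint32_t hash; uint32_t key; struct bucket *next; };
struct table { struct bucket **slots; size_t size, count; enum policy pol; };

static void table_init(struct table *t, size_t size, enum policy pol) {
    t->slots = calloc(size, sizeof *t->slots);
    t->size = size; t->count = 0; t->pol = pol;
}

static void table_free(struct table *t) {
    for (size_t i = 0; i < t->size; i++) {
        struct bucket *b = t->slots[i];
        while (b) { struct bucket *n = b->next; free(b); b = n; }
    }
    free(t->slots);
}

/* Grow and re-bucket; a non-power-of-two size changes which entries share a slot. */
static void table_resize(struct table *t) {
    size_t new_size = t->size * 2;
    if (t->pol == RESIZE_DOUBLE_PLUS_RANDOM)
        new_size += 1 + rng_next() % 8;   /* toy delta 1..8, not the patch's range */
    struct bucket **ns = calloc(new_size, sizeof *ns);
    for (size_t i = 0; i < t->size; i++) {
        for (struct bucket *b = t->slots[i], *n; b; b = n) {
            n = b->next;
            size_t idx = b->hash % new_size;
            b->next = ns[idx]; ns[idx] = b;
        }
    }
    free(t->slots); t->slots = ns; t->size = new_size;
}

static void table_insert(struct table *t, uint32_t hash, uint32_t key) {
    if (t->count >= t->size) table_resize(t);
    struct bucket *b = malloc(sizeof *b);
    b->hash = hash; b->key = key;
    size_t idx = hash % t->size;
    b->next = t->slots[idx]; t->slots[idx] = b;
    t->count++;
}

static size_t table_max_chain(const struct table *t) {
    size_t worst = 0;
    for (size_t i = 0; i < t->size; i++) {
        size_t len = 0;
        for (struct bucket *b = t->slots[i]; b; b = b->next) len++;
        if (len > worst) worst = len;
    }
    return worst;
}

/* Constructed input 1: n keys with distinct hashes (8*i) that all collide
 * modulo the initial size 8. Doubling keeps them in two slots; a random
 * delta that makes the size odd spreads them out. */
size_t max_chain_partial_collisions(enum policy pol, size_t n) {
    rng_reset();
    struct table t; table_init(&t, 8, pol);
    for (uint32_t i = 0; i < n; i++) table_insert(&t, 8u * i, i);
    size_t worst = table_max_chain(&t); table_free(&t); return worst;
}

/* Constructed input 2: n keys whose full hash value is identical. No table
 * size separates them, so the chain reaches n under either policy. */
size_t max_chain_full_collisions(enum policy pol, size_t n) {
    rng_reset();
    struct table t; table_init(&t, 8, pol);
    for (uint32_t i = 0; i < n; i++) table_insert(&t, 0xDEADBEEFu, i);
    size_t worst = table_max_chain(&t); table_free(&t); return worst;
}

/* Nikita's scenario: many small arrays, each resized a few times. Returns the
 * total number of RNG reads the random policy issues. */
unsigned long rng_draws_for_small_arrays(size_t n_arrays, size_t n_elems) {
    rng_reset();
    for (size_t a = 0; a < n_arrays; a++) {
        struct table t; table_init(&t, 8, RESIZE_DOUBLE_PLUS_RANDOM);
        for (uint32_t i = 0; i < n_elems; i++) table_insert(&t, i, i);
        table_free(&t);
    }
    return rng_draws;
}
```

Running the three functions shows what each side of the thread is describing: keys that only collide modulo the table size are spread by the random delta, keys whose full hash values are equal are not helped by any table size, and every 16-element array costs one RNG read at its single resize, so the number of reads scales linearly with the number of small arrays a request creates.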