Newsgroups: php.internals
Xref: news.php.net php.internals:57239
Date: Thu, 5 Jan 2012 14:12:58 +0100
From: colder@php.net (Etienne Kneuss)
To: Nikita Popov
Cc: Laruence, PHP Internals, Rasmus Lerdorf, Stas Malyshev, Pierre Joye, Johannes Schlüter, Dmitry Stogov
Subject: Re: [PHP-DEV] Yet another fix for max_input_vars

Hi,

On Thu, Jan 5, 2012 at 13:05, Nikita Popov wrote:
> On Thu, Jan 5, 2012 at 9:53 AM, Laruence wrote:
>> Hi:
>>    the original thread is too long, so I open a new thread for this.
>>
>>    I have made another patch to try to fix this issue.
>>
>>    the key point is, randomizing the table size (tableMask).
>>
>>    instead of doubling the table size in zend_hash_do_resize, I
>> increase the table size with a random delta (the value now is just a
>> try, we can change it to a more appropriate value),
>>    that is:  new_table_size = old_table_size * 2 + random_num.
>>
>>    then, the collisions cannot be predicted, which fixes the
>> problem, and also fixes the issue in json/soap/serialize etc.
>>
>>    here is the patch (draft now):
>> https://bugs.php.net/patch-display.php?bug_id=60655&patch=rand_hash_resize.patch&revision=latest
>>
>>    after this fix, it may slow down PHP, but compared to the
>> security threat I think the cost could be ignored.
>>
>>    for the test script listed in
>> http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html:
>>
>>    *before patched:
>>        Inserting 65536 evil elements took 162.65940284729 seconds
>>        Inserting 65536 good elements took 0.075557947158813 seconds
>>
>>    *after patched:
>>        Inserting 65536 evil elements took 0.074128866195679 seconds
>>        Inserting 65536 good elements took 0.091044902801514 seconds
>>
>>    what do you think ?
>
> At least one problem with your patch is that it uses crypto-safe
> random numbers. The problem with that is that the very frequent random
> number fetches could deplete the entropy pool and thus make
> /dev/urandom (and probably the Windows RNG too) block. So you would
> again have a DoS vulnerability (just create many small arrays with 16
> elements so they get resized a few times). Additionally this could
> also pose a security threat to other applications that rely on the
> entropy source.

In essence there should only be the need for one random number per request, so it should be fine in that regard.

>
> Nikita
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

-- 
Etienne Kneuss
http://www.colder.ch
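The mechanism the thread is arguing about, as an added example that is not part of the original message, the quoted patch, or the PHP source tree: a toy chained hash table in C that models why the "evil" integer keys from the linked blog post degenerate into one long chain when the table size is always a power of two, and how growing to old_size * 2 + random_delta changes that. Everything beyond the two sentences of the quoted proposal is an assumption of this model: the delta is drawn once per table (the "one random number per request" of the reply above) from a seeded xorshift step rather than the OS RNG so runs are reproducible, it is kept odd, and a table whose size is not a power of two is reduced with modulo instead of a bit mask. Work is measured as chain nodes visited rather than seconds, and 4096 keys are used instead of 65536 so the unpatched case finishes quickly.

```c
/* Added example, not code from this thread or from the PHP source tree: a toy
 * chained hash table that models the zend_hash behaviour being discussed.
 * Integer keys are used directly as the hash and reduced with a mask while
 * the table size is a power of two, so keys that are multiples of the final
 * size all share slot 0 and each insert walks the whole chain (quadratic
 * work). The "randomized" variant grows to size*2 + delta as the quoted
 * patch proposes. Assumptions of this model: the delta is drawn once per
 * table (the "one random number per request" of the reply), it is kept odd,
 * and a non-power-of-two size is reduced with modulo instead of a mask. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct bucket { uint32_t h; struct bucket *next; } bucket;

typedef struct {
    bucket **slots;
    uint32_t size;      /* number of slots */
    uint32_t count;     /* elements stored */
    int randomized;     /* 0: double on resize; 1: size*2 + delta */
    uint32_t delta;     /* per-table random odd delta, drawn once */
    uint64_t probes;    /* chain nodes visited by inserts: our "time" */
} table;

static uint32_t slot_of(const table *t, uint32_t h) {
    /* power-of-two sizes use a mask like zend_hash; other sizes need modulo */
    if ((t->size & (t->size - 1)) == 0) return h & (t->size - 1);
    return h % t->size;
}

static void table_init(table *t, int randomized, uint32_t seed) {
    memset(t, 0, sizeof *t);
    t->size = 8;
    t->slots = calloc(t->size, sizeof *t->slots);
    t->randomized = randomized;
    /* xorshift32 step: a deterministic stand-in for the per-request random
     * value, so runs are reproducible; a real build would use the OS RNG */
    seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5;
    /* odd delta: size*2 + odd is odd, so it never shares a factor with a
     * power-of-two key stride and is never itself a power of two */
    t->delta = (seed % 1024) | 1u;
}

static void table_resize(table *t) {
    uint32_t osize = t->size;
    bucket **oslots = t->slots;
    t->size = t->randomized ? osize * 2 + t->delta : osize * 2;
    t->slots = calloc(t->size, sizeof *t->slots);
    for (uint32_t i = 0; i < osize; i++) {
        for (bucket *b = oslots[i], *next; b; b = next) {
            next = b->next;
            uint32_t s = slot_of(t, b->h);      /* rehash, no duplicate check */
            b->next = t->slots[s];
            t->slots[s] = b;
        }
    }
    free(oslots);
}

/* Insert h unless present; like zend_hash the chain is walked first to look
 * for an existing key, and that walk is what the attack makes expensive. */
static int table_insert(table *t, uint32_t h) {
    uint32_t s = slot_of(t, h);
    for (bucket *b = t->slots[s]; b; b = b->next) {
        t->probes++;
        if (b->h == h) return 0;
    }
    bucket *nb = malloc(sizeof *nb);
    nb->h = h;
    nb->next = t->slots[s];
    t->slots[s] = nb;
    if (++t->count > t->size) table_resize(t);
    return 1;
}

static void table_free(table *t) {
    for (uint32_t i = 0; i < t->size; i++)
        for (bucket *b = t->slots[i], *next; b; b = next) { next = b->next; free(b); }
    free(t->slots);
}

/* Insert n keys k*stride for k = 0..n-1 and return the chain nodes visited.
 * stride == n (a power of two) reproduces the "evil" keys of the linked
 * blog post; stride == 1 is the "good" sequential case. */
static uint64_t run_inserts(int randomized, uint32_t n, uint32_t stride, uint32_t seed) {
    table t;
    table_init(&t, randomized, seed);
    for (uint32_t k = 0; k < n; k++) table_insert(&t, k * stride);
    uint64_t probes = t.probes;
    table_free(&t);
    return probes;
}

int main(void) {
    const uint32_t n = 4096;   /* 65536 as in the thread also works, but the unpatched evil case takes a while */
    printf("doubling   evil: %llu probes\n", (unsigned long long)run_inserts(0, n, n, 1u));
    printf("doubling   good: %llu probes\n", (unsigned long long)run_inserts(0, n, 1, 1u));
    printf("randomized evil: %llu probes\n", (unsigned long long)run_inserts(1, n, n, 0x9e3779b9u));
    printf("randomized good: %llu probes\n", (unsigned long long)run_inserts(1, n, 1, 0x9e3779b9u));
    return 0;
}
```

With doubling, the 4096 stride-4096 keys cost 4096*4095/2 chain steps because every intermediate size is a power of two at most 4096 and the low bits of every key are zero; with the odd randomized sizes the same keys spread across the slots and the work drops to a few dozen steps, which is the shape of the before/after timings quoted above. The caveat a reviewer would add: the spread comes from the attacker not knowing the table size. Keys crafted to collide modulo a known size behave exactly like the unpatched case, so the delta has to stay unpredictable for the whole request, which is also why the thread cares about where the random number comes from.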