Newsgroups: php.internals
Xref: news.php.net php.internals:57241
Date: Thu, 5 Jan 2012 22:21:34 +0800
From: laruence@php.net (Laruence)
To: Etienne Kneuss
Cc: Nikita Popov, PHP Internals, Rasmus Lerdorf, Stas Malyshev, Pierre Joye, Johannes Schlüter, Dmitry Stogov, sesser@php.net
Subject: Re: [PHP-DEV] Yet another fix for max_input_vars

Hi,

Thanks to sesser, who pointed out that this won't work for string keys, so I guess we should change the hash logic in the meantime. I will keep trying.

Thanks

On Thu, Jan 5, 2012 at 9:12 PM, Etienne Kneuss wrote:
> Hi,
>
> On Thu, Jan 5, 2012 at 13:05, Nikita Popov wrote:
>> On Thu, Jan 5, 2012 at 9:53 AM, Laruence wrote:
>>> Hi:
>>> The original thread is too long, so I opened a new thread for this.
>>>
>>> I have made another patch trying to fix this issue.
>>>
>>> The key point is randomizing the table size (tableMask).
>>>
>>> Instead of doubling the table size in zend_hash_do_resize, I increase
>>> the table size by a random delta (the value now is just a try; we can
>>> change it to a more appropriate value), that is:
>>> new_table_size = old_table_size * 2 + random_num.
>>>
>>> Then the collisions cannot be predicted, which fixes the problem, and
>>> also fixes the issue in json/soap/serialize etc.
>>>
>>> Here is the patch (draft now):
>>> https://bugs.php.net/patch-display.php?bug_id=60655&patch=rand_hash_resize.patch&revision=latest
>>>
>>> After this fix PHP may be slower, but compared to the security threat
>>> I think the cost could be ignored.
>>>
>>> For the test script listed in
>>> http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html:
>>>
>>> *before patch:
>>>         Inserting 65536 evil elements took 162.65940284729 seconds
>>>         Inserting 65536 good elements took 0.075557947158813 seconds
>>>
>>> *after patch:
>>>         Inserting 65536 evil elements took 0.074128866195679 seconds
>>>         Inserting 65536 good elements took 0.091044902801514 seconds
>>>
>>> What do you think?
>>
>> At least one problem with your patch is that it uses crypto-safe
>> random numbers. The problem with that is that the very frequent random
>> number fetches could deplete the entropy pool and thus make
>> /dev/urandom (and probably the Windows RNG too) block. So you would
>> again have a DoS vulnerability (just create many small arrays with 16
>> elements so they get resized a few times). Additionally, this could
>> also impose a security threat to other applications that rely on the
>> entropy source.
>
> In essence there should only be the need for one random number per
> request, so it should be fine in that regard.
>
>> Nikita
>
> --
> Etienne Kneuss
> http://www.colder.ch

--
Laruence  Xinchen Hui
http://www.laruence.com/
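sesser's objection, illustrated with a small C simulation added here (it is not code from the thread or from PHP): Zend selects a bucket as `hash & nTableMask`, so a randomized table size changes which integer keys collide, but string keys whose full hashes are already equal share a bucket under every mask. It assumes DJBX33A as the Zend string hash and power-of-two table sizes; the integer keys and the string pair are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* DJBX33A, the string hash used by the Zend engine (zend_inline_hash_func). */
uint32_t djbx33a(const char *s) {
    uint32_t h = 5381;
    for (; *s; s++)
        h = (h << 5) + h + (unsigned char)*s;   /* h * 33 + c */
    return h;
}

/* Zend bucket selection: the hash (or the integer key itself) ANDed with nTableMask. */
uint32_t bucket_of(uint32_t h, uint32_t table_mask) {
    return h & table_mask;
}

/* Number of distinct buckets the given hashes occupy under one mask
   (O(n^2), fine for the handful of keys simulated here). */
int distinct_buckets(const uint32_t *hashes, int n, uint32_t table_mask) {
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = bucket_of(hashes[i], table_mask) == bucket_of(hashes[j], table_mask);
        if (!seen) distinct++;
    }
    return distinct;
}

/* 1 if two strings share a bucket for every table size from 8 up to 2^24:
   a randomized table size cannot separate keys whose full hashes are equal. */
int collide_under_every_mask(const char *a, const char *b) {
    uint32_t ha = djbx33a(a), hb = djbx33a(b);
    for (int bits = 3; bits <= 24; bits++)
        if (bucket_of(ha, (1u << bits) - 1) != bucket_of(hb, (1u << bits) - 1))
            return 0;
    return 1;
}

int main(void) {
    /* Constructed integer keys: multiples of 16 all land in bucket 0 of a 16-slot table,
       but spread out once the table is 64 slots, so the mask matters for them. */
    uint32_t int_keys[] = {0, 16, 32, 48};
    printf("int keys, mask 0x0f: %d bucket(s)\n", distinct_buckets(int_keys, 4, 0x0f));
    printf("int keys, mask 0x3f: %d bucket(s)\n", distinct_buckets(int_keys, 4, 0x3f));
    /* Constructed string pair with identical DJBX33A hashes: no mask separates them. */
    printf("\"Ez\"/\"FY\" collide under every mask: %d\n", collide_under_every_mask("Ez", "FY"));
    return 0;
}
```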