Newsgroups: php.internals
Date: Fri, 6 Jan 2012 15:42:43 +0800
From: laruence@php.net (Laruence)
To: Etienne Kneuss
Cc: Nikita Popov, PHP Internals, Rasmus Lerdorf, Stas Malyshev, Pierre Joye, Johannes Schlüter, Dmitry Stogov, sesser@php.net
Subject: Re: [PHP-DEV] Yet another fix for max_input_vars

Hi:
    so here is the problem: the number index collision can be fixed by this idea (increase table size with a random delta).

    now we need to add the random number into the DJB hash, and I am not good at math, so I am calling for help. The random number will be stored in a process global variable like:

    PHPAPI int zend_hash_random_number

    and the reasons for using a process global variable are:

    1. this would break the zend hash cache
    2. no ABI backward break (zend_hash_func)
    3. simplify ZTS protection..

    any help will be appreciated.

thanks

On Thu, Jan 5, 2012 at 10:21 PM, Laruence wrote:
> Hi,
>   thanks to sesser, he pointed out that this won't work for string keys,
>
>   so, I guess, we should change the hash logic in the meantime.. I
> will keep trying.
>
> thanks
>
> On Thu, Jan 5, 2012 at 9:12 PM, Etienne Kneuss wrote:
>> Hi,
>>
>> On Thu, Jan 5, 2012 at 13:05, Nikita Popov wrote:
>>> On Thu, Jan 5, 2012 at 9:53 AM, Laruence wrote:
>>>> Hi:
>>>>     the original thread is too long, so I open a new thread for this.
>>>>
>>>>     I have made another patch to try to fix this issue.
>>>>
>>>>     the key point is, randomizing the table size (tableMask).
>>>>
>>>>     instead of doubling the table size in zend_hash_do_resize, I
>>>> increase the table size with a random delta (the value now is just a
>>>> try, we can change it to a more appropriate value),
>>>>   that is:  new_table_size = old_table_size * 2 + random_num.
>>>>
>>>>     then, the collision can not be predictable, which fixes the
>>>> problem, and also fixed the issue in json/soap/serialize etc.
>>>>
>>>>     here is the patch (draft now):
>>>> https://bugs.php.net/patch-display.php?bug_id=60655&patch=rand_hash_resize.patch&revision=latest
>>>>
>>>>     after this fix, it may slow down PHP, but compared to the
>>>> security threat I think the cost could be ignored.
>>>>
>>>>     for the test script listed in
>>>> http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html:
>>>>
>>>>     *before patched:
>>>>         Inserting 65536 evil elements took 162.65940284729 seconds
>>>>         Inserting 65536 good elements took 0.075557947158813 seconds
>>>>
>>>>     *after patched:
>>>>         Inserting 65536 evil elements took 0.074128866195679 seconds
>>>>         Inserting 65536 good elements took 0.091044902801514 seconds
>>>>
>>>>     what do you think?
>>>
>>> At least one problem with your patch is that it uses crypto safe
>>> random numbers. The problem with that is that the very frequent random
>>> number fetches could deplete the entropy pool and thus make
>>> /dev/urandom (and probably the Windows RNG too) block. So you would
>>> again have a DOS vulnerability (just create many small arrays with 16
>>> elements so they get resized a few times). Additionally this could
>>> also impose a security threat to other applications that rely on the
>>> entropy source.
>>
>> In essence there should only be the need for one random number per
>> request, so it should be fine in that regard.
>>
>>>
>>> Nikita
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>>
>>
>> --
>> Etienne Kneuss
>> http://www.colder.ch
>
>
>
> --
> Laruence  Xinchen Hui
> http://www.laruence.com/

-- 
Laruence  Xinchen Hui
http://www.laruence.com/
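As an added example (not code from this thread or from PHP itself), the C below checks the two points the thread turns on: a randomized tableMask cannot separate keys whose DJBX33A hashes are already equal, and folding a process-wide random number only into the hash's starting value does not help for same-length keys either, because DJBX33A is linear in its initial state. The pair "Ez"/"FY" is a well-known two-character DJBX33A collision used here as constructed input; djbx33a_seeded, bucket_index and always_same_bucket are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* DJBX33A as used by zend_inline_hash_func(): h = h * 33 + c, start 5381. */
uint32_t djbx33a(const char *key, size_t len)
{
    uint32_t h = 5381;
    for (size_t i = 0; i < len; i++)
        h = h * 33 + (unsigned char)key[i];
    return h;
}

/* Naive keyed variant (assumption, for illustration only): the process-wide
 * random number is folded into the starting value and nowhere else. */
uint32_t djbx33a_seeded(const char *key, size_t len, uint32_t seed)
{
    uint32_t h = 5381 ^ seed;
    for (size_t i = 0; i < len; i++)
        h = h * 33 + (unsigned char)key[i];
    return h;
}

/* Bucket chosen by a zend-style table: hash masked with nTableMask. */
uint32_t bucket_index(uint32_t h, uint32_t table_mask)
{
    return h & table_mask;
}

/* Returns 1 when a and b share a bucket under every table size tried
 * (8, 16, ..., 65536, i.e. masks 7 ... 65535) for the given seed.
 * A 1 here means no resize policy, random or not, can split the pair. */
int always_same_bucket(const char *a, const char *b, uint32_t seed)
{
    uint32_t ha = djbx33a_seeded(a, strlen(a), seed);
    uint32_t hb = djbx33a_seeded(b, strlen(b), seed);
    for (uint32_t size = 8; size <= 65536; size *= 2) {
        if (bucket_index(ha, size - 1) != bucket_index(hb, size - 1))
            return 0;   /* some table size separates them */
    }
    return 1;
}
```

Equal hashes stay equal under any mask and under any start-value seed; only a keyed hash whose secret enters non-linearly (e.g. SipHash, which several runtimes later adopted for hash tables) makes a given collision pair depend on the seed.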