Newsgroups: php.internals
Date: Mon, 9 Jan 2012 17:34:43 +0100
Cc: PHP internals
To: Nikita Popov
Subject: Re: [PHP-DEV] 5.3.9, Hash DoS, release
From: stefan@nopiracy.de (Stefan Esser)

Hey,

> I think you accidentally sent this to me, not to the list ;) By the
> way, I think you and Pierre are talking about different patches. We do
> know that the hash size randomization will not work. Pierre is
> referring to another patch that extends max_input_vars to
> unserialize() and json_decode().

Ah okay. I see now that there is a different patch, but it is not clear if Pierre meant this or the HashTable randomization patch, because both were advocated to fix unserialize() and json_decode(), too.

Just a quick look at it tells me that I don't like this patch either. It adds code to each POST handler. The POST handler interface is something extensions can extend. With Laurence's patch, suddenly all extensions that implement their own POST handlers must add the max_input_vars check. Of course I am biased, because suhosin is one of the affected extensions. But that said, suhosin has had a limit similar to max_input_vars for 7 years now.

Regards,
Stefan Esser
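The kind of cap the thread is arguing about, a max_input_vars-style limit applied to a decoder such as json_decode(), as an added illustration that is not code from PHP, suhosin, or any patch mentioned above. It is written in Python because the technique itself is language-independent: the limit is enforced from the decoder's object hook before each object's key/value pairs are turned into a hash table, so an over-limit document is rejected early instead of being fully materialized first. The default cap of 1000, the `BoundedJsonDecoder` name and the payload builder are assumptions of this example.

```python
import json

# Assumed default cap. PHP's max_input_vars also defaults to 1000, but the
# value here is this example's own choice, not taken from any patch.
DEFAULT_MAX_VARS = 1000


class TooManyInputVars(ValueError):
    """Raised when a JSON document would materialize more object keys than allowed."""


class BoundedJsonDecoder:
    """Counts object keys while decoding and aborts once the cap is exceeded.

    json.loads calls object_pairs_hook with the (key, value) list of every
    object *before* building a dict from it, so raising inside the hook stops
    the decode without inserting the offending object's keys into a hash table.
    """

    def __init__(self, max_vars=DEFAULT_MAX_VARS):
        self.max_vars = max_vars
        self.seen = 0

    def _on_object(self, pairs):
        # Cumulative count across nested objects; inner objects are hooked first.
        self.seen += len(pairs)
        if self.seen > self.max_vars:
            raise TooManyInputVars(
                f"input has more than {self.max_vars} object keys")
        return dict(pairs)

    def decode(self, text):
        self.seen = 0
        return json.loads(text, object_pairs_hook=self._on_object)


def bounded_json_decode(text, max_vars=DEFAULT_MAX_VARS):
    """Drop-in replacement for json.loads that refuses oversized inputs."""
    return BoundedJsonDecoder(max_vars).decode(text)


def within_limit(text, max_vars=DEFAULT_MAX_VARS):
    """True if the document decodes under the cap, False if it was rejected."""
    try:
        bounded_json_decode(text, max_vars)
        return True
    except TooManyInputVars:
        return False


def count_keys(value):
    """Total number of object keys in an already decoded value (for reporting)."""
    if isinstance(value, dict):
        return len(value) + sum(count_keys(v) for v in value.values())
    if isinstance(value, list):
        return sum(count_keys(v) for v in value)
    return 0


def constructed_payload(n_keys):
    """Constructed sample: a flat JSON object with n_keys distinct keys."""
    return json.dumps({f"k{i}": i for i in range(n_keys)})


if __name__ == "__main__":
    doc = bounded_json_decode('{"user": {"name": "a", "tags": [{"x": 1}]}}', max_vars=10)
    print("accepted, keys =", count_keys(doc))
    print("1500 keys within default cap?", within_limit(constructed_payload(1500)))
```

Only object keys are counted, since those are the names that end up in a hash table; if a deployment's policy treats array elements as input variables as well, the hook can be paired with a matching count in a list-walking step after decoding. The practical point the example shows is that one check at the decoder is enough for every caller of that decoder, whereas a check placed in each POST handler has to be repeated by every extension that registers its own handler.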