Newsgroups: php.internals
Subject: Re: 5.3.9, Hash DoS, release
From: laruence@gmail.com (Xinchen Hui)
Date: Tue, 10 Jan 2012 00:36:39 +0800
To: Pierre Joye
Cc: PHP internals, Johannes Schlüter, Laruence
Message-ID: <6268389813742875794@unknownmsgid>

Hi:

I have a new idea, which is simple and also works for JSON/serialized etc. That is, restricting the max length of a bucket's list in a hash table. If a bucket's length exceeds 1024, any insertion into this bucket will return failure and a warning will be generated.

What do you think?

Sent from my iPhone

On 2012-1-9, 23:42, Pierre Joye wrote:

> hi,
>
> Moving this discussion here as it makes little to no sense to discuss
> that any longer on security@
>
> We are now very late behind an acceptable delay to provide a fix for
> the hash DoS, to say it nicely.
>
> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
> this week using the max_input_vars fix, with the modification from
> Laruence (but with a larger limit). Laruence's addition also fixes
> serialize or json, which are parts that need this fix as well as it is
> impossible to validate a string manually (length check only is not enough
> or cannot work in all cases).
>
> But 1st of all, the fix addition has to be applied and fully tested.
> But if the addition is not desired yet, then we must at least release
> 5.3.9 with Dmitry's fix only and we can fix json & serialize later,
> ideally within 2 weeks max.
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
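The bucket-length cap proposed in the message above, worked through as an added example. This is illustration code written for this page, not PHP's zend_hash implementation or anything from the thread: a chained hash table keyed by DJBX33A (the string hash PHP 5 used for array keys) in which an insertion that would push a chain past MAX_CHAIN_LEN (1024, the figure from the proposal) returns failure and prints a warning. The names (hashtable_t, ht_insert, count_accepted, update_after_cap) are this example's own, and the one-slot table used by the helpers is a constructed, degenerate configuration that forces every key into a single chain so the cap can be exercised without any colliding-key input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHAIN_LEN 1024   /* cap per bucket chain: the 1024 from the proposal */

typedef struct entry { char *key; int value; struct entry *next; } entry_t;
typedef struct { size_t nbuckets; entry_t **slots; size_t *chain_len; } hashtable_t;

/* DJBX33A, the string hash PHP 5 used for array keys. */
static unsigned long djbx33a(const char *key) {
    unsigned long h = 5381;
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    return h;
}

hashtable_t *ht_create(size_t nbuckets) {
    hashtable_t *ht = calloc(1, sizeof *ht);
    if (!ht) return NULL;
    ht->nbuckets = nbuckets;
    ht->slots = calloc(nbuckets, sizeof *ht->slots);
    ht->chain_len = calloc(nbuckets, sizeof *ht->chain_len);  /* makes the cap check O(1) */
    if (ht->slots && ht->chain_len) return ht;
    free(ht->slots); free(ht->chain_len); free(ht);
    return NULL;
}

void ht_free(hashtable_t *ht) {
    for (size_t i = 0; i < ht->nbuckets; i++)
        for (entry_t *e = ht->slots[i], *n; e; e = n) { n = e->next; free(e->key); free(e); }
    free(ht->slots); free(ht->chain_len); free(ht);
}

/* Returns 0 on success, -1 when the target chain already holds MAX_CHAIN_LEN
   entries. Updating a key that is already present never lengthens a chain, so
   it is always accepted; the walk itself is bounded by MAX_CHAIN_LEN. */
int ht_insert(hashtable_t *ht, const char *key, int value) {
    size_t idx = djbx33a(key) % ht->nbuckets;
    for (entry_t *e = ht->slots[idx]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { e->value = value; return 0; }
    if (ht->chain_len[idx] >= MAX_CHAIN_LEN) {
        fprintf(stderr, "Warning: bucket %zu already holds %d entries, "
                "insertion of '%s' rejected\n", idx, MAX_CHAIN_LEN, key);
        return -1;
    }
    entry_t *e = malloc(sizeof *e);
    size_t len = strlen(key) + 1;
    if (!e || !(e->key = malloc(len))) { free(e); return -1; }
    memcpy(e->key, key, len);
    e->value = value;
    e->next = ht->slots[idx];   /* push at the head: O(1) insert */
    ht->slots[idx] = e;
    ht->chain_len[idx]++;
    return 0;
}

/* Returns 1 and stores the value when the key is present, 0 otherwise. */
int ht_lookup(const hashtable_t *ht, const char *key, int *out) {
    size_t idx = djbx33a(key) % ht->nbuckets;
    for (entry_t *e = ht->slots[idx]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { *out = e->value; return 1; }
    return 0;
}

/* Demo helper: insert n constructed keys "k0".."k{n-1}" into a table with
   nbuckets slots and report how many were accepted. nbuckets == 1 sends every
   key into the same chain, standing in for a flood of colliding keys. */
int count_accepted(size_t nbuckets, int n) {
    hashtable_t *ht = ht_create(nbuckets);
    if (!ht) return -1;
    int accepted = 0;
    char key[32];
    for (int i = 0; i < n; i++) {
        snprintf(key, sizeof key, "k%d", i);
        if (ht_insert(ht, key, i) == 0) accepted++;
    }
    ht_free(ht);
    return accepted;
}

/* Demo helper: fill one chain to the cap, then overwrite an existing key and
   read it back. The update must still be accepted because it adds no entry. */
int update_after_cap(void) {
    hashtable_t *ht = ht_create(1);
    if (!ht) return -1;
    char key[32];
    for (int i = 0; i < MAX_CHAIN_LEN; i++) {
        snprintf(key, sizeof key, "k%d", i);
        ht_insert(ht, key, i);
    }
    int v = -1;
    if (ht_insert(ht, "k0", 4242) != 0 || !ht_lookup(ht, "k0", &v)) v = -1;
    ht_free(ht);
    return v;
}

int main(void) {
    printf("1 slot, 1030 keys: %d accepted\n", count_accepted(1, 1030));
    printf("64 slots, 1030 keys: %d accepted\n", count_accepted(64, 1030));
    printf("update on a full chain reads back %d\n", update_after_cap());
    return 0;
}
```

With one slot, the first 1024 keys are accepted and the remaining six are rejected with a warning; with 64 slots the same 1030 keys spread out and all are accepted, since the cap only bites when one chain is being deliberately or accidentally loaded. The price of this approach, which the thread is weighing against max_input_vars, is that a rejected key is simply dropped: every caller of ht_insert has to check the return value, otherwise the warning is the only trace that data went missing.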