Newsgroups: php.internals
Subject: Re: [PHP-DEV] 5.3.9, Hash DoS, release
From: pierre.php@gmail.com (Pierre Joye)
To: Stefan Esser
Cc: PHP internals
Date: Mon, 9 Jan 2012 17:48:31 +0100

On Mon, Jan 9, 2012 at 5:18 PM, Stefan Esser wrote:
> Dear Pierre and others,
>
>> I'd strongly suggest releasing 5.3.9 (RC5 has been tested now) final
>> this week using the max_input_vars fix, with the modification from
>> Laruence (but with a larger limit). Laruence's addition also fixes
>> serialize or json, which are parts that need this fix as well, as it is
>> impossible to validate a string manually (a length check only is not enough
>> or cannot work in all cases).
>
> Why do you advocate a patch from Laruence that randomizes the size of the
> HashTable, which does not fix the HashDOS security problem at all?

I do not; I refer to his other patch which does exactly what Dmitry's one
does and uses the same limit for json and serialize.

I'm actually against the randomize version of the fix as we do not yet have
enough of a clue about how good (or bad) it is.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
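The thread's point that a byte-length check alone cannot validate a JSON or serialized string, as an added illustration that is not PHP's own code and not either author's patch: a Python JSON decoder that caps the number of object keys seen during parsing (the assumed analogue of PHP's max_input_vars limit), plus a constructed payload showing how many distinct keys fit in a few hundred bytes. The limit value and function names are assumptions for this example; it counts object keys only, since those are what land in a hash table.

```python
import json

# Assumed cap for this demo; the analogue of a max_input_vars-style limit.
MAX_KEYS = 1000


class TooManyKeys(ValueError):
    """Raised when a document would insert more keys than the cap allows."""


def decode_json_limited(text: str, max_keys: int = MAX_KEYS) -> object:
    """Parse JSON, aborting once the cumulative number of object keys
    (across all nesting levels) exceeds max_keys.

    The check runs before each object's pairs are turned into a dict, so
    the number of hash-table insertions is bounded by max_keys regardless
    of how short the keys or the overall document are.
    """
    seen = 0

    def pairs_hook(pairs):
        nonlocal seen
        seen += len(pairs)
        if seen > max_keys:
            raise TooManyKeys(f"document has more than {max_keys} object keys")
        return dict(pairs)  # the actual insertions happen here

    return json.loads(text, object_pairs_hook=pairs_hook)


def build_short_key_payload(n: int) -> str:
    """Constructed sample input: n distinct keys, each only a few bytes,
    so a length cap of a few kilobytes still admits thousands of keys."""
    return "{" + ",".join(f'"{i}":0' for i in range(n)) + "}"


def exceeds_key_limit(text: str, max_keys: int = MAX_KEYS) -> bool:
    """True if the document would be rejected by the key cap."""
    try:
        decode_json_limited(text, max_keys)
    except TooManyKeys:
        return True
    return False


if __name__ == "__main__":
    payload = build_short_key_payload(5000)
    print(f"{len(payload)} bytes, rejected by key cap: {exceeds_key_limit(payload)}")
```

A length check of, say, 64 KB would still let roughly ten thousand such keys through; counting keys at parse time is what actually bounds the work the hash table does.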