Newsgroups: php.internals
Subject: Re: 5.3.9, Hash DoS, release
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 9 Jan 2012 17:57:34 +0100
To: Xinchen Hui
Cc: PHP internals, Johannes Schlüter, Laruence
In-Reply-To: <6268389813742875794@unknownmsgid>

hi,

No time for new ideas yet. We cannot afford to implement, test and validate new propositions and provide a fix as soon as possible (read: in the next days).

What's the status of your patch? The max input var one, not the random (or derived version), can you post it in this thread again for the record please?

If not, we will go final with the current fix in 5.3.

On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui wrote:
> Hi:
>   I have a new idea, which is simple and also works for JSON/serialized etc.
>
>   That is restricting a max length of a buckets list in a hash table.
>
>   If a bucket's length exceeds 1024, any insertion into this bucket
> will return failure and a warning will be generated.
>
>   What do you think?
>
> Sent from my iPhone
>
> On 2012-1-9, 23:42, Pierre Joye wrote:
>
>> hi,
>>
>> Moving this discussion here as it makes little to no sense to discuss
>> that any longer on security@
>>
>> We are now very late behind an acceptable delay to provide a fix for
>> the hash DoS, to say it nicely.
>>
>> I'd strongly suggest releasing 5.3.9 (RC5 has been tested now) final
>> this week using the max_input_vars fix, with the modification from
>> Laruence (but with a larger limit). Laruence's addition also fixes
>> serialize or json, which are parts that need this fix as well, as it is
>> impossible to validate a string manually (length check only is not enough
>> or cannot work in all cases).
>>
>> But 1st of all, the fix addition has to be applied and fully tested.
>> But if the addition is not desired yet, then we must at least release
>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
>> ideally within 2 weeks max.
>>
>> Cheers,
>> --
>> Pierre
>>
>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org

-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
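The per-bucket cap Xinchen Hui proposes in the quoted message, as an added C example that is not PHP's own code: a chained hash table whose insert fails with a warning once a bucket's chain reaches a limit. The bucket count, the hash function, the constructed key names and the limit (scaled down from his 1024 to 4 so a demo reaches it) are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Chained hash table that rejects an insert once the target bucket's chain
 * holds MAX_CHAIN entries (the proposal above uses 1024; a small constructed
 * limit is used here so the demo hits it). Illustration only, not PHP's code. */
#define NBUCKETS 8
#define MAX_CHAIN 4

struct entry { char *key; long value; struct entry *next; };
struct table { struct entry *bucket[NBUCKETS]; int chain_len[NBUCKETS]; };

/* DJB-style string hash reduced to a bucket index; demo only. */
static unsigned hash_key(const char *s) {
    unsigned h = 5381; while (*s) h = h * 33 + (unsigned char)*s++; return h % NBUCKETS;
}

/* 0 on success; -1 plus a warning when the bucket's chain is already full.
 * Updating a key that is already present never lengthens the chain. */
int table_insert(struct table *t, const char *key, long value) {
    unsigned b = hash_key(key);
    for (struct entry *e = t->bucket[b]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { e->value = value; return 0; }
    if (t->chain_len[b] >= MAX_CHAIN) {
        fprintf(stderr, "warning: bucket %u full, dropping '%s'\n", b, key);
        return -1;
    }
    struct entry *e = malloc(sizeof *e);
    if (!e || !(e->key = malloc(strlen(key) + 1))) { free(e); return -1; }
    strcpy(e->key, key); e->value = value;
    e->next = t->bucket[b]; t->bucket[b] = e; t->chain_len[b]++;
    return 0;
}

void table_free(struct table *t) {
    for (int b = 0; b < NBUCKETS; b++)
        for (struct entry *e = t->bucket[b], *n; e; e = n) { n = e->next; free(e->key); free(e); }
}

/* Insert n constructed keys "k0".."k<n-1>" and return how many were rejected.
 * Whatever the key set, at most NBUCKETS * MAX_CHAIN can ever be accepted. */
int count_rejected(int n) {
    struct table t = {0}; int rejected = 0; char key[16];
    for (int i = 0; i < n; i++) {
        snprintf(key, sizeof key, "k%d", i);
        if (table_insert(&t, key, i) != 0) rejected++;
    }
    table_free(&t);
    return rejected;
}
```

The cap bounds the work any single insert or lookup can cost, which is the property the hash DoS attacks; the trade-off is that legitimate colliding keys past the limit are dropped with a warning rather than stored.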