Newsgroups: php.internals
Subject: Re: 5.3.9, Hash DoS, release
From: laruence@gmail.com (Xinchen Hui)
To: Pierre Joye
Cc: PHP internals, Johannes Schlüter, Laruence
Date: Tue, 10 Jan 2012 01:02:17 +0800
Message-ID: <-7181840688573870879@unknownmsgid>
References: <6268389813742875794@unknownmsgid>

Sent from my iPhone

On 2012-1-10, at 0:57, Pierre Joye wrote:

> hi,
>
> No time for new ideas yet. We cannot afford to implement, test and
> validate new propositions and provide a fix as soon as possible (read: in
> the next days)

That idea will only need one hour to be implemented. :) Anyone who has time now can do that?

> What's the status of your patch? The max input var one, not the random
> (or derived version), can you post it in this thread again for the
> record please?

Sorry, can't now, it's 01:00am here.

> If not, we will go final with the current fix in 5.3.
>
> On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui wrote:
>> Hi:
>> I have a new idea, which is simple and also works for JSON/serialized etc.
>>
>> That is restricting a max length of a bucket list in a hash table.
>>
>> If a bucket's length exceeds 1024, any insertion into this bucket
>> will return failure and a warning will be generated.
>>
>> What do you think?
>>
>> Sent from my iPhone
>>
>> On 2012-1-9, at 23:42, Pierre Joye wrote:
>>
>>> hi,
>>>
>>> Moving this discussion here as it makes little to no sense to discuss
>>> that any longer on security@
>>>
>>> We are now very late behind an acceptable delay to provide a fix for
>>> the hash DoS, to say it nicely.
>>>
>>> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
>>> this week using the max_input_vars fix, with the modification from
>>> Laruence (but with a larger limit). Laruence's addition also fixes
>>> serialize or json, which are parts that need this fix as well, as it is
>>> impossible to validate a string manually (length check only is not enough
>>> or cannot work in all cases).
>>>
>>> But 1st of all, the fix addition has to be applied and fully tested.
>>> But if the addition is not desired yet, then we must at least release
>>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
>>> ideally within 2 weeks max.
>>>
>>> Cheers,
>>> --
>>> Pierre
>>>
>>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
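The mitigation Laruence proposes in the thread (refuse the insert and emit a warning once one bucket's collision chain has reached a fixed length) as an added illustration in C. This is not PHP's zend_hash code: the table layout, the function names, `HT_MAX_CHAIN_DEFAULT` and the constructed `key0`, `key1`, ... inputs are all assumptions made here; only the cap of 1024 comes from the thread, and the times-33 hash is the same family zend_hash used at the time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on entries per bucket; 1024 is the figure proposed in the thread. */
#define HT_MAX_CHAIN_DEFAULT 1024

typedef struct entry {
    char *key;
    long value;
    struct entry *next;
} entry_t;

typedef struct {
    entry_t **slots;
    size_t nslots;
    size_t max_chain;   /* cap on entries per bucket */
    size_t rejected;    /* insertions refused because a chain hit the cap */
} hashtable_t;

/* Times-33 string hash (DJBX33A family, as in zend_hash of that era). */
static unsigned long ht_hash(const char *key) {
    unsigned long h = 5381;
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    return h;
}

hashtable_t *ht_create(size_t nslots, size_t max_chain) {
    hashtable_t *ht = calloc(1, sizeof *ht);
    if (!ht) return NULL;
    ht->slots = calloc(nslots, sizeof *ht->slots);
    if (!ht->slots) { free(ht); return NULL; }
    ht->nslots = nslots;
    ht->max_chain = max_chain;
    return ht;
}

/* Number of entries chained off slot idx. */
size_t ht_chain_length(const hashtable_t *ht, size_t idx) {
    size_t n = 0;
    for (const entry_t *e = ht->slots[idx]; e; e = e->next) n++;
    return n;
}

/* Returns 0 on insert or in-place update, -1 when the target chain is
 * already at the cap: the point where PHP would warn instead of growing
 * the chain, bounding the work of one insert to max_chain comparisons. */
int ht_insert(hashtable_t *ht, const char *key, long value) {
    size_t idx = ht_hash(key) % ht->nslots;
    size_t len = 0;
    for (entry_t *e = ht->slots[idx]; e; e = e->next) {
        if (strcmp(e->key, key) == 0) { e->value = value; return 0; }
        len++;
    }
    if (len >= ht->max_chain) {
        ht->rejected++;
        fprintf(stderr, "Warning: bucket %zu holds %zu entries, insert of \"%s\" refused\n",
                idx, len, key);
        return -1;
    }
    entry_t *e = malloc(sizeof *e);
    if (!e) return -1;
    e->key = malloc(strlen(key) + 1);
    if (!e->key) { free(e); return -1; }
    strcpy(e->key, key);
    e->value = value;
    e->next = ht->slots[idx];   /* push at head; chain length is already known */
    ht->slots[idx] = e;
    return 0;
}

void ht_free(hashtable_t *ht) {
    for (size_t i = 0; i < ht->nslots; i++) {
        entry_t *e = ht->slots[i];
        while (e) { entry_t *n = e->next; free(e->key); free(e); e = n; }
    }
    free(ht->slots);
    free(ht);
}

/* Inserts nkeys distinct constructed keys ("key0", "key1", ...) and returns
 * how many were accepted. With nslots == 1 every key lands in the same
 * bucket, which stands in for a flood of colliding keys. */
size_t flood_accepted(size_t nslots, size_t max_chain, size_t nkeys) {
    hashtable_t *ht = ht_create(nslots, max_chain);
    if (!ht) return 0;
    size_t accepted = 0;
    char key[32];
    for (size_t i = 0; i < nkeys; i++) {
        snprintf(key, sizeof key, "key%zu", i);
        if (ht_insert(ht, key, (long)i) == 0) accepted++;
    }
    ht_free(ht);
    return accepted;
}

int main(void) {
    printf("1 slot, cap 4, 10 keys: %zu accepted\n", flood_accepted(1, 4, 10));
    printf("8 slots, cap 4, 100 keys: %zu accepted (at most 32)\n", flood_accepted(8, 4, 100));
    printf("64 slots, cap %d, 100 keys: %zu accepted\n", HT_MAX_CHAIN_DEFAULT,
           flood_accepted(64, HT_MAX_CHAIN_DEFAULT, 100));
    return 0;
}
```

The cap turns the worst case of a collision flood from quadratic (every insert walks a chain that keeps growing) into linear in the number of keys times a constant, which is why it covers json_decode and unserialize input as well as request variables. The cost is a visible behaviour change: an insert can now fail, so every caller has to handle that return and the warning, which is the part of the proposal Pierre says must be applied and fully tested before release.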