Newsgroups: php.internals
Xref: news.php.net php.internals:57316
Subject: Re: 5.3.9, Hash DoS, release
From: laruence@gmail.com (Xinchen Hui)
To: Pierre Joye
Cc: PHP internals, Johannes Schlüter
Date: Tue, 10 Jan 2012 11:12:41 +0800
In-Reply-To / References: <6268389813742875794@unknownmsgid>
On Tue, Jan 10, 2012 at 12:57 AM, Pierre Joye wrote:
> hi,
>
> No time for new ideas yet. We cannot afford to implement, test and
> validate new propositions and provide a fix as soon as possible (read: in
> the next days).
>
> What's the status of your patch? The max input var one, not the random
> (or derived version), can you post it in this thread again for the
> record please?

Hi, FYI, thanks

>
> If not, we will go final with the current fix in 5.3.
>
> On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui wrote:
>> Hi:
>>   I have a new idea, which is simple and also works for JSON/serialized etc.
>>
>>   That is restricting the max length of a bucket list in a hash table.
>>
>>   If a bucket's length exceeds 1024, any insertion into this bucket
>> will return failure and a warning will be generated.
>>
>>   What do you think?
>>
>> Sent from my iPhone
>>
>> On 2012-1-9, 23:42, Pierre Joye wrote:
>>
>>> hi,
>>>
>>> Moving this discussion here as it makes little to no sense to discuss
>>> that any longer on security@
>>>
>>> We are now very late behind an acceptable delay to provide a fix for
>>> the hash DoS, to say it nicely.
>>>
>>> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
>>> this week using the max_input_vars fix, with the modification from
>>> Laruence (but with a larger limit). Laruence's addition also fixes
>>> serialize or json, which are parts that need this fix as well, as it is
>>> impossible to validate a string manually (a length check only is not enough
>>> or cannot work in all cases).
>>>
>>> But 1st of all, the fix addition has to be applied and fully tested.
>>> But if the addition is not desired yet, then we must at least release
>>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
>>> ideally within 2 weeks max.
>>>
>>> Cheers,
>>> --
>>> Pierre
>>>
>>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
>
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
惠新宸        laruence
Senior PHP Engineer
http://www.laruence.com
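The following C program is an added illustration, not part of this thread and not code from PHP's own source tree. It shows, on a toy chained hash table, what the two mitigations discussed above do to hash-collision input: a total-entry cap (the role max_input_vars plays for request variables) and the per-bucket chain-length cap laruence proposes. The 64-bucket table and the caps of 8 and 16 (standing in for the proposed 1024) are illustrative values chosen for the example; the only thing taken from PHP is the DJBX33A string hash it used at the time, and the colliding keys rely on the fact that "Ez" and "FY" hash to the same value under it. PHP would emit a warning where this code merely counts a refusal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy chained hash table (added example, not zend_hash). Sizes and caps are
 * illustrative assumptions, not PHP's real values. */
#define NBUCKETS 64   /* power of two, so index = hash & (NBUCKETS - 1) */

/* DJBX33A ("times 33"): the string hash PHP's engine used in 2012. */
unsigned long djbx33a(const char *s, size_t len)
{
    unsigned long h = 5381;
    for (size_t i = 0; i < len; i++)
        h = h * 33 + (unsigned char)s[i];
    return h;
}

typedef struct entry { char *key; struct entry *next; } entry;

typedef struct {
    entry *buckets[NBUCKETS];
    size_t chain_len[NBUCKETS];
    size_t count;        /* entries currently stored */
    size_t refused;      /* insertions rejected by either cap */
    size_t max_entries;  /* total cap: what max_input_vars does for request vars */
    size_t max_chain;    /* per-bucket cap: the proposal in the thread (1024 there) */
} table;

void table_init(table *t, size_t max_entries, size_t max_chain)
{
    memset(t, 0, sizeof *t);
    t->max_entries = max_entries;
    t->max_chain = max_chain;
}

/* Returns 1 if stored, 0 if a cap refused the key (PHP would warn here). */
int table_insert(table *t, const char *key)
{
    size_t len = strlen(key);
    size_t idx = djbx33a(key, len) & (NBUCKETS - 1);
    if (t->count >= t->max_entries || t->chain_len[idx] >= t->max_chain) {
        t->refused++;
        return 0;
    }
    entry *e = malloc(sizeof *e);
    e->key = malloc(len + 1);
    memcpy(e->key, key, len + 1);
    e->next = t->buckets[idx];
    t->buckets[idx] = e;
    t->chain_len[idx]++;
    t->count++;
    return 1;
}

void table_free(table *t)
{
    for (size_t i = 0; i < NBUCKETS; i++)
        while (t->buckets[i]) {
            entry *e = t->buckets[i];
            t->buckets[i] = e->next;
            free(e->key);
            free(e);
        }
}

/* 'E'*33 + 'z' == 'F'*33 + 'Y' == 2399, so every string made of n two-byte
 * blocks drawn from {"Ez", "FY"} has the same DJBX33A value: 2^n distinct keys
 * that all land in one bucket. This is the input the thread is defending against. */
size_t insert_colliding(table *t, unsigned n_blocks)
{
    size_t nkeys = (size_t)1 << n_blocks, accepted = 0;
    char key[2 * 32 + 1];
    for (size_t k = 0; k < nkeys; k++) {
        for (unsigned b = 0; b < n_blocks; b++)
            memcpy(key + 2 * b, ((k >> b) & 1) ? "FY" : "Ez", 2);
        key[2 * n_blocks] = '\0';
        accepted += table_insert(t, key);
    }
    return accepted;
}

/* Ordinary keys "k0", "k1", ... spread over the buckets; the chain cap should not bite. */
size_t insert_distinct(table *t, size_t nkeys)
{
    size_t accepted = 0;
    char key[32];
    for (size_t k = 0; k < nkeys; k++) {
        snprintf(key, sizeof key, "k%zu", k);
        accepted += table_insert(t, key);
    }
    return accepted;
}

/* Run one scenario (64 colliding or 64 distinct keys) and return how many were stored. */
size_t run_scenario(int colliding, size_t max_entries, size_t max_chain)
{
    table t;
    table_init(&t, max_entries, max_chain);
    size_t accepted = colliding ? insert_colliding(&t, 6) : insert_distinct(&t, 64);
    table_free(&t);
    return accepted;
}

int main(void)
{
    printf("colliding, no caps:      %zu stored\n", run_scenario(1, (size_t)-1, (size_t)-1));
    printf("colliding, chain cap 8:  %zu stored\n", run_scenario(1, (size_t)-1, 8));
    printf("colliding, entry cap 16: %zu stored\n", run_scenario(1, 16, (size_t)-1));
    printf("distinct,  chain cap 8:  %zu stored\n", run_scenario(0, (size_t)-1, 8));
    return 0;
}
```

The entry cap stops the attack by bounding the total work regardless of key distribution, which is why it fits request parsing, where the count is easy to justify. The chain cap only triggers when keys actually pile into one bucket, so well-distributed input of any size passes untouched; that is the property the thread relies on when it says the same check can cover json and serialize, where a length check on the string cannot tell benign input from colliding input.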