Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: 5.3.9, Hash DoS, release
From: jpauli@php.net (jpauli)
Date: Tue, 10 Jan 2012 11:06:50 +0100
To: Xinchen Hui
Cc: Pierre Joye, PHP internals, Johannes Schlüter
References: <6268389813742875794@unknownmsgid>

2012/1/10 Xinchen Hui

> On Tue, Jan 10, 2012 at 12:57 AM, Pierre Joye wrote:
> > hi,
> >
> > No time for new ideas yet. We cannot afford to implement, test and
> > validate new propositions and provide a fix as soon as possible (read: in
> > the next days).
> >
> > What's the status of your patch? The max input var one, not the random
> > (or derived version), can you post it in this thread again for the
> > record please?
> Hi, FYI
>
> thanks
> >
> > If not, we will go final with the current fix in 5.3.
> >
> > On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui wrote:
> >> Hi:
> >> I have a new idea, which is simple and also works for
> >> JSON/serialized etc.
> >>
> >> That is restricting a max length of a bucket list in a hash table.
> >>
> >> If a bucket's length exceeds 1024, any insertion into this bucket
> >> will return failure and a warning will be generated.
> >>
> >> What do you think?
> >>
> >> Sent from my iPhone
> >>
> >> On 2012-1-9, 23:42, Pierre Joye wrote:
> >>
> >>> hi,
> >>>
> >>> Moving this discussion here as it makes little to no sense to discuss
> >>> that any longer on security@
> >>>
> >>> We are now very late behind an acceptable delay to provide a fix for
> >>> the hash DoS, to say it nicely.
> >>>
> >>> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
> >>> this week using the max_input_vars fix, with the modification from
> >>> Laruence (but with a larger limit). Laruence's addition also fixes
> >>> serialize or json, which are parts that need this fix as well as it is
> >>> impossible to validate a string manually (length check only is not enough
> >>> or cannot work in all cases).
> >>>
> >>> But 1st of all, the fix addition has to be applied and fully tested.
> >>> But if the addition is not desired yet, then we must at least release
> >>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
> >>> ideally within 2 weeks max.
> >>>
> >>> Cheers,
> >>> --
> >>> Pierre
> >>>
> >>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
> >
> > --
> > Pierre
> >
> > @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
> --
> 惠新宸 laruence
> Senior PHP Engineer
> http://www.laruence.com

Why not double hashing (http://en.wikipedia.org/wiki/Double_hashing), something like John Crenshaw proposed?

Julien
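The per-bucket length cap that Xinchen Hui proposes in the quoted message, as an added example that is not part of the thread and not PHP's zend_hash code: a small chained hash table in C whose insert refuses to extend any bucket past MAX_BUCKET_LEN (1024, the figure from the thread) and counts the refusals. The bucket count, the deliberately predictable byte-sum hash, and every function name are assumptions of this example; the colliding keys are constructed inline only so the cap can be watched engaging.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy chained hash table with a per-bucket length cap (added example, not
 * zend_hash). NBUCKETS, the byte-sum hash and all function names are
 * assumptions of this example; MAX_BUCKET_LEN = 1024 is the limit proposed
 * in the thread. */
#define NBUCKETS 64
#define MAX_BUCKET_LEN 1024

typedef struct entry {
    char *key;
    long value;
    struct entry *next;
} entry;

typedef struct {
    entry *buckets[NBUCKETS];
    size_t bucket_len[NBUCKETS];   /* current chain length per bucket */
    int warned[NBUCKETS];          /* warning already emitted for bucket */
    long rejected;                 /* insertions refused by the cap */
} hashtable;

/* Deliberately predictable hash (sum of bytes mod NBUCKETS): it stands in
 * for any hash whose collisions are cheap to precompute, and makes
 * colliding test keys trivial to construct. */
static unsigned toy_hash(const char *key) {
    unsigned h = 0;
    for (; *key; key++) h += (unsigned char)*key;
    return h % NBUCKETS;
}

void ht_init(hashtable *ht) { memset(ht, 0, sizeof *ht); }

/* Returns 1 if the key was stored or updated, 0 if the target bucket already
 * holds MAX_BUCKET_LEN entries (the key is dropped and a warning is emitted
 * once per bucket). Updating an existing key never hits the cap, so
 * legitimate overwrites keep working even in a full bucket. */
int ht_insert(hashtable *ht, const char *key, long value) {
    unsigned b = toy_hash(key);
    for (entry *e = ht->buckets[b]; e; e = e->next)
        if (strcmp(e->key, key) == 0) { e->value = value; return 1; }

    if (ht->bucket_len[b] >= MAX_BUCKET_LEN) {
        ht->rejected++;
        if (!ht->warned[b]) {
            ht->warned[b] = 1;
            fprintf(stderr, "Warning: bucket %u reached %d entries; "
                            "further keys are dropped\n", b, MAX_BUCKET_LEN);
        }
        return 0;
    }
    entry *e = malloc(sizeof *e);
    size_t len = strlen(key) + 1;
    if (!e || !(e->key = malloc(len))) { free(e); return 0; }
    memcpy(e->key, key, len);
    e->value = value;
    e->next = ht->buckets[b];      /* push on the chain head */
    ht->buckets[b] = e;
    ht->bucket_len[b]++;
    return 1;
}

const entry *ht_lookup(const hashtable *ht, const char *key) {
    for (const entry *e = ht->buckets[toy_hash(key)]; e; e = e->next)
        if (strcmp(e->key, key) == 0) return e;
    return NULL;
}

void ht_free(hashtable *ht) {
    for (unsigned b = 0; b < NBUCKETS; b++) {
        entry *e = ht->buckets[b];
        while (e) { entry *n = e->next; free(e->key); free(e); e = n; }
        ht->buckets[b] = NULL;
        ht->bucket_len[b] = 0;
    }
}

/* Insert up to n distinct 3-byte printable keys whose byte sum is a multiple
 * of NBUCKETS, so every one of them hashes to bucket 0 (constructed input for
 * the demo). Returns how many the table accepted. */
long insert_colliding_keys(hashtable *ht, long n) {
    long made = 0, accepted = 0;
    char key[4] = {0, 0, 0, 0};
    for (int c1 = 33; c1 <= 126 && made < n; c1++)
        for (int c2 = 33; c2 <= 126 && made < n; c2++)
            for (int c3 = 33; c3 <= 126 && made < n; c3++) {
                if ((c1 + c2 + c3) % NBUCKETS != 0) continue;
                key[0] = (char)c1; key[1] = (char)c2; key[2] = (char)c3;
                made++;
                accepted += ht_insert(ht, key, made);
            }
    return accepted;
}

/* Convenience wrappers: how many of n colliding keys were stored / refused. */
long demo_accepted(long n) {
    hashtable ht; ht_init(&ht);
    long a = insert_colliding_keys(&ht, n);
    ht_free(&ht);
    return a;
}
long demo_rejected(long n) {
    hashtable ht; ht_init(&ht);
    insert_colliding_keys(&ht, n);
    long r = ht.rejected;
    ht_free(&ht);
    return r;
}

int main(void) {
    printf("2000 colliding keys: %ld stored, %ld rejected\n",
           demo_accepted(2000), demo_rejected(2000));
    return 0;
}
```

With the cap in place the longest chain any lookup or insert can walk is bounded at 1024 comparisons regardless of the input, which is the property that makes the mitigation work for JSON and serialized data as well as for request variables: it acts inside the table rather than at the parser. The `rejected` counter is the value worth surfacing in monitoring, since a burst of refusals is the visible symptom of a collision flood. The trade-off the thread raises ("but with a larger limit") is also visible here: the cap is blind to intent, so a legitimate data set that happens to collide heavily is truncated the same way, and the limit has to be sized to the workload.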