Newsgroups: php.internals
Date: Sun, 18 Mar 2012 00:17:30 +0100
Subject: [PHP-DEV] Randomize hash-function in php
From: simonsimcity@googlemail.com (Simon Schick)
To: PHP Internals List

Hi, All

I just came across that talk a couple of days ago ..
http://www.youtube.com/watch?v=R2Cq3CLI6H8

I don't know much about hash-maps and internal php-stuff at all, but they say that the fix provided in 5.3.9 (and 5.4.0) is more of a work-around than a fix ...

Would it be an option to provide a real fix in PHP 6.0? They got the feedback that this will take some time and is not trivial, but we have a good amount of time before PHP6 and can also break backwards compatibility for php-plugins if really necessary.

As they said in the movie, PHP seems to have the algorithm DJBX33A implemented, as Ruby does. So as they're so proud of the fix provided by the Ruby-Team, maybe we can use that for PHP as well :)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4815

This is not so much because some attacker can do something, but what if you have a real-world-application that (for some reason) builds up an array that just will blow up because of that? I haven't experienced that until now, but it's possible ...

Bye
Simon