Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:58995 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 84232 invoked from network); 18 Mar 2012 07:05:54 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 Mar 2012 07:05:54 -0000 Authentication-Results: pb1.pair.com header.from=tjerk.meesters@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=tjerk.meesters@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.210.42 as permitted sender) X-PHP-List-Original-Sender: tjerk.meesters@gmail.com X-Host-Fingerprint: 209.85.210.42 mail-pz0-f42.google.com Received: from [209.85.210.42] ([209.85.210.42:38395] helo=mail-pz0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2B/00-18036-059856F4 for ; Sun, 18 Mar 2012 02:05:53 -0500 Received: by dang27 with SMTP id g27so9849826dan.29 for ; Sun, 18 Mar 2012 00:05:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to; bh=frJpSbqn+P+aocjmuzW3HCvAMkV/emI4Pi4nozFkAlo=; b=JjIIpfybITcAecP7rtt1mDmDDVhnB57GRlzM+5jbb/xDH4bFPM7Xge1nhxZ6OG6kIL C4AmgMiIbKa+eENMTgirkzVO03kX6LNY1bsSehVBg7xK0LbP2FC8ZCMe9h54NqgAgUlX q8Xddme4BECo4dhsq66q2IjIHF7fnJiEWIjO1JHbiCpvLvi9lUrxnWxKvpcZ1/LibXQM k5n4McgKobBuhMh7Ex6Rp8MjPyFP5UF6mtTFwU76/6puXwEhzmgD5l379arNb0J7uPr0 Gbj8XGh8jb5FO3WRHGhkBaYo48Cukvarm3ACofp73cQDj6Vpu193RXI2ckPHca+5tAb4 UTtA== Received: by 10.68.216.6 with SMTP id om6mr1700039pbc.117.1332054350021; Sun, 18 Mar 2012 00:05:50 -0700 (PDT) Received: from [192.168.1.104] (bb115-66-192-159.singnet.com.sg. [115.66.192.159]) by mx.google.com with ESMTPS id f7sm8341585pbr.3.2012.03.18.00.05.46 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 18 Mar 2012 00:05:49 -0700 (PDT) References: <4F65267D.3040005@googlemail.com> <4F652868.7070901@sugarcrm.com> <4619201592745010989@unknownmsgid> In-Reply-To: <4619201592745010989@unknownmsgid> Mime-Version: 1.0 (1.0) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=GB2312 Message-ID: <8053D167-CC6F-42C6-A589-E33B62EEF31A@gmail.com> Cc: Tjerk Anne Meesters , Stas Malyshev , Sam , "internals@lists.php.net" X-Mailer: iPhone Mail (9B179) Date: Sun, 18 Mar 2012 15:05:42 +0800 To: Xinchen Hui Subject: Re: [PHP-DEV] Randomize hash-function in php From: tjerk.meesters@gmail.com (Tjerk Meesters) On 18 Mar, 2012, at 2:32 PM, Xinchen Hui wrote: >> What if php uses salts for specific hashes only, such as GPC (or all >> hashes whose lifetime is limited to the current reuqest), and use a >> zero-value salt for all others? > definitely no=A3=ACthinking of pre-calculated hash. Pre-calculated hash of what? You mean binary serialisation? > Or Ajax which use > json_decode parse input json. That would be considered a request lifetime hash and therefore could be salt= ed.=20 >=20 > IMO, this Make no sense but mess things up. We all have opinions. If a clear distinction between vulnerable and non vuln= erable data can be reliably made, in my limited knowledge of the whole ecosy= stem I genuinely think this has a shot :)