Newsgroups: php.internals
Subject: Re: [PHP-DEV] Randomize hash-function in php
From: laruence@gmail.com (Xinchen Hui)
To: Tjerk Meesters
Cc: Tjerk Anne Meesters, Stas Malyshev, Sam, internals@lists.php.net
Date: Sun, 18 Mar 2012 15:17:58 +0800
Message-ID: <-9209664143670810770@unknownmsgid>
In-Reply-To: <8053D167-CC6F-42C6-A589-E33B62EEF31A@gmail.com>
References: <4F65267D.3040005@googlemail.com> <4F652868.7070901@sugarcrm.com> <4619201592745010989@unknownmsgid> <8053D167-CC6F-42C6-A589-E33B62EEF31A@gmail.com>

Sent from my iPhone

On 2012-3-18, 15:05, Tjerk Meesters wrote:

> On 18 Mar, 2012, at 2:32 PM, Xinchen Hui wrote:
>
>>> What if php uses salts for specific hashes only, such as GPC (or all
>>> hashes whose lifetime is limited to the current request), and uses a
>>> zero-value salt for all others?
>> Definitely no, thinking of pre-calculated hashes.
>
> Pre-calculated hash of what? You mean binary serialisation?
>
>> Or Ajax, which uses
>> json_decode to parse input JSON.
>
> That would be considered a request-lifetime hash and therefore could be salted.
>
>>
>> IMO, this makes no sense but messes things up.
>
> We all have opinions. If a clear distinction between vulnerable and non-vulnerable data can be reliably made, in my limited knowledge of the whole ecosystem I genuinely think this has a shot :)
>

Ha, sorry for my rude words, I don't mean you, but the point itself ;) And it's also why I don't usually say much at internals@, my poor English :)
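A small illustration of the trade-off the thread is arguing about (a zero-value salt for long-lived tables so pre-calculated hash values still match, versus a per-request salt for request-lifetime tables such as GPC or json_decode results), added here as an example and not code from PHP or from anyone in the thread. The DJBX33A-style hash and the way the salt is mixed in are hypothetical stand-ins, not Zend's implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DJBX33A-style string hash with a salt folded into the
 * starting state. Illustration only, not Zend's hash function. */
static uint32_t salted_hash(const char *key, size_t len, uint32_t salt)
{
    uint32_t h = 5381u ^ salt;
    for (size_t i = 0; i < len; i++)
        h = h * 33u + (unsigned char)key[i];   /* h*33 + c, mod 2^32 */
    return h;
}

/* The classic, unsalted value: what code that stored a pre-calculated
 * hash (e.g. inside a serialised structure) expects to find again. */
static uint32_t classic_hash(const char *key, size_t len)
{
    return salted_hash(key, len, 0u);
}

/* The proposal in the thread: request-lifetime tables get the per-request
 * salt; every other table keeps a zero salt. */
static uint32_t hash_for_table(const char *key, size_t len,
                               int request_scoped, uint32_t request_salt)
{
    return salted_hash(key, len, request_scoped ? request_salt : 0u);
}

/* Returns 1 if the value computed under `salt` still equals the classic
 * value, i.e. whether a pre-calculated hash would survive salting.
 * Since h -> h*33 + c is a bijection mod 2^32 (33 is odd), any non-zero
 * salt changes the result for every key, so this is 1 only for salt 0. */
static int precalculated_hash_survives(const char *key, uint32_t salt)
{
    size_t len = strlen(key);
    return salted_hash(key, len, salt) == classic_hash(key, len);
}

int main(void)
{
    /* Constructed sample: a per-request salt and a key as it might arrive in $_GET. */
    uint32_t request_salt = 0x5eedf00du;
    const char *key = "user_id";
    printf("classic:  %08x\n", classic_hash(key, strlen(key)));
    printf("GPC:      %08x\n", hash_for_table(key, strlen(key), 1, request_salt));
    printf("survives: %d\n", precalculated_hash_survives(key, request_salt));
    return 0;
}
```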