Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:63218
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82972 invoked from network); 21 Sep 2012 12:08:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 Sep 2012 12:08:11 -0000
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.42 as permitted sender)
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.160.42 mail-pb0-f42.google.com  
Received: from [209.85.160.42] ([209.85.160.42:43137] helo=mail-pb0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 26/43-62301-9A85C505 for <internals@lists.php.net>; Fri, 21 Sep 2012 08:08:09 -0400
Received: by pbbrp8 with SMTP id rp8so7361124pbb.29
        for <internals@lists.php.net>; Fri, 21 Sep 2012 05:08:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=MhKCDGxVu2zI6zvFqXheTPnBTUtfo1vVM+nZkw/p8cw=;
        b=eT4u12RBa7mMNdT6xw8yDatgg3O5phwJEyQmIyVeEGdVXX7qVy6IILwMdhmvY+06Kl
         V4zyFyoXrkO8845Uvy1pJudBNE7C+B+7LEdJ2pYd7qZZszs+ybkvw6I9brdRV54+4KvW
         ACDsD7/og/ETLVLk6YCQNX/2lkSjvAPpbrQ+67GG1E3k+QuOFsEUl2xHMI3LjaqCEQ6e
         ZEJeZC4t8xAh9HIOczTzbw65/eENJPMmtnIxaqyxKU0x4Rpl1KLKy20GJNsZahsgAJsA
         QA/8B5R42BZljqy2wz9NAB32zBraOBwu7rKUcqkiMALr8kYOS0SBa1WO4464wx6yTkhX
         8tqw==
MIME-Version: 1.0
Received: by 10.66.82.3 with SMTP id e3mr12749098pay.56.1348229286748; Fri, 21
 Sep 2012 05:08:06 -0700 (PDT)
Received: by 10.68.54.68 with HTTP; Fri, 21 Sep 2012 05:08:06 -0700 (PDT)
In-Reply-To: <505C5625.7090700@hoa-project.net>
References: <505C4A06.6040304@hoa-project.net>
	<CAH-PCH5BAb8v_OWhO1pv7bBUsxvun3=0u-YjO27ktWfU4ssJZQ@mail.gmail.com>
	<505C5625.7090700@hoa-project.net>
Date: Fri, 21 Sep 2012 14:08:06 +0200
Message-ID: <CAH-PCH7ohkh53iS0HEh6u+EsC0M+u_di8YDZCafV1rHuA1noww@mail.gmail.com>
To: ivan.enderlin@hoa-project.net
Cc: internals@lists.php.net, laruence@php.net
Content-Type: multipart/alternative; boundary=f46d042de69fb6605704ca3517c4
Subject: Re: [PHP-DEV] POST, content-type: application/json and json_decode
From: tyra3l@gmail.com (Ferenc Kovacs)

--f46d042de69fb6605704ca3517c4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Fri, Sep 21, 2012 at 1:57 PM, Ivan Enderlin @ Hoa <
ivan.enderlin@hoa-project.net> wrote:

>
> On 21/09/12 13:44, Ferenc Kovacs wrote:
>
>> On Fri, Sep 21, 2012 at 1:05 PM, Ivan Enderlin @ Hoa <
>> ivan.enderlin@hoa-project.net> wrote:
>>
>>  Hello,
>>>
>>> If PHP receives a HTTP request with the method POST and with the header
>>> Content-Type: application/x-www-form-**encoded, then, it automatically
>>> parses the request body to populate an array in $_POST. If the
>>> Content-Type
>>> is different (e.g. text/plain or application/json), the request body is
>>> reachable by reading php://input. Well, it is ok.
>>>
>>> But is there any plans to consider application/json by parsing the
>>> request
>>> body and populate the result in $_POST (with the help of json_decode()
>>> maybe)?
>>>
>>> If so, I would like to propose a patch but I don't find in the source
>>> code
>>> where request body is caugth and parsed (for POST). Any ideas?
>>> Maybe a RFC would also be welcome to complete my suggestion?
>>>
>>> Thanks.
>>>
>>>
>>>  please watch out to not reintroduce CVE-2011-4885, afair we discussed
>> about
>> that json_decode also vulnerable to the hash collision, but I don't
>> remember seeing any fix committed to json_decode.
>> depending on how would you extract the json encoded variables, this woul=
d
>> make possible to bypass the protection of max_input_vars limits.
>>
> Laruence has opened a bug with some patches: https://bugs.php.net/bug.php=
?
> **id=3D60655 <https://bugs.php.net/bug.php?id=3D60655>. What is the state=
 of
> this bug?
>
> I don't understand very well the hash collision problem. Any links?
>
>
you should find everything googling for the CVE id(CVE-2011-4885).
basically it was an inefficient handling of the colliding haskeys, which
doesn't happen frequently by accident, but a malicious attacker with a
small crafted request was able to send a bunch of input variables which
will all collide, and triggering that slow codepath, which results in a DOS=
.
see https://bugzilla.redhat.com/show_bug.cgi?id=3DCVE-2011-4885 and for the
theory of the attack here
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf

--=20
Ferenc Kov=C3=A1cs
@Tyr43l - http://tyrael.hu

--f46d042de69fb6605704ca3517c4--