Newsgroups: php.internals
From: ajf@ajf.me (Andrea Faulds)
Date: Tue, 23 Dec 2014 20:16:51 +0000
Subject: Re: [PHP-DEV] JSON HASHDOS
To: Yasuo Ohgaki
Cc: Pierre Joye, Scott Arciszewski, PHP internals
Message-ID: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me>

> On 23 Dec 2014, at 20:12, Yasuo Ohgaki wrote:
>
> Hi,
>
> On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye wrote:
>
>> This issue has been reported earlier on security@php.net and is being
>> discussed and analyzed. It is not a simple task.
>>
>
> If we are not going to use other hash (i.e. half MD4 like other langs), how
> about add max allowed collisions? It would be simple and fast enough. I'm not
> looking at the code, so I could be wrong.

Hey,

We could implement a special JSONObject class with custom __get/__set handlers and that’s Traversable, which implements a randomised hashing algorithm rather than using zend_hash. That could be overkill though.

Thanks.
--
Andrea Faulds
http://ajf.me/
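
The "max allowed collisions" idea quoted in the message above, as an added example that is not part of the original thread or of PHP's source: a chained hash table whose insert refuses a new key once its bucket chain has reached a cap, so a decoder can abort instead of walking ever-longer chains. The byte-sum hash, MAX_COLLISIONS, table_set and load_keys are assumptions made for this illustration and are not taken from zend_hash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 64
#define MAX_COLLISIONS 8 /* assumed cap, chosen only for this demo */

typedef struct entry { char *key; int val; struct entry *next; } entry;
typedef struct { entry *b[NBUCKETS]; } table;

/* Deliberately weak stand-in hash (byte sum), not zend_hash's function:
 * all anagrams of a key land in one bucket, so the cap is easy to hit. */
static unsigned weak_hash(const char *s) {
    unsigned h = 0;
    while (*s) h += (unsigned char)*s++;
    return h % NBUCKETS;
}

/* 0 = inserted or updated, -1 = bucket chain already at the cap (caller
 * should abort the decode), -2 = out of memory. */
int table_set(table *t, const char *key, int val) {
    unsigned i = weak_hash(key);
    int walked = 0;
    for (entry *e = t->b[i]; e; e = e->next, walked++)
        if (strcmp(e->key, key) == 0) { e->val = val; return 0; }
    if (walked >= MAX_COLLISIONS) return -1;
    entry *n = malloc(sizeof *n);
    if (!n) return -2;
    n->key = malloc(strlen(key) + 1);
    if (!n->key) { free(n); return -2; }
    strcpy(n->key, key);
    n->val = val; n->next = t->b[i]; t->b[i] = n;
    return 0;
}

/* Feed keys in order; return how many were accepted before a refusal. */
int load_keys(table *t, const char **keys, int n) {
    for (int k = 0; k < n; k++)
        if (table_set(t, keys[k], k) != 0) return k;
    return n;
}

int main(void) {
    /* Constructed sample keys: ten anagrams, i.e. ten same-bucket keys. */
    const char *keys[] = {"abcd","abdc","acbd","acdb","adbc",
                          "adcb","bacd","badc","bcad","bcda"};
    table t = {0};
    printf("accepted %d of 10 keys\n", load_keys(&t, keys, 10));
    return 0;
}
```

Because no chain ever grows past the cap, each insert walks at most MAX_COLLISIONS entries; the cost is that legitimate input whose keys happen to share a bucket is refused as well.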