Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:79894 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76002 invoked from network); 23 Dec 2014 20:26:22 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Dec 2014 20:26:22 -0000 Authentication-Results: pb1.pair.com header.from=kobrasrealm@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=kobrasrealm@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.49 as permitted sender) X-PHP-List-Original-Sender: kobrasrealm@gmail.com X-Host-Fingerprint: 74.125.82.49 mail-wg0-f49.google.com Received: from [74.125.82.49] ([74.125.82.49:61520] helo=mail-wg0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 15/91-01814-DEFC9945 for ; Tue, 23 Dec 2014 15:26:21 -0500 Received: by mail-wg0-f49.google.com with SMTP id n12so9856798wgh.22 for ; Tue, 23 Dec 2014 12:26:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XjhKfc9WKle3cQRW/Q7y51Vkw/0Y79myJ715v0WA5+o=; b=bkN3PANW5PajMSQ1stdec9wy3iwVZfoHTlRdkYY09iizncTXDDtXrr5WTnFJuTP5Lh DhJ3+KA4RWnEtUT15o4hLFjJl+l2cAcBBPWVZntgV249Qnlmz2exl1ZiPVL8bAiGXr5u bYxL13KP5Fq1VJoo+nOk/wSTg5h8O/eifNamRZmUgnHCssHELfgB9x7YhqCbO7S8IG3e eHAdbCf7hb3vd+UvSKggNLR1oo7eQChauPrfL+oMQwfIXCm2rYSQJc8wiMbxi2XjLBER CuA9YpWwwNXOtcRMqeKcp4R+0EY7byZKqY5zk/9rz4H6wByH9JJA2tX6rYhQlXZASyaF 4HEQ== MIME-Version: 1.0 X-Received: by 10.194.192.167 with SMTP id hh7mr18676317wjc.111.1419366378178; Tue, 23 Dec 2014 12:26:18 -0800 (PST) Received: by 10.27.179.137 with HTTP; Tue, 23 Dec 2014 12:26:18 -0800 (PST) In-Reply-To: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me> References: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me> Date: Tue, 23 Dec 2014 15:26:18 -0500 Message-ID: To: Andrea Faulds Cc: Yasuo Ohgaki , Pierre Joye , PHP internals Content-Type: multipart/alternative; boundary=047d7b8743f8c70e0a050ae7fc34 Subject: Re: [PHP-DEV] JSON HASHDOS From: kobrasrealm@gmail.com (Scott Arciszewski) --047d7b8743f8c70e0a050ae7fc34 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Not all json_decode()s will operate on user-supplied data. Why not add a DoS-resistant variant? I propose the addition of json_safe_decode() to use a randomized hash. I'm not trolling about the bin2hex() -> ts_bin2hex() when I say this. Well, not entirely. On Tue, Dec 23, 2014 at 3:16 PM, Andrea Faulds wrote: > > > On 23 Dec 2014, at 20:12, Yasuo Ohgaki wrote: > > > > Hi, > > > > On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye > wrote: > > > >> This issue has been reported earlier on security@php.net and is being > >> discussed and analyzed. It is not a simple task. > >> > > > > If we are not going to use other hash (i.e. half MD4 like other langs), > how > > about > > add max allowed collisions? It would be simple and fast enough. I'm not > > looking > > at the code, so I could be wrong. > > Hey, > > We could implement a special JSONObject class with custom __get/__set > handlers and that=E2=80=99s Traversable, which implements a randomised ha= shing > algorithm rather than using zend_hash. That could be overkill though. > > Thanks. > -- > Andrea Faulds > http://ajf.me/ > > > > > --047d7b8743f8c70e0a050ae7fc34--