Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:79912 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38676 invoked from network); 24 Dec 2014 08:37:48 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 24 Dec 2014 08:37:48 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.223.178 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.223.178 mail-ie0-f178.google.com Received: from [209.85.223.178] ([209.85.223.178:62793] helo=mail-ie0-f178.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 00/10-37394-B5B7A945 for ; Wed, 24 Dec 2014 03:37:48 -0500 Received: by mail-ie0-f178.google.com with SMTP id vy18so5574504iec.37 for ; Wed, 24 Dec 2014 00:37:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=TCEoxj7vFJxTQKYLIFStuQCcHAUcHhV6/D+tY3o7DsY=; b=UuKQkeJLipsJIXDXouiWZQnkRVZh/+/dG2KITmzi7DYi1EXWa9sOHRsRLsHecIlmZz SVd+QWeFRdi7tFa9c58M73eK+PESuHZhxFcztiKqBocPZVDKTSlU3hgZDeIpRGVUmepi F+gk4qGbYN9LdPT7MDZ6L2rr0+HM9iGv5Jw4Gy+6eYFE28RxP/zfEtPWvHgTXYP0RntH XH7TAO5uFhpsGYKB8/a1ncKsISO8bmLTBEvmbnXqfy34a5VDiNqNQZ8VUEsZDSeioSLt pKTOmozBUB6maX+f2oA7Ah6mcuAuYzb5VC1eKMmM2oMtQPrEMGQYZX2f3Efb4ieeBVT8 IIqA== X-Received: by 10.50.45.38 with SMTP id j6mr6432009igm.11.1419410264915; Wed, 24 Dec 2014 00:37:44 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.107.164.217 with HTTP; Wed, 24 Dec 2014 00:37:04 -0800 (PST) In-Reply-To: References: <09B14273-C621-4AB9-9129-A149A9480A03@ajf.me> Date: Wed, 24 Dec 2014 17:37:04 +0900 X-Google-Sender-Auth: fDYkByu6KfDFUg2s80kRBFrifnY Message-ID: To: Pierre Joye Cc: Andrea Faulds , PHP internals , Scott Arciszewski Content-Type: multipart/alternative; boundary=089e0111b1eea187e7050af2343d Subject: Re: [PHP-DEV] JSON HASHDOS From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e0111b1eea187e7050af2343d Content-Type: text/plain; charset=UTF-8 Hi Pierre, On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye wrote: > Please keep in mind that this problem is: > > . not json specific > . not specific at runtime but could also happen before a script get the > hand > > A randomized hash only postpone the issue but won't solve it. > > I fear that a fix is way more work that what we may think. A discussion is > going on security, let hope to get something in a reasonable time. I also > wonder what we could provide right now to at least prevent script kiddies > attacks during this holiday season.. > I only read Zend code on occasion, so it might not be feasible. Anyway, when collision happens, Engine detects collision. Limited number of collision should happen under normal circumstances. Simply limiting number of collisions for a specific hash bucket would prevent DoS. The limit may be INI setting, so that users may set higher limit when they need. We may use more secure hash like half MD4 or CityHash (I'm not sure if CityHash is secure enough, though), but it would be much slower than now. Limiting number of collision would be the best solution. We never worry about intensional collision attack again. Regards, P.S. Did we decide to have 64 bit array keys? 64 bit array key is much more stronger against collisions. -- Yasuo Ohgaki yohgaki@ohgaki.net --089e0111b1eea187e7050af2343d--