Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:86056
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67263 invoked from network); 30 Apr 2015 02:18:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 30 Apr 2015 02:18:02 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.214.182 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.214.182 mail-ob0-f182.google.com  
Received: from [209.85.214.182] ([209.85.214.182:35075] helo=mail-ob0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CA/80-64175-9D091455 for <internals@lists.php.net>; Wed, 29 Apr 2015 22:18:02 -0400
Received: by obcux3 with SMTP id ux3so34306176obc.2
        for <internals@lists.php.net>; Wed, 29 Apr 2015 19:17:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=bm1dg+kZ3cY6wSL6Z4gneXd0HDtM8+b6Ru0a85Y4D5o=;
        b=bS6xqLIXS6+RogE95CxcQAJ6kotWOQS7Jo44ISjeygvaTiaWkzFvh1DgvWccV1frWL
         yokjsM/JVfVYwde4oDlurCPUk6XlVc9Kr1T1QSxCF/Q2bDUyEKJXJlPmBUbDurIU9A1v
         H7uYPlmrfwlrUEFQXZ4xYZOusgGgVoEubAxtX1TzcJfX3g6EKlLnw/XlYlZC42tMobiZ
         iTHyX5MnTH0q/RbgZa+04S2BBPZSIziZzBOTKrXhQ9ME8aHihsgydiSaGsYFp3Pl5yiQ
         slOY5bSGLsgkzxf/PcHt3lrk8QFA6ZCFyN7aPlWZ9ZWwBMjtfNg4/WKBDVDxHAkC9g9I
         5MrQ==
X-Received: by 10.60.178.33 with SMTP id cv1mr1607600oec.11.1430360279110;
 Wed, 29 Apr 2015 19:17:59 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.202.104.196 with HTTP; Wed, 29 Apr 2015 19:17:17 -0700 (PDT)
In-Reply-To: <55418CBE.6050609@gmail.com>
References: <CAGa2bXYzp3XimLXxC+Py2t1DWhCfX8coTdYHzf6zEiKdxA7r8Q@mail.gmail.com>
 <55401F31.9030703@gmail.com> <CAObuZduZBM0GyWJMA1Fd7eCgPE4vFFZrrhpREQ50a4QJhG6Nvg@mail.gmail.com>
 <CAGa2bXar_oXrsPAErNx5BUdkFAy-p8-D0tfhc3pAnDTGBGJJ7Q@mail.gmail.com>
 <55416849.9010808@gmail.com> <CAGa2bXbkCx2Nqb9YBut3id4N=nhjLBGPN8Ucrx7R6mRnGjB2og@mail.gmail.com>
 <554176D6.2030007@gmx.de> <CAGa2bXaPjvkFYtkhRM1JisSvxgR0v8adkD_P_zkUng4xfBWFHg@mail.gmail.com>
 <55418CBE.6050609@gmail.com>
Date: Thu, 30 Apr 2015 11:17:17 +0900
X-Google-Sender-Auth: UT4zVU_CaczqIupsOhFymid-lbY
Message-ID: <CAGa2bXZAY_9qx9D+K11ApJH9DKzTvxze+=E5=rVhQj_OaGfxGQ@mail.gmail.com>
To: Rowan Collins <rowan.collins@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e01182252565b8c0514e7b416
Subject: Re: [PHP-DEV] Adding "numeric" type hint
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e01182252565b8c0514e7b416
Content-Type: text/plain; charset=UTF-8

Hi Rowan,

On Thu, Apr 30, 2015 at 11:00 AM, Rowan Collins <rowan.collins@gmail.com>
wrote:

> On 30/04/2015 02:24, Yasuo Ohgaki wrote:
>
>> "Type hints" have never been hints.  The wording is a misnomer.  Try to
>>> pass an int to a parameter declared as array, for instance.
>>>
>>>  I understand how it worked and how it will.
>> "hint" sounds a little misleading. Since we named it already, we may
>> follow
>> the semantics.
>>
>
> Or, since we chose the semantics already, we may consider better names
> (see on-going discussion on PHP-DOC list, for example).


I noticed that.
Type hint became "hint" actually by PHP7 because it convert string/float to
int, for example. IMHO.


>  A fatal error wouldn't constitute a DoS vulnerability, would it?
>>>
>>>  Attacker may inject huge ID value and/or they may simply access
>> web sites to reach 2 billion limit, for example.
>>
>
> That's not a DoS vector unless you've also done something else wrong, it's
> just an embarassing error like many others. A lot of the time, the DB will
> overflow first anyway, because an SQL "int" is signed 32-bit. Hell, YouTube
> had a 32-bit int for number of views until Gangnam Style overflowed it!
>

Not really. Primary key is out of user control almost always. However,
suppose code allows to specify foreign key and code assumes that non
existing foreign key results in search query failure.

Current PHP: Search query failure.
New PHP type hint: Fatal error because foreign key is out of PHP int range.

If user are using type hints everywhere, it may be limited to attackers
seeing fatal errors. If not, attacker can succeed system wide DoS attack by
simple operation.


> Sure, if a user can somehow insert custom data into a BigInt DB column,
> via a 32-bit webserver, without causing the error on the way in, but in
> such a way that other users would end up retrieving that record when they
> tried to access the site, and it was then run through a function with an
> "int" type annotation you'd have a Denial of Service. That's hardly "PHP 7
> broke my website", though.


There are systems that has "32 bit PHP client that queries 64 bit server".
Many IoT devices will stick to 32 bit CPUs.

Current PHP:  Database ID is string and it works for any value.
New PHP type hint: Fatal error for values beyond PHP int range.

There are IoT devices that can be controlled by PHP already. We don't have
to limit ourselves.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e01182252565b8c0514e7b416--