Newsgroups: php.internals
Date: Thu, 30 Apr 2015 11:37:19 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rowan Collins
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Adding "numeric" type hint

Hi Rowan,

On Thu, Apr 30, 2015 at 11:17 AM, Yasuo Ohgaki wrote:

>
>> A fatal error wouldn't constitute a DoS vulnerability, would it?
>>>>
>>>> Attacker may inject huge ID value and/or they may simply access
>>> web sites to reach 2 billion limit, for example.
>>>
>>
>> That's not a DoS vector unless you've also done something else wrong,
>> it's just an embarrassing error like many others. A lot of the time, the DB
>> will overflow first anyway, because an SQL "int" is signed 32-bit. Hell,
>> YouTube had a 32-bit int for number of views until Gangnam Style overflowed
>> it!
>>
>
> Not really. Primary key is out of user control almost always. However,
> suppose code allows to specify foreign key and code assumes that non
> existing foreign key results in search query failure.
>
> Current PHP: Search query failure.
> New PHP type hint: Fatal error because foreign key is out of PHP int range.
>
> If users are using type hints everywhere, it may be limited to attackers
> seeing fatal errors. If not, attacker can succeed system wide DoS attack by
> simple operation.
>

I should have mentioned that I'm supposing DBMS like SQLite here.
As we know, SQLite column accepts any value including value beyond 64 bit
int.

https://www.sqlite.org/datatype3.html
(Those who don't know "Type Affinity", please read the section)

SQLite is the most used RDBMS in the world.
MySQL supports unsigned 64 bit integer also, BTW.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
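
The behaviour difference discussed in this message, as an added example that is not part of the original thread or of the proposal under discussion. It assumes the scalar type declarations that later shipped in PHP 7 (default coercive mode), a 64-bit build and the pdo_sqlite extension; the table, column and function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ scalar type declarations,
// coercive mode, a 64-bit build and pdo_sqlite. All names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER)');
$db->exec('INSERT INTO orders (customer_id) VALUES (42)');

// Untyped lookup: the value is bound as text, so an out-of-range key matches no row.
function findUntyped(PDO $db, $customerId): array
{
    $st = $db->prepare('SELECT id FROM orders WHERE customer_id = ?');
    $st->execute([$customerId]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Typed lookup: the int declaration rejects a numeric string that does not fit in a PHP int.
function findTyped(PDO $db, int $customerId): array
{
    return findUntyped($db, $customerId);
}

// Boundary check: validate untrusted input before it reaches the typed call, so an
// oversized key is handled as "not found" instead of surfacing as an uncaught TypeError.
function lookup(PDO $db, string $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];
    }
    return findTyped($db, $id);
}

$huge = '9223372036854775808'; // constructed input: one past PHP_INT_MAX on 64-bit builds
var_dump(findUntyped($db, $huge));   // query failure path: no exception is raised
try {
    findTyped($db, $huge);           // type-declaration path
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), "\n"; // left uncaught, this is a fatal error
}
var_dump(lookup($db, $huge));        // rejected by validation before the typed call
var_dump(lookup($db, '42'));         // in-range key reaches the query normally

// SQLite type affinity: the INTEGER column accepts the oversized literal and stores it as REAL.
$db->prepare('INSERT INTO orders (customer_id) VALUES (?)')->execute([$huge]);
var_dump($db->query('SELECT typeof(customer_id) FROM orders')->fetchAll(PDO::FETCH_COLUMN));
```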