Newsgroups: php.internals
Date: Thu, 14 May 2015 20:27:21 +0900
To: Arvids Godjuks
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Adding "numeric" type hint
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Arvids,

On Mon, May 11, 2015 at 8:01 PM, Arvids Godjuks wrote:
> Hello, I have read through your blog post, and I agreed on the issue
> earlier, but I have a question that has bugged me for a while: what DoS issue are
> you talking about? I tried to imagine any scenario that can lead to a DoS
> with a type hint and can't think of any happening...

A too-large value raises a TypeException (thanks Nikita).

DoS is easy on 32-bit CPU machines, but it's possible on 64-bit machines also.

The simplest scenario would be a client-side DoS. Many IoT devices will remain 32-bit, and if one gets a result value larger than 2 billion, execution may be stopped suddenly by an unhandled exception. A library/framework that uses basic type hints may harm a system like this.

Some databases support unsigned INT8. Most databases support NUMERIC/DECIMAL, which can hold values larger than a signed 64-bit int. If an attacker finds a way to store a too-large ID somewhere (e.g. as JSON/XML text that queries the database), then the system may use the value against type-hinted functions/methods.

Without basic type hints, these concerns did not exist.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
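An added illustration of the scenario described in the message above; this is not code from the thread, from PHP itself, or from any library. It assumes PHP 7.1 or later in the default coercive typing mode; loadRecord() and parseId() are hypothetical names, and the JSON document is constructed for the example. The point it shows: json_decode() turns an integer literal that does not fit PHP_INT_MAX into a float, and passing that float to an int-declared parameter throws a TypeError, so untrusted numbers need a range check before they reach typed code.

```php
<?php
// Coercive (default) typing mode, the mode most library code runs in.

// A library function with a basic "int" type declaration (hypothetical name).
function loadRecord(int $id): string
{
    return "record #$id";
}

// Constructed attacker-controlled input: an id that does not fit into a
// signed 64-bit integer (on a 32-bit build, anything above 2147483647
// overflows the same way, e.g. the "2 billion" mentioned in the thread).
$json = '{"id": 9223372036854775808}';

// json_decode() silently converts the overflowing literal into a float.
$data = json_decode($json, true);
var_dump($data['id']);

// Passing that float to an int parameter throws a TypeError. Left uncaught,
// it terminates the request, or the main loop of a small device.
try {
    echo loadRecord($data['id']), "\n";
} catch (TypeError $e) {
    echo "TypeError: ", $e->getMessage(), "\n";
}

// Hardened: validate the untrusted value before it reaches typed code.
// FILTER_VALIDATE_INT rejects anything outside [min_range, PHP_INT_MAX],
// including overflowed floats and over-long numeric strings, so the check
// automatically matches the integer width of the build it runs on.
function parseId($raw): ?int
{
    if (is_float($raw)) {
        return null; // a float here means the decoder already overflowed
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$id = parseId($data['id']);
if ($id === null) {
    echo "rejected: id is not a valid positive integer on this platform\n";
} else {
    echo loadRecord($id), "\n";
}

// Keeping the original digits as a string instead of letting json_decode()
// round them to a float gives parseId() the exact value to check.
$data = json_decode($json, true, 512, JSON_BIGINT_AS_STRING);
var_dump(parseId($data['id']));
```

The same validation applies to values read back from a database NUMERIC/DECIMAL or unsigned INT8 column: fetch them as strings and pass them through parseId() (or an equivalent range check) rather than handing the driver's result straight to an int-typed parameter.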