Newsgroups: php.internals
Xref: news.php.net php.internals:86226
Date: Fri, 15 May 2015 15:12:32 +1000
From: davidkmuir@gmail.com (David Muir)
To: Yasuo Ohgaki
Cc: Arvids Godjuks, internals@lists.php.net
Subject: Re: [PHP-DEV] Adding "numeric" type hint

> On 14 May 2015, at 9:27 pm, Yasuo Ohgaki wrote:
>
> Hi Arvids,
>
> On Mon, May 11, 2015 at 8:01 PM, Arvids Godjuks wrote:
>
>> Hello, I have read through your blog post, and I agreed on the issue
>> earlier, but I have a question that has bugged me for a while: what DoS issue are
>> you talking about? I tried to imagine any scenario that can lead to a DoS
>> with a type hint and can't think of any happening...
>
>
> Too large a value raises a TypeException (Thanks Nikita)
> DoS is easy on 32-bit CPU machines, but it's possible on 64-bit machines
> also.
>
> The simplest scenario would be a client-side DoS. Many IoT devices will remain 32-bit,
> and if one gets a result value larger than 2 billion, execution may be stopped
> suddenly by an unhandled exception. A library/framework that uses basic type hints
> may harm a system like this.
>
> Some databases support unsigned INT8. Most databases support NUMERIC/DECIMAL,
> which can have values larger than a signed 64-bit int. If an attacker finds a way to
> store a too-large ID somewhere (e.g. as JSON/XML text that queries the database),
> then the system may use the value against type-hinted functions/methods.
>
> Without basic type hints, these concerns didn't exist.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net

Yasuo,

I still don't see how you can put the blame for the unhandled exception on type hints.
The problem you're describing is not new and exists today with libraries using code like this:

    function foo($int) {
        if (!is_int($int)) {
            throw new InvalidArgumentException('Parameter must be of type int');
        }
        // … do something with $int
    }

Cheers,
David
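The following is an added example, not code from the thread or from either poster, illustrating the point the two messages argue over: an ID too large for PHP's native int arrives as a float, and it is rejected both by David's manual is_int() check and by a scalar `int` type declaration, so the failure mode exists with or without type hints. It assumes PHP 7 or later on a 64-bit build, uses PHP 7's final `TypeError` name (the draft discussed in the thread called it TypeException), and feeds constructed JSON standing in for the "too large ID stored as JSON/XML text" Yasuo describes; the function names fooManual and fooTyped are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed input (not from the thread): small_id fits a signed 64-bit int,
// big_id is the maximum unsigned 64-bit value, as an unsigned INT8 / NUMERIC
// column could hold. json_decode() has no integer wide enough for big_id and
// silently returns a float for it. On a 32-bit PHP build even small_id, and
// anything above 2147483647, would already arrive as a float.
$json = '{"small_id": 9223372036854775807, "big_id": 18446744073709551615}';
$ids = json_decode($json, true);

// Library-style manual check, as in David's message.
function fooManual($int) {
    if (!is_int($int)) {
        throw new InvalidArgumentException('Parameter must be of type int');
    }
    return $int;
}

// The same function using the scalar type declaration the RFC adds. With
// strict_types=1 any float is a TypeError; even without strict_types, a float
// outside the PHP_INT_MIN..PHP_INT_MAX range is not coerced and still throws.
function fooTyped(int $int) {
    return $int;
}

foreach (['small_id', 'big_id'] as $key) {
    $value = $ids[$key];
    printf("%s: %s (%s)\n", $key, var_export($value, true), gettype($value));
    foreach (['fooManual', 'fooTyped'] as $fn) {
        try {
            $fn($value);
            echo "  $fn: accepted\n";
        } catch (InvalidArgumentException $e) {
            // Manual check: thrown by the library code itself.
            echo "  $fn: InvalidArgumentException: {$e->getMessage()}\n";
        } catch (TypeError $e) {
            // Type declaration: thrown by the engine at the call boundary.
            echo "  $fn: TypeError: {$e->getMessage()}\n";
        }
    }
}
```

Run with `php example.php`: small_id is accepted by both functions, big_id is refused by both, once as an InvalidArgumentException and once as a TypeError. Either exception will terminate the script if nothing catches it, which is the behaviour the thread is debating; the practical difference is only who throws it, the library's own check or the engine.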