Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87748 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76647 invoked from network); 13 Aug 2015 23:10:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Aug 2015 23:10:03 -0000 Authentication-Results: pb1.pair.com header.from=anatol.php@belski.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=anatol.php@belski.net; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain belski.net from 85.214.73.107 cause and error) X-PHP-List-Original-Sender: anatol.php@belski.net X-Host-Fingerprint: 85.214.73.107 klapt.com Received: from [85.214.73.107] ([85.214.73.107:34139] helo=h1123647.serverkompetenz.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CE/F1-22150-6C32DC55 for ; Thu, 13 Aug 2015 19:09:59 -0400 Received: by h1123647.serverkompetenz.net (Postfix, from userid 1006) id AA62023D6299; Fri, 14 Aug 2015 01:09:55 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on h1123647.serverkompetenz.net X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.5 tests=ALL_TRUSTED,BAYES_00, URIBL_BLOCKED autolearn=unavailable version=3.3.2 Received: from w530phpdev (p579F3987.dip0.t-ipconnect.de [87.159.57.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by h1123647.serverkompetenz.net (Postfix) with ESMTPSA id BF1C023D6003; Fri, 14 Aug 2015 01:09:53 +0200 (CEST) To: "'Dan Ackroyd'" , "'Christoph Becker'" Cc: References: In-Reply-To: Date: Fri, 14 Aug 2015 01:09:56 +0200 Message-ID: <066601d0d61d$2dbb4e30$8931ea90$@belski.net> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQGpQ2TeSytRGVHqXWOQEYcRS7At755Zrn4w Content-Language: en-us Subject: RE: [PHP-DEV] PCRE jit security hole WAS PCRE JIT stack size limit From: anatol.php@belski.net ("Anatol Belski") > -----Original Message----- > From: Dan Ackroyd [mailto:danack@basereality.com] > Sent: Thursday, August 13, 2015 5:00 PM > To: Christoph Becker > Cc: internals@lists.php.net > Subject: [PHP-DEV] PCRE jit security hole WAS PCRE JIT stack size = limit >=20 > On 23 July 2015 at 11:07, Christoph Becker wrote: > > PHP7 supports PCRE's JIT compilation of patterns by default, which > > mostly works fine. However, there are issues when the matching > > exceeds the JIT stack limit, see bug #70110[1]. >=20 >=20 > So to summarise and bring more people's attention to this = conversation; the > change to using pcre.jit does not seem to be a fantastic one. It = allows > preg_match to fail silently e.g. this code: >=20 > preg_match('~(a)*~', str_repeat('a', 5431), $match); var_dump($match); >=20 > gives the output: >=20 > array(0) { > } >=20 > i.e. there is no notification that the preg_match failed to match. >=20 > People use preg_match for black/white listing input for security = purposes. As the > input is under attacker control this seems like a very bad situation, = as attackers > will be able to figure out what input can be used to make those = security checks > give incorrect results silently. >=20 > I don't think we should ship PHP 7 with this issue unresolved. A = suggested fix for > PHP 7.1 has been mentioned: >=20 Could you please point to a real example where security is hurt, maybe = in a real app? A security one were like password match. But even if an = attacker sends str_repeat('a', 5431) and application doesn't check = input password length - it's a flaw in the app itself with or without = jit. If at the same time the stored password were "(a)*" and not escaped = prior to matching - same, it's already a security flaw before. Thanks Anatol