Newsgroups: php.internals
Date: Thu, 26 Nov 2015 20:35:08 +0100
From: me@kelunik.com (Niklas Keller)
To: Nikita Popov
Cc: PHP internals, Anatol Belski, Remi Collet
Subject: Re: [PHP-DEV] HashDos protection

> 3. (Fatal error on many collisions). While the two previous options try to
> ensure that hashtables stay efficient regardless of the used keys, the last
> option aims to simply detect malicious array keys and abort the script in
> such a case.
>
> This is done by counting the number of collisions during hashtable
> insertion operations and throwing a fatal error if this collisions count
> exceeds a certain threshold.

Would this be a catchable Error (implementing Throwable) or a real fatal?
Having a real fatal could lead to a DOS in Aerys as you'd be able to crash
workers with carefully crafted input variables then.

Thanks, Niklas
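
The collision-counting check from the quoted proposal, sketched in C as an added example that is not part of the original message and is not php-src code. The toy table, `NBUCKETS`, `MAX_COLLISIONS` and all function names are assumptions; the limit is reported as a status code so a caller can reject one request without ending the process, which is the distinction the reply asks about.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 8u        /* toy fixed-size table (assumption) */
#define MAX_COLLISIONS 4u  /* hypothetical threshold; the thread gives no value */

enum ht_status { HT_OK = 0, HT_TOO_MANY_COLLISIONS = -1, HT_NOMEM = -2 };
struct node { uint64_t key; int value; struct node *next; };
struct table { struct node *bucket[NBUCKETS]; };

/* Insert or update a key. Every entry in the bucket with a different key
 * counts as one collision; past the threshold the insert is refused with
 * a status code instead of aborting the process. */
enum ht_status ht_insert(struct table *t, uint64_t key, int value)
{
    struct node **slot = &t->bucket[key & (NBUCKETS - 1)];
    unsigned collisions = 0;
    for (struct node *n = *slot; n != NULL; n = n->next) {
        if (n->key == key) { n->value = value; return HT_OK; }
        if (++collisions > MAX_COLLISIONS) return HT_TOO_MANY_COLLISIONS;
    }
    struct node *fresh = malloc(sizeof *fresh);
    if (fresh == NULL) return HT_NOMEM;
    fresh->key = key; fresh->value = value; fresh->next = *slot;
    *slot = fresh;
    return HT_OK;
}

/* Load one request's keys; stop at the first refused insert and return how
 * many keys were accepted. The calling worker keeps running either way. */
size_t load_request(struct table *t, const uint64_t *keys, size_t n,
                    enum ht_status *status)
{
    size_t accepted = 0;
    *status = HT_OK;
    for (size_t i = 0; i < n && *status == HT_OK; i++) {
        *status = ht_insert(t, keys[i], (int)i);
        if (*status == HT_OK) accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample: every key maps to bucket 0 of the toy table. */
    const uint64_t keys[] = {0, 8, 16, 24, 32, 40, 48};
    struct table t = {0};
    enum ht_status st;
    size_t ok = load_request(&t, keys, sizeof keys / sizeof keys[0], &st);
    printf("accepted=%zu status=%d\n", ok, (int)st);
    return 0;
}
```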