Newsgroups: php.internals
Date: Fri, 27 Nov 2015 08:44:36 +0000
From: leight@gmail.com (Leigh)
To: Nikita Popov, PHP internals, Anatol Belski, Remi Collet
Subject: Re: [PHP-DEV] HashDos protection

On Thu, 26 Nov 2015 at 17:25 Nikita Popov wrote:

> This will throw a fatal error if the number of
> collisions during an insertion operation exceeds a certain threshold.
>

To me this feels like it's just moving a DoS vector from one place to another.

As Niklas already pointed out, he is directly affected by this.

I was considering the scenario:

1) Open resources
2) json_decode
3) Do stuff
4) Clean up resources

This makes the DoS more application specific, but there's any number of creative uses for making an application unexpectedly fail half way through.

You can argue it's similar to any DoS that causes a request to run out of memory half way through, it is in some ways.

I don't think an exception is right for this either. People blindly catch all exceptions because they can.

Not sure what to suggest.