Newsgroups: php.internals
Subject: RE: [PHP-DEV] HashDos protection
From: anatol.php@belski.net ("Anatol Belski")
To: "'Nikita Popov'", "'PHP internals'", "'Remi Collet'"
Date: Sat, 28 Nov 2015 00:41:45 +0100
Message-ID: <002801d1296d$2fe7a7a0$8fb6f6e0$@belski.net>

Hi Nikita,

> -----Original Message-----
> From: Nikita Popov [mailto:nikita.ppv@gmail.com]
> Sent: Thursday, November 26, 2015 6:25 PM
> To: PHP internals; Anatol Belski; Remi Collet
> Subject: [PHP-DEV] HashDos protection
>
> Hi internals!
>
> This mail turned out to be rather long, so I'll start with a TL;DR:
>
> To fix the HashDos vulnerability for *all* cases (rather than just GET/POST
> parsing), I propose to introduce collision counting during hashtable insertion
> operations. This will throw a fatal error if the number of collisions during an
> insertion operation exceeds a certain threshold.
>
> Implementation: https://github.com/php/php-src/pull/1565
>
> From my testing the change has no negative performance impact. The change is
> small and does not break ABI.
>
> Tracking bug (with various implementations):
> https://bugs.php.net/bug.php?id=70644
>
> What are your thoughts on this?
>

Responding to the short version as well :)

I was checking your patch and I think it is great. Currently I see no ABI breach (please correct me if I err). So IMHO after sufficient discussion, corrections and testing, given there's still no ABI incompatibility, it should be backported to 7.0 as early as possible.

Regards

Anatol
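The collision-counting insert Nikita proposes, as an added example that is not PHP's code or the code in the linked PR: a toy chained hash table whose insert counts the colliding entries it walks and refuses the insert once a threshold is reached (the point at which PHP's patch raises a fatal error). TABLE_SIZE, MAX_COLLISIONS, the result codes and the helper names are constructed for this example; constant_hash is only a test double that forces every key into one bucket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE     64  /* constructed: small enough to keep the example short */
#define MAX_COLLISIONS  8  /* constructed threshold; PHP's own constant differs */
enum { HT_INSERTED = 0, HT_UPDATED = 1, HT_TOO_MANY_COLLISIONS = -1 };

typedef struct entry { char *key; int value; struct entry *next; } entry;
/* The hash is injectable so a test can force every key into one bucket. */
typedef struct { unsigned (*hash)(const char *); entry *buckets[TABLE_SIZE]; } table;

unsigned djb2_hash(const char *key) {  /* DJB2 for normal use; any string hash works */
    unsigned h = 5381;
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    return h;
}
/* Degenerate hash standing in for an attacker-chosen set of colliding keys. */
unsigned constant_hash(const char *key) { (void)key; return 0; }
void table_init(table *t, unsigned (*hash)(const char *)) {
    memset(t, 0, sizeof *t);
    t->hash = hash ? hash : djb2_hash;
}

/* Insert or update. Each chain entry sharing the bucket but not the key is one
 * collision; at MAX_COLLISIONS the insert is refused, the point at which PHP's
 * patch raises a fatal error instead of letting the bucket degrade to O(n). */
int table_insert(table *t, const char *key, int value) {
    entry **slot = &t->buckets[t->hash(key) % TABLE_SIZE];
    unsigned collisions = 0;
    for (entry *e = *slot; e; e = e->next) {
        if (strcmp(e->key, key) == 0) { e->value = value; return HT_UPDATED; }
        if (++collisions >= MAX_COLLISIONS) return HT_TOO_MANY_COLLISIONS;
    }
    entry *e = malloc(sizeof *e); size_t len = strlen(key) + 1;
    if (!e || !(e->key = malloc(len))) abort();
    memcpy(e->key, key, len);
    e->value = value; e->next = *slot; *slot = e;
    return HT_INSERTED;
}

/* Inserts keys "k0".."k(n-1)" and returns how many were accepted before refusal. */
int fill_until_refused(table *t, int n) {
    for (int i = 0; i < n; i++) {
        char key[16];
        snprintf(key, sizeof key, "k%d", i);
        if (table_insert(t, key, i) == HT_TOO_MANY_COLLISIONS) return i;
    }
    return n;
}
```

With the real hash, 100 distinct keys go in untouched; with every key forced into one bucket, the ninth insert is refused while updates of keys already in the chain still succeed.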