Newsgroups: php.internals
Xref: news.php.net php.internals:89489
Date: Mon, 30 Nov 2015 11:39:54 +0000
In-Reply-To: <010e01d12978$231e7cf0$695b76d0$@lool.fr>
Subject: Re: [PHP-DEV] RE: HashDos protection
From: t.carnage@gmail.com (Chris Riley)
To: Pascal KISSIAN
Cc: Nikita Popov, PHP internals

On 28 November 2015 at 01:00, Pascal KISSIAN wrote:
> -----Original message-----
> From: Nikita Popov [mailto:nikita.ppv@gmail.com]
> Sent: Thursday, 26 November 2015 18:25
> To: PHP internals; Anatol Belski; Remi Collet
> Subject: HashDos protection
>
> > Hi internals!
> > This mail turned out to be rather long, so I'll start with a TL;DR:
> >
> > To fix the HashDos vulnerability for *all* cases (rather than just
> > GET/POST parsing), I propose to introduce collision counting during
> > hashtable insertion operations. This will throw a fatal error if the number
> > of collisions during an insertion operation exceeds a certain threshold.
> >
> > In PHP 5.3.9 a partial fix for the HashDos vulnerability was introduced
> > in the form of max_input_vars.
>
> Hi everybody...
> I am very new to this mailing list, and I do not know if my thinking about
> this problem is good, but in my opinion, this kind of attack is based on
> the fact that the hacker knows in advance how to compute the hash value in
> order to generate collisions.
>
> If a random salt was added in the _zend_array struct (at a cost of the
> salt size, 4 bytes? for each hash table),
> then if the hash computation takes that salt into account (add an ht
> parameter to each function that calculates the hash),
> it would be impossible to predict the hash of a value.
> So impossible to perform such kind of attack...
>
> What do you think about that?
>
> Perhaps if you do not want to increase the size of the _zend_array
> struct, a random salt initialized at the init of a php program (the
> same for all hash tables, that changes at each run) could be enough!
>
> Best regards,
> Pascal KISSIAN
>

As a bare minimum, such a salt would need to be XOR'd with the string before hashing; simple addition still produces collisions. I suspect it would still be easy to produce collisions, however my math is not good enough (at least not on a Monday morning) to figure out how.
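To make the two points in this thread concrete, the following is an added example (not code from the thread, and not PHP's own implementation). It models DJBX33A, the string hash PHP uses for array keys, with an assumed 32-bit width; it shows why a salt folded in additively (as the hash's initial state) leaves every same-length collision intact for every salt value, while XOR-mixing the salt into the bytes at least changes the relative hash values; and it models Nikita's insertion-time collision counting, which catches the degenerate bucket regardless of how the hash is salted. The two salt placements, the per-position XOR construction, and the collision limit of 4 are assumptions for the demo; the colliding key set is a constructed sample input.

```python
# Added example, not part of the mailing-list thread and not PHP's own code.
# Toy model of: DJBX33A string hashing, an additive vs an XOR'd salt, and
# insertion-time collision counting. Salt placements and the limit are assumed.
from itertools import product

MASK = 0xFFFFFFFF  # assumption: 32-bit zend_ulong for the demonstration


def djbx33a(data: bytes, seed: int = 5381) -> int:
    """DJBX33A: h = h * 33 + c over the bytes, starting from the seed."""
    h = seed
    for c in data:
        h = (h * 33 + c) & MASK
    return h


def salted_by_addition(data: bytes, salt: int) -> int:
    """Salt folded in additively, as the initial state (assumed placement).
    The result is salt*33**len(data) + (unsalted terms), so two same-length
    inputs that collided without the salt still collide for every salt."""
    return djbx33a(data, (5381 + salt) & MASK)


def salted_by_xor(data: bytes, salt: int) -> int:
    """Salt XOR'd into the bytes before hashing (assumed construction:
    byte i is XOR'd with salt byte i % 4). Relative hash values now depend
    on the salt, so pre-computed same-length collisions no longer carry over."""
    sb = salt.to_bytes(4, "little")
    return djbx33a(bytes(c ^ sb[i % 4] for i, c in enumerate(data)))


# Constructed sample input: b"Ez" and b"FY" hash equally under DJBX33A
# (69*33 + 122 == 70*33 + 89), and concatenating colliding blocks keeps the
# collision, so these 8 six-byte keys all share one hash value.
COLLIDING_KEYS = [b"".join(p) for p in product([b"Ez", b"FY"], repeat=3)]


def distinct_hashes(hash_fn, keys, salt=None) -> int:
    """Number of different hash values a key set produces (1 == total collision)."""
    return len({hash_fn(k) if salt is None else hash_fn(k, salt) for k in keys})


class CollisionLimitExceeded(Exception):
    pass


class CountingHashTable:
    """Chained table that counts the chain entries walked on each insert and
    bails out once that count passes a limit, modelling the collision-counting
    proposal. The limit of 4 is an assumption for the demo, not PHP's value."""

    def __init__(self, nbuckets: int = 64, limit: int = 4):
        self.nbuckets = nbuckets
        self.limit = limit
        self.buckets = [[] for _ in range(nbuckets)]

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[djbx33a(key) % self.nbuckets]
        collisions = 0
        for entry in chain:
            if entry[0] == key:  # existing key: update in place, no new collision
                entry[1] = value
                return
            collisions += 1
        if collisions > self.limit:
            raise CollisionLimitExceeded(f"{collisions} collisions on insert")
        chain.append([key, value])


def insert_all(keys, limit: int = 4) -> int:
    """Insert keys in order; return how many went in before the limit tripped."""
    table = CountingHashTable(limit=limit)
    for i, k in enumerate(keys):
        try:
            table.insert(k, i)
        except CollisionLimitExceeded:
            return i
    return len(keys)


if __name__ == "__main__":
    print("unsalted distinct hashes:", distinct_hashes(djbx33a, COLLIDING_KEYS))
    print("additive salt 0xDEADBEEF:", distinct_hashes(salted_by_addition, COLLIDING_KEYS, 0xDEADBEEF))
    print("xor salt 0x2000:", distinct_hashes(salted_by_xor, COLLIDING_KEYS, 0x2000))
    print("keys inserted before the limit tripped:", insert_all(COLLIDING_KEYS))
```

The additive case is the one Chris objects to: because the seed term is multiplied by the same power of 33 for every key of a given length, it cancels out of any comparison between two keys, and the salt buys nothing against a pre-computed collision set. The XOR variant does separate the sample set for a salt such as 0x2000, but that only shows the relative values now depend on the salt, not that collisions are hard to find under it, which is exactly the doubt Chris raises. The counting table is the hash-independent safety net: whichever salt scheme is used, an insert that walks more than the limit of colliding entries aborts instead of letting the chain grow without bound.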