Newsgroups: php.internals
Date: Tue, 1 Dec 2015 23:40:56 +0700
To: Dmitry Stogov
Cc: Remi Collet, Anatol Belski, Nikita Popov, PHP internals
Subject: Re: [PHP-DEV] HashDos protection
From: pierre.php@gmail.com (Pierre Joye)

On Dec 1, 2015 4:50 PM, "Dmitry Stogov" wrote:
>
> I think only big arrays coming from external sources should be checked.

I tend to agree here. We discussed it with Remote last week. I was trying to explain why having a crafted hash function for inputs may be better and safer. That includes get/post/env/serialize/json and the like.

The performance impact for these is most likely minimal for only them while ensuring a better protection from a long term point of view.

I may be wrong and did not think much more than brainstorming about it. So take it with a bit of salt :)