Newsgroups: php.internals
Subject: Re: HashDoS
From: fsb@thefsb.org (Tom Worster)
To: Scott Arciszewski, PHP Internals
Date: Tue, 20 Sep 2016 10:22:49 -0400
Message-ID: <27cb79b8-2501-289c-f9f3-091bacca7874@thefsb.org>

On 9/15/16 2:48 PM, Scott Arciszewski wrote:
> Would the Internals team be open to discussing mitigating HashDoS in a
> future version of PHP? i.e. everywhere, even for json_decode() and friends,
> by fixing the problem rather than capping the maximum number of input
> parameters and hoping it's good enough.
>
> I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/
>
> (Look at all the other languages that already adopted SipHash.)

I briefly looked through the "Users" list and didn't find anything
equivalent to using it as PHP's internal base hash. Python and Rust have
an implementation available to users. Ruby is using it internally but I
think it's focused on JSON. There's some good info[1] on the situation in
Perl 5. While SipHash is available, it requires a non-default compile-time
option.

Correct me if I'm not reading the situation right.

Tom

[1] http://news.perlfoundation.org/2012/12/improving-perl-5-grant-report-11.html