Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96038
Return-Path: <fsb@thefsb.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 40210 invoked from network); 20 Sep 2016 14:22:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Sep 2016 14:22:52 -0000
Authentication-Results: pb1.pair.com header.from=fsb@thefsb.org; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=fsb@thefsb.org; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain thefsb.org designates 173.203.187.123 as permitted sender)
X-PHP-List-Original-Sender: fsb@thefsb.org
X-Host-Fingerprint: 173.203.187.123 smtp123.iad3a.emailsrvr.com  
Received: from [173.203.187.123] ([173.203.187.123:60072] helo=smtp123.iad3a.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 02/E7-19521-C3641E75 for <internals@lists.php.net>; Tue, 20 Sep 2016 10:22:52 -0400
Received: from smtp16.relay.iad3a.emailsrvr.com (localhost [127.0.0.1])
	by smtp16.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id ED30EC016B;
	Tue, 20 Sep 2016 10:22:49 -0400 (EDT)
X-Auth-ID: fsb@thefsb.org
Received: by smtp16.relay.iad3a.emailsrvr.com (Authenticated sender: fsb-AT-thefsb.org) with ESMTPSA id D504EC0420;
	Tue, 20 Sep 2016 10:22:49 -0400 (EDT)
X-Sender-Id: fsb@thefsb.org
Received: from yossy.local (c-66-30-62-12.hsd1.ma.comcast.net [66.30.62.12])
	(using TLSv1.2 with cipher DHE-RSA-AES128-SHA)
	by 0.0.0.0:587 (trex/5.7.7);
	Tue, 20 Sep 2016 10:22:49 -0400
To: Scott Arciszewski <scott@paragonie.com>,
 PHP Internals <internals@lists.php.net>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
Message-ID: <27cb79b8-2501-289c-f9f3-091bacca7874@thefsb.org>
Date: Tue, 20 Sep 2016 10:22:49 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
 Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: HashDoS
From: fsb@thefsb.org (Tom Worster)

On 9/15/16 2:48 PM, Scott Arciszewski wrote:

> Would the Internals team be open to discussing mitigating HashDoS in a
> future version of PHP? i.e. everywhere, even for json_decode() and friends,
> by fixing the problem rather than capping the maximum number of input
> parameters and hoping it's good enough.
>
> I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/
>
> (Look at all the other languages that already adopted SipHash.)

I briefly looked through the "Users" list and didn't find anything 
equivalent to using it as PHP's internal base hash.

Python and Rust have an implementation available to users. Ruby is using 
it internally but I think it's focused on JSON.

There's some good info[1] on the situation in Perl 5. While SipHash is 
available it requires a non-default compile-time option.

Correct me if I'm not reading the situation right.

Tom

[1] 
http://news.perlfoundation.org/2012/12/improving-perl-5-grant-report-11.html