Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96048 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 25280 invoked from network); 21 Sep 2016 12:02:25 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Sep 2016 12:02:25 -0000 Authentication-Results: pb1.pair.com smtp.mail=geggleto@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=geggleto@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.54 as permitted sender) X-PHP-List-Original-Sender: geggleto@gmail.com X-Host-Fingerprint: 209.85.215.54 mail-lf0-f54.google.com Received: from [209.85.215.54] ([209.85.215.54:33981] helo=mail-lf0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id BD/52-04117-FC672E75 for ; Wed, 21 Sep 2016 08:02:24 -0400 Received: by mail-lf0-f54.google.com with SMTP id y6so38917967lff.1 for ; Wed, 21 Sep 2016 05:02:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dwt7cCOzhrps53w1O6HUx2lJzTzvwx3JMClpKG15gRc=; b=OMCHbSsEK67hrCRGye2n+XvTB7157EffzQ6sVoevOCoxW/FeUKXsVEUVFf5xUQwEmf RLbOQRCOdMSIh2Xox0SYeVRImDAAwjULe/EdkEpRwCbjnol2yPuplymKkAzd3sLk/WQu 8Lf+PVNLwYvSMArDS0uJb4s9EQfzg0+zIDo4fsn9FoDr0psE6Il5FBBVqpzlelOszzd/ loxLXxqQeQMlHXLWawCzXPipO1djhhmIBxRsJz0IB/dRz1C8MGk2awIQJ2bY4l5NH91C hGmANPizWi48Lh5qrg8nZ/2u4InLxP0h9KMYyjN+jXqA+ZFl2frXiVyv1it17/ogR8RH Ss/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dwt7cCOzhrps53w1O6HUx2lJzTzvwx3JMClpKG15gRc=; b=esy1whIt/7EqEULlIU8SdsyZplFLq8LpwFuYxueN5YXwCSH7LuS9n9GOXBggHa07KI FqIWNKOfGA2kCBpA9gwxignSUfy4L+lM+yTOdjassy2/7BTXHOdpopO29WPFop5dLYIR AOW9vaf6IAafZq5dtQANHHIGaoTpZEvRkz/YLOKwvINMelotb1MEzLFjHOVbQsxXVduS uePMEPBjI4gKF9RoqiSY2tC5dwWAHWHvy+zlmKQb9KVLLyC5kV+ElW2fZtTuw2hy9aFM NNrHcWKkLC4CxKV97OTYAIfz12/Y/jxmgw7cRlu9XYz8hQHiMzGyv6VJgiflS85dcZzK B2lA== X-Gm-Message-State: AE9vXwO2OGaDhBKieAl0eElTXD0tQ7Nz6xgC1oos8HNnHeZ7W0oUdGt4gH1qvwXGTd3gv5srvWnlFAcOtSP+uw== X-Received: by 10.25.207.10 with SMTP id f10mr14321512lfg.108.1474459340948; Wed, 21 Sep 2016 05:02:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.158.2 with HTTP; Wed, 21 Sep 2016 05:02:20 -0700 (PDT) In-Reply-To: References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> Date: Wed, 21 Sep 2016 08:02:20 -0400 Message-ID: To: Niklas Keller Cc: Yasuo Ohgaki , Stanislav Malyshev , Scott Arciszewski , Thomas Hruska , PHP Internals Content-Type: multipart/alternative; boundary=001a1141886e40cc24053d035126 Subject: Re: [PHP-DEV] HashDoS From: geggleto@gmail.com (Glenn Eggleton) --001a1141886e40cc24053d035126 Content-Type: text/plain; charset=UTF-8 Hello, What if we had some sort of configuration limit on collision length? Would give most of us a viable way to prevent our apps from being attacked, and yet in the use cases where we require a higher limit we retain the ability to up the limit or disable it completely. Regards, Glenn On Wed, Sep 21, 2016 at 4:06 AM, Niklas Keller wrote: > 2016-09-21 8:54 GMT+02:00 Yasuo Ohgaki : > > > Hi Stas, > > > > On Wed, Sep 21, 2016 at 11:26 AM, Stanislav Malyshev > > wrote: > > > > > >> I think we are better to limit max collisions. > > >> I'm +1 for Nikita's proposal does this. > > > > > > Max collision per what? How much would be the limit? > > > > Collision by keys. > > > > It would be nice to have configurable limit like regex stack/backtrack > > limit. > > That said, wouldn't 1000 enough for almost all apps? > > > > Having a limit isn't a good idea for all use cases, but it works for some. > > > > Anyway, we have two choices > > - Simply limit the number of collisions. (Fast and has no impact to > code) > > > > It totally has impact to code. What happens if we have enough collisions? > Throw an exception? Might break code, any array insert operation might > suddenly fail. Simply fatal? Not suitable for long running applications > like Aerys (https://github.com/amphp/aerys) or PPM ( > https://github.com/php-pm/php-pm). > > I guess to support these use cases, we have to switch to a cryptographic > hash function here. But I guess it would be totally fine having such a > feature as compile flag, limiting the number of collisions usually and > provide a cryptographic hash function for long running apps to protect > them. > > I think such an option is fine for those running long running applications, > since they don't rely on setups like shared hosting and can usually compile > their own versions. > > > > - Use crypt safe hash and salt. (Slow and has impact to opcache/etc) > > > > Do we need a salt here? If not, how does it then impact opcache? > > > > Limiting something is good to have sometimes. > > Python even limits number of recursions to 1000 by default. > > > > Recursion is / should not be affected by user input and thus is a slightly > different topic. > > Regards, Niklas > > > > We have PCRE stack/backtrack limits. (We'll have mbregex stack limit > soon) > > Collision limit is good one also. > > > > Regards, > > > > -- > > Yasuo Ohgaki > > yohgaki@ohgaki.net > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > --001a1141886e40cc24053d035126--