Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96092
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 26338 invoked from network); 22 Sep 2016 07:52:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Sep 2016 07:52:13 -0000
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.47 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.213.47 mail-vk0-f47.google.com  
Received: from [209.85.213.47] ([209.85.213.47:35036] helo=mail-vk0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C5/03-01233-CAD83E75 for <internals@lists.php.net>; Thu, 22 Sep 2016 03:52:12 -0400
Received: by mail-vk0-f47.google.com with SMTP id o139so13427068vka.2
        for <internals@lists.php.net>; Thu, 22 Sep 2016 00:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=rz+aENI7AlMB3/Ni7F/eBFIZBRf7o09C+oRsa3H2VFQ=;
        b=jMsb4oKEhzBSM2AhVDZHPZGb41r/hP9S3MxAgtpzqfKoj9/oI/AuWIZZukd+Cwes2P
         fsarrDSdV8Mb2Xgs4twPo+IVcrtt0BQjjpgv04K1FFZZY/srMUGYOtB8u3W+2rAh1btQ
         yYwicf1hFZrCYrKNsf+on/HVnuonz5B0lPooA4KQMIRanXER4an4PKwui73cztqpFCPd
         lVw2U4PsYPV9Yg/rKJvguR1U656S6mAYTRFOy9szl3xCIK/xMDY5fx1UQLt6aaE0DVdw
         McOARVLHUGchr7oEl6+cXqYMLofXJcMAB8SleuoMlNgUAf4PaPpqKWTKYKdFE24V23Ek
         Z01g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=rz+aENI7AlMB3/Ni7F/eBFIZBRf7o09C+oRsa3H2VFQ=;
        b=Bl0Ub7D7f3mL5byY6L7u2tloSPNmg/unRaqJCoWWvft6GDlcRmsOqJmqx6r3iqUcne
         PiJ8m7rPX6txGo5e5gDXHENenLQzxXP1pzrgQ9vFSIm1pSvC92UcSeWAJ93v8JBYSaS8
         CepWU3fD3nRxF8Li0MWMX7dkguGxI41Vo2o8LiUjIQ8/tDx7gaole5PM/nII/nrED62i
         D3qbkU6ECWYRvKC15WEVQX+yzkBUH1n8OaowF7+8sR/EvwuPw4JIKK/nNWP27XlspV47
         9ivBdcLlbhvM7rb5cge1cJWNXycD8VEEdSvqlD+jNci8HiTzlrAcHJl11MJpYd7dS2qk
         SqTg==
X-Gm-Message-State: AE9vXwMuudjI4XSP8xSqfWPnHkohc/45Elt+bhOkHKp97aZl002kx2fStTP3KnuK/XzgQGm46VRGF5xY+3c/Mw==
X-Received: by 10.31.77.132 with SMTP id a126mr429527vkb.1.1474530729509; Thu,
 22 Sep 2016 00:52:09 -0700 (PDT)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.31.174.151 with HTTP; Thu, 22 Sep 2016 00:52:08 -0700 (PDT)
Received: by 10.31.174.151 with HTTP; Thu, 22 Sep 2016 00:52:08 -0700 (PDT)
In-Reply-To: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <e741fec3-b301-647c-b24c-dec2fa92554c@gmail.com> <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com>
 <CAKws9z38_QhH8rnshJu=SP1Aav7jhMnVR2H992+Lse7iMeQ3oA@mail.gmail.com>
 <ffc669b5-8764-3879-0c5a-d047d75c9b45@gmail.com> <CAGa2bXYad=5CNKUR4GTR-uB8L1Gb-2CJk5Fiperz5D_CTL+rxw@mail.gmail.com>
 <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <CAGa2bXYNZwKrT=Ei8r1DghGjqOGiMUVPEGY31wYK9Hpt+C9XMQ@mail.gmail.com>
 <CANUQDCjcnFdPyG133z6g0DdRLZjUG=+BRhcv4Es9Z+WeoU-Prg@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com> <CAF+90c9HTpxtY8zeKoOfjdQXTkrVQSw8fb9Ws0-Qs_xmJtttZw@mail.gmail.com>
 <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com>
Date: Thu, 22 Sep 2016 08:52:08 +0100
X-Google-Sender-Auth: J9p-MkcRBLh46rsUwBXYWmnT_QE
Message-ID: <CAEKnhAGg829gi7uEBimZqdd-cTvAn4a1HmjDfEoYeLO93_L2wQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: Nikita Popov <nikita.ppv@gmail.com>, PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a114db14257c5bf053d13f06f
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)

--001a114db14257c5bf053d13f06f
Content-Type: text/plain; charset=UTF-8

On 22 Sep 2016 00:43, "Stanislav Malyshev" <smalyshev@gmail.com> wrote:
>
> Hi!
>
> > As linked in my first reply, there was a previous discussion on the
> > topic: http://markmail.org/message/ttbgcvdu4f7uymfb
> > The collision-counting approach that Yasuo references is linked at the
> > start of the first mail: https://github.com/php/php-src/pull/1565
> >
> > Collisions are counted during insertion operations. While we perform a
> > hashtable insertion, we first need to iterate over the existing buckets
> > for a certain hash to see if the insert is actually an update. The
> > implementation simply keeps track of how many buckets we inspect while
> > doing that. If the number is above a certain threshold, an error is
> > generated.
>
> So, count is per-lookup, then I think it's fine then. Sorry for
> misunderstanding it initially. Anything prevents us from merging it? If
> not, let's do it.
>

I don't like the initial version of the patch that was causing fatal error
for json_decode. That's not how json_decode should work. I think that Bob
came up later with a better version that was using json recursion error. It
might require a bit more work for 7.1 as I changed a json parser since then.

Cheers

Jakub

--001a114db14257c5bf053d13f06f--