Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96092 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 26338 invoked from network); 22 Sep 2016 07:52:13 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 22 Sep 2016 07:52:13 -0000 Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.47 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.213.47 mail-vk0-f47.google.com Received: from [209.85.213.47] ([209.85.213.47:35036] helo=mail-vk0-f47.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C5/03-01233-CAD83E75 for ; Thu, 22 Sep 2016 03:52:12 -0400 Received: by mail-vk0-f47.google.com with SMTP id o139so13427068vka.2 for ; Thu, 22 Sep 2016 00:52:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=rz+aENI7AlMB3/Ni7F/eBFIZBRf7o09C+oRsa3H2VFQ=; b=jMsb4oKEhzBSM2AhVDZHPZGb41r/hP9S3MxAgtpzqfKoj9/oI/AuWIZZukd+Cwes2P fsarrDSdV8Mb2Xgs4twPo+IVcrtt0BQjjpgv04K1FFZZY/srMUGYOtB8u3W+2rAh1btQ yYwicf1hFZrCYrKNsf+on/HVnuonz5B0lPooA4KQMIRanXER4an4PKwui73cztqpFCPd lVw2U4PsYPV9Yg/rKJvguR1U656S6mAYTRFOy9szl3xCIK/xMDY5fx1UQLt6aaE0DVdw McOARVLHUGchr7oEl6+cXqYMLofXJcMAB8SleuoMlNgUAf4PaPpqKWTKYKdFE24V23Ek Z01g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=rz+aENI7AlMB3/Ni7F/eBFIZBRf7o09C+oRsa3H2VFQ=; b=Bl0Ub7D7f3mL5byY6L7u2tloSPNmg/unRaqJCoWWvft6GDlcRmsOqJmqx6r3iqUcne PiJ8m7rPX6txGo5e5gDXHENenLQzxXP1pzrgQ9vFSIm1pSvC92UcSeWAJ93v8JBYSaS8 CepWU3fD3nRxF8Li0MWMX7dkguGxI41Vo2o8LiUjIQ8/tDx7gaole5PM/nII/nrED62i D3qbkU6ECWYRvKC15WEVQX+yzkBUH1n8OaowF7+8sR/EvwuPw4JIKK/nNWP27XlspV47 9ivBdcLlbhvM7rb5cge1cJWNXycD8VEEdSvqlD+jNci8HiTzlrAcHJl11MJpYd7dS2qk SqTg== X-Gm-Message-State: AE9vXwMuudjI4XSP8xSqfWPnHkohc/45Elt+bhOkHKp97aZl002kx2fStTP3KnuK/XzgQGm46VRGF5xY+3c/Mw== X-Received: by 10.31.77.132 with SMTP id a126mr429527vkb.1.1474530729509; Thu, 22 Sep 2016 00:52:09 -0700 (PDT) MIME-Version: 1.0 Sender: jakub.php@gmail.com Received: by 10.31.174.151 with HTTP; Thu, 22 Sep 2016 00:52:08 -0700 (PDT) Received: by 10.31.174.151 with HTTP; Thu, 22 Sep 2016 00:52:08 -0700 (PDT) In-Reply-To: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> Date: Thu, 22 Sep 2016 08:52:08 +0100 X-Google-Sender-Auth: J9p-MkcRBLh46rsUwBXYWmnT_QE Message-ID: To: Stanislav Malyshev Cc: Nikita Popov , PHP internals list Content-Type: multipart/alternative; boundary=001a114db14257c5bf053d13f06f Subject: Re: [PHP-DEV] HashDoS From: bukka@php.net (Jakub Zelenka) --001a114db14257c5bf053d13f06f Content-Type: text/plain; charset=UTF-8 On 22 Sep 2016 00:43, "Stanislav Malyshev" wrote: > > Hi! > > > As linked in my first reply, there was a previous discussion on the > > topic: http://markmail.org/message/ttbgcvdu4f7uymfb > > The collision-counting approach that Yasuo references is linked at the > > start of the first mail: https://github.com/php/php-src/pull/1565 > > > > Collisions are counted during insertion operations. While we perform a > > hashtable insertion, we first need to iterate over the existing buckets > > for a certain hash to see if the insert is actually an update. The > > implementation simply keeps track of how many buckets we inspect while > > doing that. If the number is above a certain threshold, an error is > > generated. > > So, count is per-lookup, then I think it's fine then. Sorry for > misunderstanding it initially. Anything prevents us from merging it? If > not, let's do it. > I don't like the initial version of the patch that was causing fatal error for json_decode. That's not how json_decode should work. I think that Bob came up later with a better version that was using json recursion error. It might require a bit more work for 7.1 as I changed a json parser since then. Cheers Jakub --001a114db14257c5bf053d13f06f--