Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96093 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 30248 invoked from network); 22 Sep 2016 09:08:32 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 22 Sep 2016 09:08:32 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.175 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 209.85.192.175 mail-pf0-f175.google.com Received: from [209.85.192.175] ([209.85.192.175:35927] helo=mail-pf0-f175.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 48/83-01233-F8F93E75 for ; Thu, 22 Sep 2016 05:08:31 -0400 Received: by mail-pf0-f175.google.com with SMTP id q2so28627023pfj.3 for ; Thu, 22 Sep 2016 02:08:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=IMkuzvhkzUxEGZxkHNkkg6ShNa9XCJvJ7Achf8mQldA=; b=xsiVld5zfNO/8ZTy4K6Hub8Rx0vU/lP1aCBStVJbS27ab7INzP/QaOLUGNeunL+NYs 5kUaoKwncIONGWc15RiHWVn8gJsOm9+qiHq3mTvHg3HseRHng/O0v9e2p2PVeI25tJxe UoYk56ZCqYc9KTVSNXkdtrmvUNKbIC1cfRHlqHeAijMzR8MryGwjj+GagkxIOv8a1FBM InmG5W2bz3htbrQEMkmlRv8Z/ptHpnxZ85Ti2KtLfPc6h28bA2309uXU3VKa4Mkj95XN mgc+7lK/+Agt9USeZajBz5Bxwf3EyHqAScPBmrYor4NgIQ4Y0RvQsK5PkIhuj75YzbUx kC+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=IMkuzvhkzUxEGZxkHNkkg6ShNa9XCJvJ7Achf8mQldA=; b=VycZITXb1TxC8fV2USerpWgGTioXv5uqk3WHX5U9cL+eB9nqe0LCZM5oRUT9R8RwmM mIY3WoJW908NTV4DRlNsa8SrqRoXZORIywKREGlqHExLcQ69+Wu6dbmTzi22Wd+YIO5M zPY7c5R/jGMMWTzpPgHoX17RxzFs+gySakcek6QfKPMpotp4/kKEHr8UKSeezcBHr4yN QN4S6walIMTQkuBSVSEqtueheOkosvbGL8qdhnzpBfzb6Av5YWXJwkAA2XV6n2tqcyHu gcY0LiyP3s/aGjj1GHZKUJ5cK+COTUD57YpJohwKa2XyCtfqnrSC+DlA0lzHoSdVw/xT 8kGQ== X-Gm-Message-State: AE9vXwPWTZBPyETK7q9SlDMXkswq3fdSip8GKPo2Y/Ggsg4kG9MoP50rZBahWQqBOP/zvg== X-Received: by 10.98.158.90 with SMTP id s87mr1486691pfd.117.1474535308392; Thu, 22 Sep 2016 02:08:28 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id xv9sm2249512pab.36.2016.09.22.02.08.25 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Sep 2016 02:08:27 -0700 (PDT) To: internals@lists.php.net References: <7d5727ba-da33-e3c5-1d1f-318c45d81616@cubiclesoft.com> <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> Message-ID: <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> Date: Thu, 22 Sep 2016 10:06:16 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] HashDoS From: rowan.collins@gmail.com (Rowan Collins) On 22/09/2016 08:52, Jakub Zelenka wrote: > I don't like the initial version of the patch that was causing fatal error > for json_decode. That's not how json_decode should work. I think that Bob > came up later with a better version that was using json recursion error. It > might require a bit more work for 7.1 as I changed a json parser since then. The point of the proposed patch is that it causes fatal error *anywhere* that a hash is attacked (and, as discussed, it really is only going to trigger on a crafted attack). Adding mitigations elsewhere such as in the JSON parser can be done *on top of* that, since they'll presumably catch the problem before the hash is inserted into. It's the same as if the attack caused an exponential amount of memory usage: the engine will bail out as soon as the hard memory limit is reached, but extensions can and should detect and avoid scenarios likely to cause that. Regards, -- Rowan Collins [IMSoP]