Newsgroups: php.internals
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)
To: Rowan Collins
Cc: PHP internals list
Date: Thu, 22 Sep 2016 10:48:32 +0100

On Thu, Sep 22, 2016 at 10:06 AM, Rowan Collins wrote:

> On 22/09/2016 08:52, Jakub Zelenka wrote:
>
>> I don't like the initial version of the patch that was causing a fatal error
>> for json_decode. That's not how json_decode should work. I think that Bob
>> came up later with a better version that was using the json recursion error.
>> It might require a bit more work for 7.1 as I changed the json parser since
>> then.
>
> The point of the proposed patch is that it causes a fatal error *anywhere*
> that a hash is attacked (and, as discussed, it really is only going to
> trigger on a crafted attack).
>
> Adding mitigations elsewhere such as in the JSON parser can be done *on
> top of* that, since they'll presumably catch the problem before the hash is
> inserted into.
>
> It's the same as if the attack caused an exponential amount of memory
> usage: the engine will bail out as soon as the hard memory limit is
> reached, but extensions can and should detect and avoid scenarios likely to
> cause that.

Nope, the point of Bob's patch is to use graceful handling with an exception
that can be easily checked by the json parser, for example! See
https://github.com/php/php-src/pull/1706

From a quick look, it actually just requires regenerating the parser from the
json ext's point of view.

Cheers

Jakub
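Added example, not code from php-src, from the patch under discussion, or from the PR linked above: a toy chained hash table keyed with DJBX33A (the string hash PHP uses) that stops accepting inserts once a single bucket chain grows past a limit, and reports that through an error code the caller can handle, which is the "graceful handling the json parser can check" side of the thread as opposed to a fatal bailout anywhere in the engine. The table layout, the `MAX_CHAIN` threshold, the `INS_COLLISION_LIMIT` status and the `decode_object` stand-in for json_decode are all assumptions for the demo; the real zend_hash mitigation is not reproduced here. The colliding keys are constructed from the pair "Ez"/"FY", which hash identically under DJBX33A.

```c
/* Added example, not php-src code. Toy chained hash table over DJBX33A
 * with a hypothetical per-chain collision limit that is reported to the
 * caller instead of aborting the process. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS  64
#define MAX_CHAIN 8   /* hypothetical limit chosen for this demo */

enum insert_status { INS_OK = 0, INS_UPDATED = 1, INS_COLLISION_LIMIT = -1, INS_NOMEM = -2 };

typedef struct entry { char *key; long value; struct entry *next; } entry;
typedef struct { entry *buckets[NBUCKETS]; } table;

/* DJBX33A: h = h * 33 + c, starting from 5381 */
static uint64_t djbx33a(const char *s)
{
    uint64_t h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return h;
}

static void table_init(table *t) { memset(t, 0, sizeof *t); }

static void table_free(table *t)
{
    for (size_t i = 0; i < NBUCKETS; i++) {
        entry *e = t->buckets[i];
        while (e) { entry *n = e->next; free(e->key); free(e); e = n; }
    }
}

/* Insert or update; refuse once the target chain already holds MAX_CHAIN
 * entries, a length that only a crafted collision set reaches here. */
static int table_insert(table *t, const char *key, long value)
{
    size_t idx = djbx33a(key) % NBUCKETS, chain = 0;
    for (entry *e = t->buckets[idx]; e; e = e->next) {
        if (strcmp(e->key, key) == 0) { e->value = value; return INS_UPDATED; }
        chain++;
    }
    if (chain >= MAX_CHAIN)
        return INS_COLLISION_LIMIT;
    entry *e = malloc(sizeof *e);
    size_t len = strlen(key) + 1;
    char *k = malloc(len);
    if (!e || !k) { free(e); free(k); return INS_NOMEM; }
    memcpy(k, key, len);
    e->key = k; e->value = value; e->next = t->buckets[idx];
    t->buckets[idx] = e;
    return INS_OK;
}

/* "Ez" and "FY" collide under DJBX33A (69*33+122 == 70*33+89); because the
 * hash is linear, every concatenation of such blocks collides as well.
 * Produces 2^nblocks keys of length 2*nblocks (constructed attack input). */
static size_t make_colliding_keys(char keys[][16], size_t max, int nblocks)
{
    static const char *block[2] = { "Ez", "FY" };
    size_t n = (size_t)1 << nblocks;
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) {
        keys[i][0] = '\0';
        for (int b = 0; b < nblocks; b++)
            strcat(keys[i], block[(i >> b) & 1]);
    }
    return n;
}

/* Stand-in for a JSON object decode: stores the keys, returns how many were
 * stored, or -1 when the table reports the collision limit so the decoder
 * can raise its own error rather than letting the engine bail out. */
static int decode_object(char keys[][16], size_t n)
{
    table t; table_init(&t);
    int stored = 0;
    for (size_t i = 0; i < n; i++) {
        int rc = table_insert(&t, keys[i], (long)i);
        if (rc == INS_COLLISION_LIMIT) { table_free(&t); return -1; }
        if (rc == INS_OK) stored++;
    }
    table_free(&t);
    return stored;
}

static int attack_keys_all_collide(void)
{
    char keys[16][16];
    size_t n = make_colliding_keys(keys, 16, 4);
    for (size_t i = 1; i < n; i++)
        if (djbx33a(keys[i]) != djbx33a(keys[0])) return 0;
    return 1;
}

static int decode_attack_payload(void)
{
    char keys[16][16];
    return decode_object(keys, make_colliding_keys(keys, 16, 4));
}

static int decode_benign_payload(void)
{
    char keys[16][16];
    for (int i = 0; i < 16; i++) snprintf(keys[i], sizeof keys[i], "key%d", i);
    return decode_object(keys, 16);
}

int main(void)
{
    printf("attack keys share one hash: %d\n", attack_keys_all_collide());
    printf("benign payload stored %d keys\n", decode_benign_payload());
    printf("attack payload result: %d (-1 = rejected by the decoder)\n", decode_attack_payload());
    return 0;
}
```

With 16 keys that all land in one bucket, the ninth insert sees a chain of `MAX_CHAIN` entries and the decoder returns -1; the same 16 keys with ordinary names spread across buckets and are all stored. Where the limit is enforced inside the engine the caller cannot intercept a fatal error, which is why the thread argues for an exception or status the json parser can check.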