Newsgroups: php.internals
Date: Thu, 22 Sep 2016 19:10:26 +0100
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)
To: Rowan Collins
Cc: PHP internals list

On Thu, Sep 22, 2016 at 10:54 AM, Rowan Collins wrote:

> On 22/09/2016 10:48, Jakub Zelenka wrote:
>
>> Nope the point of the Bob's patch is to use graceful handling with
>> exception that can be easily checked by the json parser for example! See
>> https://github.com/php/php-src/pull/1706
>
> Ah, I stand corrected, I hadn't seen that version referenced before.
>
> Am I right in thinking that the idea here is that if the context is
> exception-safe it can opt in to a more graceful handling mechanism? And
> that if not, it will go ahead and bail out as in Niki's patch?

Yeah it introduces new functions for updating hash which is used by json for updating array and it's also in std object handler which is used when updating json object. For some other bits like updating array, it will stay with fatal. The thing is that json parser can then easily check if there was an exception and if so, it will set JSON_ERROR_DEPTH and clear it. It seems much better though.

Cheers

Jakub
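
An added illustration of the pattern described in this message (not code from the original post or from php-src): an insert that reports an over-long collision chain to its caller, and a toy parser that turns that report into an error result instead of aborting. Return codes stand in for the exception; the table layout, the function names and the limit of 4 are hypothetical.

```c
/* Added illustration, not php-src code: all names and limits are hypothetical. */
#include <stddef.h>
#include <stdlib.h>

#define NBUCKETS 8        /* toy table size (power of two) */
#define MAX_COLLISIONS 4  /* constructed limit, not the value from the patch */

enum { INS_OK = 0, INS_COLLISION_LIMIT = -1, INS_NOMEM = -2 };
enum { PARSE_OK = 0, PARSE_ERROR_DEPTH = 1 }; /* stand-in for JSON_ERROR_DEPTH */

struct node { unsigned long key; struct node *next; };
struct table { struct node *buckets[NBUCKETS]; };

/* Checked insert: reports an over-long chain to the caller instead of
 * aborting, playing the role of the exception-throwing update functions. */
int table_insert_checked(struct table *t, unsigned long key) {
    struct node **slot = &t->buckets[key & (NBUCKETS - 1)];
    int walked = 0;
    for (struct node *n = *slot; n != NULL; n = n->next) {
        if (n->key == key) return INS_OK;            /* key already stored */
        if (++walked > MAX_COLLISIONS) return INS_COLLISION_LIMIT;
    }
    struct node *fresh = malloc(sizeof *fresh);
    if (fresh == NULL) return INS_NOMEM;
    fresh->key = key;
    fresh->next = *slot;
    *slot = fresh;
    return INS_OK;
}

void table_free(struct table *t) {
    for (size_t i = 0; i < NBUCKETS; i++)
        while (t->buckets[i] != NULL) {
            struct node *dead = t->buckets[i];
            t->buckets[i] = dead->next;
            free(dead);
        }
}

/* Toy "parser": stores each key; a failed insert becomes a parse error and
 * the partial result is discarded, so the calling program keeps running. */
int parse_keys(const unsigned long *keys, size_t count) {
    struct table t = {{0}};
    int rc = PARSE_OK;
    for (size_t i = 0; i < count && rc == PARSE_OK; i++)
        if (table_insert_checked(&t, keys[i]) != INS_OK) rc = PARSE_ERROR_DEPTH;
    table_free(&t);
    return rc;
}
```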