Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96099
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64680 invoked from network); 22 Sep 2016 19:23:20 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Sep 2016 19:23:20 -0000
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.176 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.217.176 mail-ua0-f176.google.com  
Received: from [209.85.217.176] ([209.85.217.176:36819] helo=mail-ua0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id CA/A0-59356-7AF24E75 for <internals@lists.php.net>; Thu, 22 Sep 2016 15:23:20 -0400
Received: by mail-ua0-f176.google.com with SMTP id 15so9162591uai.3
        for <internals@lists.php.net>; Thu, 22 Sep 2016 12:23:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=1MdLhyPX1ax5CoLcTYvOGxQz1wxtE1HS6b/ZEt3Tebw=;
        b=P2tIKkOls2QmbzUxeXepeLv5azIZtRKS1Sxv++ZsTzPfifZ+awVN0STaGQLRn/ws94
         stQIghoF6vaZm8QAfTC97BU4+qsR6K6MfhO+EMhuITIuSCz4A7C2rDVe68hYOgbzwBxr
         agwOKsz3K4PgYWf0BmftBrlqhEBR5g4aOKtIC81anbJ5Ga5KWAc4O/HDwFA+kmHwCl9/
         pL3o1BiAj9taPZ8MJ7Cza5eC8h6rZOp5VnJr7hQnrisDRHxfO3o4r7dQAkApJ0rvzyOO
         usEToUuPScilAufdOPtaYKOMgOEpUhZQd3AohmNZoO1wo2hNDJgtzlDhPv6GMWMEmQIe
         J4vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=1MdLhyPX1ax5CoLcTYvOGxQz1wxtE1HS6b/ZEt3Tebw=;
        b=Us9iSAspubvlXakGwwpirMdgwfJ8jbdavqy+qIsc5SmevadUrcjqq68MQQ7FRGU8i+
         MF3kiLTn8eQ1zX38SKSmx6gOYJVShoU/Jy6HCeHyS7FQNWBnkOrKM+sOydf8ZggAh/Ut
         dpd+dQK0gYJpx1e+LQfrlcGx5qIMqRDhLsVHXZkXbnCv0JCN9le9NgsyUSVzrpzywtjV
         IZYf3Qx68JdVoG5DJ2JGYQVtHtnlJATNBGCw00R0qCTpWbkcFl4ojIAknEUVteXtMBgB
         USFm8dCffjaNkvIdtVzz4+ntaaYHx9NIWQ/iuqLQqgSPxgS1kardmHdnVkdj0LlnnZLW
         VDeA==
X-Gm-Message-State: AE9vXwO+sMwNStnQ/VpqxW30xvJrtx7HldqNPuW3QAHccAoob+sHmUIQsiYM+jZyl7s3ykguAS+S9c78I8rNdA==
X-Received: by 10.176.2.168 with SMTP id 37mr1148796uah.38.1474572197406; Thu,
 22 Sep 2016 12:23:17 -0700 (PDT)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.31.174.151 with HTTP; Thu, 22 Sep 2016 12:23:16 -0700 (PDT)
In-Reply-To: <CANUQDCjccQd_D_k1STdKd+2=OOkSOwjhL-GBrra5Qt1N0rQLsg@mail.gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <ffc669b5-8764-3879-0c5a-d047d75c9b45@gmail.com> <CAGa2bXYad=5CNKUR4GTR-uB8L1Gb-2CJk5Fiperz5D_CTL+rxw@mail.gmail.com>
 <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <CAGa2bXYNZwKrT=Ei8r1DghGjqOGiMUVPEGY31wYK9Hpt+C9XMQ@mail.gmail.com>
 <CANUQDCjcnFdPyG133z6g0DdRLZjUG=+BRhcv4Es9Z+WeoU-Prg@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com> <CAF+90c9HTpxtY8zeKoOfjdQXTkrVQSw8fb9Ws0-Qs_xmJtttZw@mail.gmail.com>
 <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <CAEKnhAGg829gi7uEBimZqdd-cTvAn4a1HmjDfEoYeLO93_L2wQ@mail.gmail.com>
 <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <CAEKnhAF9XGsLqHU5H9aKDA=jWA5iD1ou8UwOX0=OpAC8tnzXdQ@mail.gmail.com>
 <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <CAEKnhAG50eG4RQSRjoZGFkSF_as1DZN5OrBWadyQG-chHDuVhw@mail.gmail.com>
 <CANUQDCjccQd_D_k1STdKd+2=OOkSOwjhL-GBrra5Qt1N0rQLsg@mail.gmail.com>
Date: Thu, 22 Sep 2016 20:23:16 +0100
X-Google-Sender-Auth: zcKB4hjwKt8P6Ll1-7RHFpAbOQ8
Message-ID: <CAEKnhAG6prXHspzOMpOcddXwrJ2stR2+9qYhZHyTKOU+7KOO6A@mail.gmail.com>
To: Niklas Keller <me@kelunik.com>
Cc: Rowan Collins <rowan.collins@gmail.com>, PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113cda4a05adca053d1d98da
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)

--001a113cda4a05adca053d1d98da
Content-Type: text/plain; charset=UTF-8

On Thu, Sep 22, 2016 at 8:13 PM, Niklas Keller <me@kelunik.com> wrote:

> 2016-09-22 20:10 GMT+02:00 Jakub Zelenka <bukka@php.net>:
>
>> On Thu, Sep 22, 2016 at 10:54 AM, Rowan Collins <rowan.collins@gmail.com>
>> wrote:
>>
>> > On 22/09/2016 10:48, Jakub Zelenka wrote:
>> >
>> >>
>> >> Nope the point of the Bob's patch is to use graceful handling with
>> >> exception that can be easily checked by the json parser for example!
>> See
>> >> https://github.com/php/php-src/pull/1706
>> >>
>> >
>> > Ah, I stand corrected, I hadn't seen that version referenced before.
>> >
>> > Am I right in thinking that the idea here is that if the context is
>> > exception-safe it can opt in to a more graceful handling mechanism? And
>> > that if not, it will go ahead and bail out as in Niki's patch?
>> >
>> >
>> Yeah it introduces new functions for updating hash which is used by json
>> for updating array and it's also in std object handler which is used when
>> updating json object. For some other bits like updating array, it will
>> stay
>> with fatal. The thing is that json parser can then easily check if there
>> was an exception and if so, it will set JSON_ERROR_DEPTH and clear it. It
>> seems much better though.
>
>
> But why JSON_ERROR_DEPTH and not a new constant?
>
>
Yeah I agree and I already suggested it in the PR an hour ago. ;)

https://github.com/php/php-src/pull/1706#discussion_r80102953

Cheers

Jakub

--001a113cda4a05adca053d1d98da--