Newsgroups: php.internals
Xref: news.php.net php.internals:96100
Date: Thu, 22 Sep 2016 15:33:13 -0400
To: Jakub Zelenka
Cc: Niklas Keller, Rowan Collins, PHP internals list
Subject: Re: [PHP-DEV] HashDoS
From: geggleto@gmail.com (Glenn Eggleton)

Is the XML api also affected by hashdos?

cheers,
glenn

On Thursday, 22 September 2016, Jakub Zelenka wrote:

> On Thu, Sep 22, 2016 at 8:13 PM, Niklas Keller wrote:
>
> > 2016-09-22 20:10 GMT+02:00 Jakub Zelenka:
> >
> >> On Thu, Sep 22, 2016 at 10:54 AM, Rowan Collins <rowan.collins@gmail.com> wrote:
> >>
> >> > On 22/09/2016 10:48, Jakub Zelenka wrote:
> >> >
> >> >> Nope the point of the Bob's patch is to use graceful handling with
> >> >> exception that can be easily checked by the json parser for example! See
> >> >> https://github.com/php/php-src/pull/1706
> >> >
> >> > Ah, I stand corrected, I hadn't seen that version referenced before.
> >> >
> >> > Am I right in thinking that the idea here is that if the context is
> >> > exception-safe it can opt in to a more graceful handling mechanism? And
> >> > that if not, it will go ahead and bail out as in Niki's patch?
> >>
> >> Yeah it introduces new functions for updating hash which is used by json
> >> for updating array and it's also in std object handler which is used when
> >> updating json object. For some other bits like updating array, it will stay
> >> with fatal. The thing is that json parser can then easily check if there
> >> was an exception and if so, it will set JSON_ERROR_DEPTH and clear it. It
> >> seems much better though.
> >
> > But why JSON_ERROR_DEPTH and not a new constant?
>
> Yeah I agree and I already suggested it in the PR an hour ago. ;)
>
> https://github.com/php/php-src/pull/1706#discussion_r80102953
>
> Cheers
>
> Jakub