Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96100
Return-Path: <geggleto@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 66691 invoked from network); 22 Sep 2016 19:33:18 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Sep 2016 19:33:18 -0000
Authentication-Results: pb1.pair.com header.from=geggleto@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=geggleto@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.45 as permitted sender)
X-PHP-List-Original-Sender: geggleto@gmail.com
X-Host-Fingerprint: 209.85.215.45 mail-lf0-f45.google.com  
Received: from [209.85.215.45] ([209.85.215.45:34147] helo=mail-lf0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E9/01-59356-DF134E75 for <internals@lists.php.net>; Thu, 22 Sep 2016 15:33:18 -0400
Received: by mail-lf0-f45.google.com with SMTP id y6so77243962lff.1
        for <internals@lists.php.net>; Thu, 22 Sep 2016 12:33:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=3wwYcPaKY5uOeKMC7KUPOCcOlodh7AePFGdW4pUM76A=;
        b=rmGHQzzO9DdHjfZ5QlbfUNyOzwBMx0+Ok4API0sgS1GbtmSUNhBe71mczNZoc+yK6D
         1IaYuDfNc4Vtu+Ho4aDV5WvN3BTuEF+pWfrRuwUumqjmUMpW4AjF11b7mfe74/HSsih3
         oY6BZcb+oEWfwJ1GZZVa7ldW2tNcXuE1KwbIIOF9flh9DTXjGSaULTKjnYg16TB5q5Su
         1nGiYYHAaYKJNrMGFw1eJWeGyYkRqoDn1vz07ZOfyy2jgipLzrCdPvuPVq/VFYmi0cIu
         SbfZX1kmsDePdML+VAFy/bwfP8OOcspxBQElj5ufoCGvsNwJxgfR1CVfCje7TFusbSNr
         DQYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=3wwYcPaKY5uOeKMC7KUPOCcOlodh7AePFGdW4pUM76A=;
        b=AISXyGfG4RC8x8IqfJKYPhInz8Tys2UZW0dMkDYyZjNq/gcmBGGj1qEfxjx5suTHRQ
         91uOWmyHj6Yn60yoJRLymoshxoIwUfGXcZGUv2YYm2uxtCLwyHGbSTj6iKuWNXi/ZABi
         rg09/4LMZx8VknhYaneOPEjsmpW9ey5vqxI0j6pKlIJ3j0p2C1PfuKDnsLy/ZcFL/30m
         uNDyaQFt21pTqyKy9AgGKyDA28PCctpvB3WwDeg1HULf49Nmn16oN1ui3O1uHUnKaRpc
         VJ84cPhOtx4d7zi6m+CEKuBhFGeReDS2OIOhEqHWb7Ohn896ULTWYZJ6VG3PVwe0vO9m
         C/iQ==
X-Gm-Message-State: AE9vXwOx4J9lAg7Rmyi5irBV9krkEN89C+qsSod7jRIOIBuLGl9d2poNdsXuqazpNjDlf5cqE5t7d4RrbMNZuQ==
X-Received: by 10.46.32.158 with SMTP id g30mr1420716lji.31.1474572794475;
 Thu, 22 Sep 2016 12:33:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.158.2 with HTTP; Thu, 22 Sep 2016 12:33:13 -0700 (PDT)
In-Reply-To: <CAEKnhAG6prXHspzOMpOcddXwrJ2stR2+9qYhZHyTKOU+7KOO6A@mail.gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <ffc669b5-8764-3879-0c5a-d047d75c9b45@gmail.com> <CAGa2bXYad=5CNKUR4GTR-uB8L1Gb-2CJk5Fiperz5D_CTL+rxw@mail.gmail.com>
 <9522ebc9-8d8b-045e-b701-02f1166063e6@gmail.com> <CAGa2bXYNZwKrT=Ei8r1DghGjqOGiMUVPEGY31wYK9Hpt+C9XMQ@mail.gmail.com>
 <CANUQDCjcnFdPyG133z6g0DdRLZjUG=+BRhcv4Es9Z+WeoU-Prg@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com> <CAF+90c9HTpxtY8zeKoOfjdQXTkrVQSw8fb9Ws0-Qs_xmJtttZw@mail.gmail.com>
 <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <CAEKnhAGg829gi7uEBimZqdd-cTvAn4a1HmjDfEoYeLO93_L2wQ@mail.gmail.com>
 <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <CAEKnhAF9XGsLqHU5H9aKDA=jWA5iD1ou8UwOX0=OpAC8tnzXdQ@mail.gmail.com>
 <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <CAEKnhAG50eG4RQSRjoZGFkSF_as1DZN5OrBWadyQG-chHDuVhw@mail.gmail.com>
 <CANUQDCjccQd_D_k1STdKd+2=OOkSOwjhL-GBrra5Qt1N0rQLsg@mail.gmail.com> <CAEKnhAG6prXHspzOMpOcddXwrJ2stR2+9qYhZHyTKOU+7KOO6A@mail.gmail.com>
Date: Thu, 22 Sep 2016 15:33:13 -0400
Message-ID: <CAFGtT7bWK_9p5veP8BKoj_==UjRijrgiJ3BAO8u5R9BLdJE_9A@mail.gmail.com>
To: Jakub Zelenka <bukka@php.net>
Cc: Niklas Keller <me@kelunik.com>, Rowan Collins <rowan.collins@gmail.com>, 
	PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a1142aaa89c394b053d1dbba6
Subject: Re: [PHP-DEV] HashDoS
From: geggleto@gmail.com (Glenn Eggleton)

--001a1142aaa89c394b053d1dbba6
Content-Type: text/plain; charset=UTF-8

Is the XML api also affected by hashdos?

cheers, glenn

On Thursday, 22 September 2016, Jakub Zelenka <bukka@php.net> wrote:

> On Thu, Sep 22, 2016 at 8:13 PM, Niklas Keller <me@kelunik.com
> <javascript:;>> wrote:
>
> > 2016-09-22 20:10 GMT+02:00 Jakub Zelenka <bukka@php.net <javascript:;>>:
> >
> >> On Thu, Sep 22, 2016 at 10:54 AM, Rowan Collins <
> rowan.collins@gmail.com <javascript:;>>
> >> wrote:
> >>
> >> > On 22/09/2016 10:48, Jakub Zelenka wrote:
> >> >
> >> >>
> >> >> Nope the point of the Bob's patch is to use graceful handling with
> >> >> exception that can be easily checked by the json parser for example!
> >> See
> >> >> https://github.com/php/php-src/pull/1706
> >> >>
> >> >
> >> > Ah, I stand corrected, I hadn't seen that version referenced before.
> >> >
> >> > Am I right in thinking that the idea here is that if the context is
> >> > exception-safe it can opt in to a more graceful handling mechanism?
> And
> >> > that if not, it will go ahead and bail out as in Niki's patch?
> >> >
> >> >
> >> Yeah it introduces new functions for updating hash which is used by json
> >> for updating array and it's also in std object handler which is used
> when
> >> updating json object. For some other bits like updating array, it will
> >> stay
> >> with fatal. The thing is that json parser can then easily check if there
> >> was an exception and if so, it will set JSON_ERROR_DEPTH and clear it.
> It
> >> seems much better though.
> >
> >
> > But why JSON_ERROR_DEPTH and not a new constant?
> >
> >
> Yeah I agree and I already suggested it in the PR an hour ago. ;)
>
> https://github.com/php/php-src/pull/1706#discussion_r80102953
>
> Cheers
>
> Jakub
>

--001a1142aaa89c394b053d1dbba6--