Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Jakub Zelenka, Rowan Collins
Cc: PHP internals list
Date: Thu, 22 Sep 2016 13:08:35 -0700
Subject: Re: [PHP-DEV] HashDoS

Hi!

> Yeah it introduces new functions for updating hash which is used by json
> for updating array and it's also in std object handler which is used when
> updating json object. For some other bits like updating array, it will stay
> with fatal. The thing is that json parser can then easily check if there
> was an exception and if so, it will set JSON_ERROR_DEPTH and clear it. It
> seems much better though.

I'm not sure why special handling for JSON? JSON is certainly not the only
way user data can be ingested and the problem of hash collision is common
to all these ways.

--
Stas Malyshev
smalyshev@gmail.com
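
An added illustration of the point raised in this message, not code from the PHP patch under discussion: when the collision limit sits in the shared insert path and is returned as an error code, every ingestion path that uses the table is covered, not only a JSON parser. The table layout, the weak hash, the limit of 4 and all names below are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 8
#define MAX_CHAIN 4 /* assumed per-bucket collision limit for this demo */
enum { HT_OK = 0, HT_ERR_COLLISIONS = -1, HT_ERR_NOMEM = -2 };
struct entry { char *key; int val; struct entry *next; };
struct table { struct entry *b[NBUCKETS]; };

/* Constructed sample keys: the first set shares a bucket, the second does not. */
static const char *const COLLIDING[] = {"a1", "a2", "a3", "a4", "a5"};
static const char *const SPREAD[] = {"a", "b", "c", "d", "e"};

/* Deliberately weak hash (first byte only) so the constructed keys collide. */
static unsigned weak_hash(const char *k) { return (unsigned char)k[0] % NBUCKETS; }

/* Shared insert path: counts the chain while searching, refuses past the cap. */
int ht_insert(struct table *t, const char *key, int val)
{
    struct entry **slot = &t->b[weak_hash(key)], *n;
    int chain = 0;
    for (struct entry *e = *slot; e; e = e->next, chain++)
        if (strcmp(e->key, key) == 0) { e->val = val; return HT_OK; }
    if (chain >= MAX_CHAIN) return HT_ERR_COLLISIONS;
    if (!(n = malloc(sizeof *n))) return HT_ERR_NOMEM;
    if (!(n->key = malloc(strlen(key) + 1))) { free(n); return HT_ERR_NOMEM; }
    strcpy(n->key, key);
    n->val = val; n->next = *slot; *slot = n;
    return HT_OK;
}

/* Any ingestion path (parser, form decoder, ...) gets the same error back. */
int run_ingest(const char *const *keys, int n)
{
    struct table t = {{0}};
    int rc = HT_OK;
    for (int i = 0; i < n && rc == HT_OK; i++)
        rc = ht_insert(&t, keys[i], i);
    for (int i = 0; i < NBUCKETS; i++)
        for (struct entry *e = t.b[i], *nx; e; e = nx) {
            nx = e->next; free(e->key); free(e);
        }
    return rc;
}

int main(void)
{
    printf("colliding: %d, spread: %d\n", run_ingest(COLLIDING, 5), run_ingest(SPREAD, 5));
    return 0;
}
```

Each caller decides how to surface the error code, for example as a parse error or a rejected request, without the table needing to know which input format it is serving.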