Newsgroups: php.internals
Date: Thu, 22 Sep 2016 23:34:45 +0200
From: bobwei9@hotmail.com (Bob Weinand)
To: Stanislav Malyshev
CC: PHP internals list
Subject: Re: [PHP-DEV] HashDoS

> On 22.9.2016 at 22:08, Stanislav Malyshev wrote:
>
> Hi!
>
>> Yeah it introduces new functions for updating hash which is used by json
>> for updating array and it's also in std object handler which is used when
>> updating json object. For some other bits like updating array, it will stay
>> with fatal. The thing is that json parser can then easily check if there
>> was an exception and if so, it will set JSON_ERROR_DEPTH and clear it. It
>> seems much better though.
>
> I'm not sure why special handling for JSON? JSON is certainly not the
> only way user data can be ingested and the problem of hash collision is
> common to all these ways.
>
> --
> Stas Malyshev
> smalyshev@gmail.com

The patch is not only targeting JSON. He just used JSON as an example.
Every function generating arrays with keys based on user-defined input needs to be updated.

I’m going to update the patch soon and will notify you then.

Bob
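
The pattern discussed in this thread, shown as an added example that is not part of the original message and is not code from the PHP patch: a hash update that fails once a bucket chain is walked past a limit, and an ingest routine that turns that failure into an error code instead of aborting. The table layout, the modulo hash, the limit `MAX_COLLISIONS`, the way collisions are counted, and all function names are assumptions made for illustration; the sample keys are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 8        /* tiny table so the constructed keys collide */
#define MAX_COLLISIONS 4  /* assumed limit; the thread does not state one */
enum { INGEST_OK = 0, INGEST_ERR_COLLISIONS = 1 };

typedef struct node { unsigned long key; int val; struct node *next; } node;
typedef struct { node *b[NBUCKETS]; } table;

/* Insert or update. Returns -1 when the chain walk exceeds the limit;
 * this stands in for the exception mentioned in the quoted message. */
static int table_update(table *t, unsigned long key, int val) {
    node **pp = &t->b[key % NBUCKETS];
    int walked = 0;
    for (; *pp; pp = &(*pp)->next) {
        if ((*pp)->key == key) { (*pp)->val = val; return 0; }
        if (++walked > MAX_COLLISIONS) return -1;
    }
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->key = key; n->val = val; n->next = NULL;
    *pp = n;
    return 0;
}

static void table_free(table *t) {
    for (int i = 0; i < NBUCKETS; i++)
        for (node *n = t->b[i], *nx; n; n = nx) { nx = n->next; free(n); }
}

/* Ingest caller: reports a failed update as an error code and stops,
 * the role the quoted message gives to the JSON parser. */
static int ingest_keys(const unsigned long *keys, int n) {
    table t = {0};
    int rc = INGEST_OK;
    for (int i = 0; i < n && rc == INGEST_OK; i++)
        if (table_update(&t, keys[i], i) != 0) rc = INGEST_ERR_COLLISIONS;
    table_free(&t);
    return rc;
}

int main(void) {
    unsigned long spread[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};  /* constructed */
    unsigned long same_bucket[] = {0, 8, 16, 24, 32, 40, 48};  /* constructed */
    printf("spread: %d\n", ingest_keys(spread, 10));
    printf("same bucket: %d\n", ingest_keys(same_bucket, 7));
    return 0;
}
```

Any other routine that builds a table from user-supplied keys would call `table_update` the same way and map the failure to its own error reporting.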