Newsgroups: php.internals
From: bobwei9@hotmail.com (Bob Weinand)
To: Stanislav Malyshev
CC: PHP internals list
Date: Fri, 23 Sep 2016 11:58:26 +0200
Subject: Re: [PHP-DEV] HashDoS

> On 23.09.2016 at 03:16, Stanislav Malyshev wrote:
>
> Hi!
>
>> The patch is not only targeting JSON. He just used JSON as an example.
>>
>> Every function generating arrays with keys based on user-defined input
>> needs to be updated.
>
> That looks like a very good way to make a lot of mistakes, miss a lot of
> cases and end up playing whack-a-mole with covering all functions. Why
> not just patch zend_hash.c and be done with it?
>
> --
> Stas Malyshev
> smalyshev@gmail.com

Hey,

Note that the implementation is going to fall back to a fatal error if even more collisions are reached. (in the current patch: 1100 instead of 1000)

So, even if we miss some cases with the exceptions, there still will be a safety net for us.

We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals (very bad for e.g. servers written in PHP. When they have to decode some JSON, it's trivial for an attacker to crash them very easily). As that's not an option, we need to use exceptions.

Bob
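The two-tier limit described in this message, sketched as an added example (not code from the patch under discussion or from zend_hash.c): a toy chained table returns a recoverable status at 1000 collisions for call sites that were updated to handle it, and a separate status at 1100 that stands in for the fatal-error safety net at call sites that were missed. Only the two thresholds come from the message; the table layout, the modulo hash, the function names and the status codes are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS   1024u  /* toy table size (assumption) */
#define SOFT_LIMIT 1000u  /* updated call sites: recoverable error (exception) */
#define HARD_LIMIT 1100u  /* everyone else: safety net (fatal error) */

typedef enum { HT_OK, HT_SOFT_LIMIT, HT_HARD_LIMIT, HT_NOMEM } ht_status;
typedef struct node { unsigned long key; int val; struct node *next; } node;
typedef struct { node *buckets[NBUCKETS]; } table;

/* Insert or update. `checked` is 1 for a call site that was updated to handle
 * the soft limit (e.g. a JSON decoder), 0 for one that was missed. */
ht_status ht_insert(table *t, unsigned long key, int val, int checked)
{
    node **head = &t->buckets[key % NBUCKETS];  /* toy hash, not PHP's */
    unsigned walked = 0;
    for (node *n = *head; n; n = n->next) {
        if (n->key == key) { n->val = val; return HT_OK; }
        walked++;  /* one more collision in this bucket */
        if (checked && walked >= SOFT_LIMIT) return HT_SOFT_LIMIT;
        if (walked >= HARD_LIMIT) return HT_HARD_LIMIT;
    }
    node *n = malloc(sizeof *n);
    if (!n) return HT_NOMEM;
    n->key = key; n->val = val; n->next = *head; *head = n;
    return HT_OK;
}

/* Insert `count` keys spaced `stride` apart (constructed input) and return how
 * many were stored before the table refused one. stride == NBUCKETS puts
 * every key in the same bucket. */
unsigned fill(table *t, unsigned count, unsigned long stride, int checked, ht_status *last)
{
    unsigned stored = 0;
    for (*last = HT_OK; stored < count; stored++) {
        *last = ht_insert(t, stored * stride, (int)stored, checked);
        if (*last != HT_OK) break;
    }
    return stored;
}

int main(void)
{
    static table updated, missed;
    ht_status s1, s2;
    unsigned a = fill(&updated, 2000, NBUCKETS, 1, &s1), b = fill(&missed, 2000, NBUCKETS, 0, &s2);
    printf("updated: %u stored (status %d); missed: %u stored (status %d)\n", a, (int)s1, b, (int)s2);
    return 0;
}
```

Both limits also cap the work per insert: the chain walk stops at the threshold instead of traversing the whole bucket.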