Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Bob Weinand
Cc: PHP internals list
Date: Fri, 23 Sep 2016 12:16:57 -0700
Subject: Re: [PHP-DEV] HashDoS

Hi!

> We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals
> (very bad for e.g. servers written in PHP. When they have to decode some

Why very bad?

> JSON, it's trivial for an attacker to crash them very easily). As that's

Fatal error is not crash. It's a normal ending of the request. If the
server cannot tolerate it, how can it deal with memory limits, string
overflows, etc.? There are a lot of things right now that can cause fatal
error.

--
Stas Malyshev
smalyshev@gmail.com