Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96114
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 54264 invoked from network); 23 Sep 2016 19:33:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Sep 2016 19:33:35 -0000
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.49 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.213.49 mail-vk0-f49.google.com  
Received: from [209.85.213.49] ([209.85.213.49:33213] helo=mail-vk0-f49.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 7B/80-51000-E8385E75 for <internals@lists.php.net>; Fri, 23 Sep 2016 15:33:34 -0400
Received: by mail-vk0-f49.google.com with SMTP id z126so397746vkd.0
        for <internals@lists.php.net>; Fri, 23 Sep 2016 12:33:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=W+etGKVrJPx+OLeJ22OguyIFDMaPzNcrsj3jR2/4ze4=;
        b=kB7FbnooGkPVMonldIDcUu+B8voU3tHYbtS37rbYvEkHVbbJBerM1jtBw2eC9PSKw2
         nAtvMfVds7yF3Bs3Sc+mdpWKCovqChp77Comr45ucj5or2a6ReSobGyTSEITdtfyP0VQ
         aYUgS2Gu6qDqqIXSD7RKzJSGGi+Zg0wlRqG7KUhC6nLp/bQni2q9Tq9rqRZBRJ2KmsYH
         o28P3eZQN92hfbGlmMVM5cxhlUnTG1IgawTOTr9OnCaf5XYuZnkKSVZqV0EtZkVewl6I
         6hz9dfdBXReDlUzOesUWtMpJX/c/uSvhZypmNQWtXQqJMPl3cesdKgYGeU3VMTAMUpOb
         DXXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=W+etGKVrJPx+OLeJ22OguyIFDMaPzNcrsj3jR2/4ze4=;
        b=ejejaSUWBWOAQBZbNFu2YDqwMEGsYQBHFWeDSyUewCNjjAQoVeEjZxoGATIAt2LURT
         veMze0UP96FuL/1jKTKECZaIfvbTqQM6tmsK9tNLJRsNB22LvISVLhodYQA4Tz6W2dNW
         Qt15lbS1t0G1ozRB2Ye8YPJVwohG8EPnxeblUf+1Rr7ef+i5Fa/3V1uWKQo5F0qjadwo
         Hv9+yXKuU8s5h+rISD4QL3mxbAgNDq77jatcRUrSJKnN/VE9Oby3myZ2kiIb8LGjeToX
         8WguqmGX3XAcB2Gb7OfMOLlGx1UuoLRVUQuanigYIBqyC+grQxD4iGMLD5+vJLNToKb8
         MO1Q==
X-Gm-Message-State: AA6/9RmT1dtfrQ+/cg4LcrQ3GqXgvY1M1jVJckm0EIkNlJ9lcK1FuufqefqRhdP67Oct3X4uX0xY3ex/bMaYfw==
X-Received: by 10.31.3.104 with SMTP id 101mr58186vkd.116.1474659211684; Fri,
 23 Sep 2016 12:33:31 -0700 (PDT)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.31.174.151 with HTTP; Fri, 23 Sep 2016 12:33:30 -0700 (PDT)
In-Reply-To: <b653d6cd-1c3a-f531-4e4f-ccebeefbd3c3@gmail.com>
References: <CAKws9z2EWkNNhM7tOMh-_pQ3iLjVj7hbXTB1Hh3a19utPzj-9A@mail.gmail.com>
 <CAFGtT7Zd3+iRuaJtwpML3hO6Kbdu7YtnNOE14zvA78E=QiNprg@mail.gmail.com>
 <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <d2080444-9a17-b3db-89fa-c383155a5756@thefsb.org>
 <CAF+90c-uFg9A2f1SVYTNgjQuFX5PkenrtXd8kf37cYoG0EfgEw@mail.gmail.com>
 <edeb9734-a3d4-bd96-f57c-fa1687473e1b@gmail.com> <CAF+90c9HTpxtY8zeKoOfjdQXTkrVQSw8fb9Ws0-Qs_xmJtttZw@mail.gmail.com>
 <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <CAEKnhAGg829gi7uEBimZqdd-cTvAn4a1HmjDfEoYeLO93_L2wQ@mail.gmail.com>
 <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <CAEKnhAF9XGsLqHU5H9aKDA=jWA5iD1ou8UwOX0=OpAC8tnzXdQ@mail.gmail.com>
 <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <CAEKnhAG50eG4RQSRjoZGFkSF_as1DZN5OrBWadyQG-chHDuVhw@mail.gmail.com>
 <d430f3ce-38fe-bfd8-95a0-d78132f9985d@gmail.com> <BLU437-SMTP86FE3BC2E445E56074B889E2C90@phx.gbl>
 <e176001f-0ab7-6d6c-adfe-8d4a31f1337b@gmail.com> <BLU437-SMTP5652D9C5B9D2AC92E4505DE2C80@phx.gbl>
 <b653d6cd-1c3a-f531-4e4f-ccebeefbd3c3@gmail.com>
Date: Fri, 23 Sep 2016 20:33:30 +0100
X-Google-Sender-Auth: mcdRgO0kyLjTq1DB4vxQf0uEL2o
Message-ID: <CAEKnhAHM4k4w2g0cxiNM-RH=_mvWjm8a-m7jdCL63SEvjRYQsg@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: Bob Weinand <bobwei9@hotmail.com>, PHP internals list <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11426c5e7a30ed053d31da67
Subject: Re: [PHP-DEV] HashDoS
From: bukka@php.net (Jakub Zelenka)

--001a11426c5e7a30ed053d31da67
Content-Type: text/plain; charset=UTF-8

Hi,

On Fri, Sep 23, 2016 at 8:16 PM, Stanislav Malyshev <smalyshev@gmail.com>
wrote:

> Hi!
>
> > We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals
> > (very bad for e.g. servers written in PHP. When they have to decode some
>
> Why very bad?
>
> > JSON, it's trivial for an attacker to crash them very easily). As that's
>
> Fatal error is not crash. It's a normal ending of the request, of the
> server can not tolerate it, how can it deal with memory limits, string
> overflows, etc.? There's a lot of things right now that can cause fatal
> error.
>
>
That's exactly what we don't want - let the attacker to end our request.
All other things like string overflows and memory limits are under our
control (e.g. we can set limit on the server and reject such requests) but
this isn't.

Cheers

Jakub

--001a11426c5e7a30ed053d31da67--