Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96114 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 54264 invoked from network); 23 Sep 2016 19:33:35 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Sep 2016 19:33:35 -0000 Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.49 as permitted sender) X-PHP-List-Original-Sender: jakub.php@gmail.com X-Host-Fingerprint: 209.85.213.49 mail-vk0-f49.google.com Received: from [209.85.213.49] ([209.85.213.49:33213] helo=mail-vk0-f49.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7B/80-51000-E8385E75 for ; Fri, 23 Sep 2016 15:33:34 -0400 Received: by mail-vk0-f49.google.com with SMTP id z126so397746vkd.0 for ; Fri, 23 Sep 2016 12:33:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=W+etGKVrJPx+OLeJ22OguyIFDMaPzNcrsj3jR2/4ze4=; b=kB7FbnooGkPVMonldIDcUu+B8voU3tHYbtS37rbYvEkHVbbJBerM1jtBw2eC9PSKw2 nAtvMfVds7yF3Bs3Sc+mdpWKCovqChp77Comr45ucj5or2a6ReSobGyTSEITdtfyP0VQ aYUgS2Gu6qDqqIXSD7RKzJSGGi+Zg0wlRqG7KUhC6nLp/bQni2q9Tq9rqRZBRJ2KmsYH o28P3eZQN92hfbGlmMVM5cxhlUnTG1IgawTOTr9OnCaf5XYuZnkKSVZqV0EtZkVewl6I 6hz9dfdBXReDlUzOesUWtMpJX/c/uSvhZypmNQWtXQqJMPl3cesdKgYGeU3VMTAMUpOb DXXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=W+etGKVrJPx+OLeJ22OguyIFDMaPzNcrsj3jR2/4ze4=; b=ejejaSUWBWOAQBZbNFu2YDqwMEGsYQBHFWeDSyUewCNjjAQoVeEjZxoGATIAt2LURT veMze0UP96FuL/1jKTKECZaIfvbTqQM6tmsK9tNLJRsNB22LvISVLhodYQA4Tz6W2dNW Qt15lbS1t0G1ozRB2Ye8YPJVwohG8EPnxeblUf+1Rr7ef+i5Fa/3V1uWKQo5F0qjadwo Hv9+yXKuU8s5h+rISD4QL3mxbAgNDq77jatcRUrSJKnN/VE9Oby3myZ2kiIb8LGjeToX 8WguqmGX3XAcB2Gb7OfMOLlGx1UuoLRVUQuanigYIBqyC+grQxD4iGMLD5+vJLNToKb8 MO1Q== X-Gm-Message-State: AA6/9RmT1dtfrQ+/cg4LcrQ3GqXgvY1M1jVJckm0EIkNlJ9lcK1FuufqefqRhdP67Oct3X4uX0xY3ex/bMaYfw== X-Received: by 10.31.3.104 with SMTP id 101mr58186vkd.116.1474659211684; Fri, 23 Sep 2016 12:33:31 -0700 (PDT) MIME-Version: 1.0 Sender: jakub.php@gmail.com Received: by 10.31.174.151 with HTTP; Fri, 23 Sep 2016 12:33:30 -0700 (PDT) In-Reply-To: References: <40868951-8BDA-4860-884C-B8252C1839E3@gmail.com> <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> Date: Fri, 23 Sep 2016 20:33:30 +0100 X-Google-Sender-Auth: mcdRgO0kyLjTq1DB4vxQf0uEL2o Message-ID: To: Stanislav Malyshev Cc: Bob Weinand , PHP internals list Content-Type: multipart/alternative; boundary=001a11426c5e7a30ed053d31da67 Subject: Re: [PHP-DEV] HashDoS From: bukka@php.net (Jakub Zelenka) --001a11426c5e7a30ed053d31da67 Content-Type: text/plain; charset=UTF-8 Hi, On Fri, Sep 23, 2016 at 8:16 PM, Stanislav Malyshev wrote: > Hi! > > > We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals > > (very bad for e.g. servers written in PHP. When they have to decode some > > Why very bad? > > > JSON, it's trivial for an attacker to crash them very easily). As that's > > Fatal error is not crash. It's a normal ending of the request, of the > server can not tolerate it, how can it deal with memory limits, string > overflows, etc.? There's a lot of things right now that can cause fatal > error. > > That's exactly what we don't want - let the attacker to end our request. All other things like string overflows and memory limits are under our control (e.g. we can set limit on the server and reject such requests) but this isn't. Cheers Jakub --001a11426c5e7a30ed053d31da67--