Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96116 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 57513 invoked from network); 23 Sep 2016 19:47:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Sep 2016 19:47:55 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.174 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.192.174 mail-pf0-f174.google.com Received: from [209.85.192.174] ([209.85.192.174:36335] helo=mail-pf0-f174.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4F/31-51000-AE685E75 for ; Fri, 23 Sep 2016 15:47:54 -0400 Received: by mail-pf0-f174.google.com with SMTP id q2so44926106pfj.3 for ; Fri, 23 Sep 2016 12:47:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=opwR/4U5F4vE+JRJk35XYmd3F1VjEVMz89CXdpgplVE=; b=BfXdaa1GokCJ29KbkYd+tG3l8tY076+rofQ6mWt6jq1w2nTmOg1FJ3gAnbP4XIHX9l FLaxJ2CXBDWfE0zTHc21pODY/0iXw5777obif4oN4Ck44CxWJzXsDfZD8X3W1eWN8hD+ fipfA0jJTA82xxh88h5Hp5jFjYuEQiRpBgyTgkmRRSg59FAKsa7DFMHMN9Lnh2z8pE5x Ykb1P03+0kXrDIDICEcwIR9SmrT8ZmMiVAwVufU1km4pCzKknFiJob0f7VgNkFnFhEzF U9denlYavyf/rd0TExkse1bFkKxdaheeymyZfiotgdNA9xo0ogJaOtSPSoWbgwucmDzK 6xNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=opwR/4U5F4vE+JRJk35XYmd3F1VjEVMz89CXdpgplVE=; b=TFFnJnN4Dd2t9tNhMipbmnoP9svqdOX9bZtwVTWhCatVROKcy6nsY5v8N6NeVxst00 CtlcpOXdwW4PhGIgUeArSqp66uB3WGnHl/m5UVLUAlJuJGhsw895YYywXsjRrufvXEVs eWL7zQdSljMjvCm5/INDRofQCxSoeZWabVmJWMd/CMA1Kzj7DMysMLnH+DrIAFOfcAUe K3iGXpnSaunm12MJUX8Sr4qi9m72Hp0upsx9RZl7rAuEoBi29cePG9Z2dHUdPaOdw8Ja NgNBIj6zGpDWNSllhOvXnEwzRuukuaHcVUXwpIwHeoWRLMFGT5splRrnkPYAqLoT/G5I 6gug== X-Gm-Message-State: AE9vXwOzTibjfKz95/fCTK0tT1ycgIDPxSQdMCgxz2ycmhttI6QSxLEfayEfA139cFdVtw== X-Received: by 10.98.15.210 with SMTP id 79mr15339512pfp.183.1474660072171; Fri, 23 Sep 2016 12:47:52 -0700 (PDT) Received: from [192.168.2.102] (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104]) by smtp.gmail.com with ESMTPSA id y190sm7196955pfg.39.2016.09.23.12.47.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 23 Sep 2016 12:47:51 -0700 (PDT) To: Jakub Zelenka References: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> Cc: Bob Weinand , PHP internals list Message-ID: <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com> Date: Fri, 23 Sep 2016 12:47:50 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] HashDoS From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > That's exactly what we don't want - let the attacker to end our request. Why not? What else you can do with this request that has clearly bad and maliciously constructed data? > All other things like string overflows and memory limits are under our > control (e.g. we can set limit on the server and reject such requests) Not sure I understand what you mean. How exactly memory limits are under your control? If somebody sends a request that blows up your memory limit, how you control it? In fact, if somebody sends, say, a POST that goes above your post limit - how you handle it without terminating the request? -- Stas Malyshev smalyshev@gmail.com