Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:96128 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 82644 invoked from network); 23 Sep 2016 23:08:20 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Sep 2016 23:08:20 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.220 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.220 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.220] ([81.169.146.220:40233] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 67/26-51000-3E5B5E75 for ; Fri, 23 Sep 2016 19:08:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1474672096; l=6504; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To: MIME-Version; bh=4CAIXFassCdrEAaSyMBPFLr1AwI6ZIwfSgUjqZcz9Gg=; b=eT918fgrTFA8ySEkIoLZ3/zK/GhTPIVUM5w2KVP0XOa6z8KJJ4f+FSqaJjjhHhZKbzu ny/FEjs372x0l/bohDxb+tmGwZIO6OvZeuTzQe5jEFZuL6d+LdPS4CU54WGgrT0sFc87e uSCn1xKP7g2z2DgvBJCe9lmoU6SIU/4bA/k= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtOnI6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f51.google.com ([74.125.82.51]) by smtp.strato.de (RZmta 39.3 AUTH) with ESMTPSA id m09fa8s8NN8GAzh (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Sat, 24 Sep 2016 01:08:16 +0200 (CEST) Received: by mail-wm0-f51.google.com with SMTP id l132so54288123wmf.1 for ; Fri, 23 Sep 2016 16:08:16 -0700 (PDT) X-Gm-Message-State: AE9vXwMpgaaBxONNWHGVuJzOiUi3CGZpj80W3cRUdQgeUiin1kDJaZcFDv5aNaMLLkqZQbGqjVB5vouqeHClQw== X-Received: by 10.194.228.98 with SMTP id sh2mr8703598wjc.127.1474672095907; Fri, 23 Sep 2016 16:08:15 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.125.132 with HTTP; Fri, 23 Sep 2016 16:08:14 -0700 (PDT) In-Reply-To: <7426fb32-2eb7-2c65-3cc2-140e16187bb1@gmail.com> References: <9ce33625-2737-9933-7dd1-4f7930bccfac@gmail.com> <9b0fcfa7-f4f8-bac3-5e1e-7e974f217a94@gmail.com> <5acaa405-8b76-ce00-1380-614f2f83b549@gmail.com> <67e0478d-534a-1f8a-6b4c-a95573784001@gmail.com> <7426fb32-2eb7-2c65-3cc2-140e16187bb1@gmail.com> Date: Sat, 24 Sep 2016 01:08:14 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Stanislav Malyshev Cc: Jakub Zelenka , Bob Weinand , PHP internals list Content-Type: multipart/alternative; boundary=001a113466306fdb29053d34da14 Subject: Re: [PHP-DEV] HashDoS From: me@kelunik.com (Niklas Keller) --001a113466306fdb29053d34da14 Content-Type: text/plain; charset=UTF-8 2016-09-24 0:21 GMT+02:00 Stanislav Malyshev : > Hi! > > > I think there is a confusion about the "servers written in PHP". Those > > applications serves more requests in a single (main) PHP request using > > the even loop. Good examples of that are Aerys or ReactPHP. So we don't > > want to kill that main request if one of the handled requests is > > malicious (ideally we just ignore that malicious request and server > others). > > That can't work well. It works really well. > PHP makes a lot of assumptions in short-lived > requests, and assuming the same request lives forever is bound to cause > a lot of issues - from stale objects sitting around to unoptimal memory > use to eventual overflows in all kinds of counters, etc. It's not long running requests. They're just CLI apps. > Why not use > real servers for server work? > Performance. Bootstrapping everything on every request is very, very resource aggressive. > You yourself say you'll have it behind nginx or so - so why not let > nginx do the server part? > You don't have to run it behind Nginx at all. Most often you do it, because you have other (traditional) apps on the same server. > We have several hundred places in PHP where fatal error (E_ERROR or > E_CORE_ERROR) can be produced. None of these should be triggerable by user input if you do it right. > Of course, some of them are compile-time > but not all of them. E.g., various string overflow scenarios can be > triggered by combining or processing strings (such as uncompressing or > decoding various formats). Uncompressing files shouldn't be done in web requests anyway. It's best pushed to a queue and processed by workers then. > If you server relies on proxy to filter out > all fatal error scenarios, I'm afraid it's much harder than it seems. > We don't. > I of course do not propose to make nginx filter JSON data. On the > contrary, I propose when we have clearly malicious DoS attempt (like > string overflow or hash collision overflow) to fail fast instead of > trying to make right and playing whack-a-mole. We have enough fails in > this are already. Again, user input shouldn't be able to trigger unrecoverable fatal errors. Regards, Niklas --001a113466306fdb29053d34da14--