Hey,
some time ago we had a discussion about HashDoS protection, initiated by Nikita. There was just one major flaw: it still allowed crashing background processes (fatal error) with no chance to intercept this.
Hence, an exception is thrown instead in array functions, or, in the case of parse_str and json_decode, the function properly fails.
There still is a path reaching the fatal error, but it should never be reached under normal operation via external input, and if it does, then it should be fixed too.
The pull request is found at https://github.com/php/php-src/pull/1706
This hopefully should eliminate this DoS vector completely.
Bob