Hi: I have a new idea, which is simple and also works for Jason/serialized etc.
That is Restricting a max length of a buckets list in a hash table. If a bucket's length exceed 1024, any insertion into this bucket will return failure and a warning will be generated. What do you think? Sent from my iPhone 在 2012-1-9,23:42,Pierre Joye <pierre....@gmail.com> 写道: > hi, > > Moving this discussion here as it makes little to non sense to discuss > that any longer on security@ > > We are now very late behind an acceptable delay to provide a fix for > the hash DoS, to say it nicely. > > I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final > this week using the max_input_vars fix, with the modification from > Laruence (but with a larger limit). Laruence addition also fixes > serialize or json, which are parts that need this fix as well as it is > impossible to valid a string manually (length check only is not enough > or cannot work in all cases). > > But 1st of all, the fix addition has to be applied and fully tested. > But if the addition is not desired yet, then we must at least release > 5.3.9 with Dmitry's fix only and we can fix json&serialize later, > ideally within 2 weeks max. > > Cheers, > -- > Pierre > > @pierrejoye | http://blog.thepimp.net | http://www.libgd.org -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php