2012/1/10 Xinchen Hui <larue...@gmail.com>
> On Tue, Jan 10, 2012 at 12:57 AM, Pierre Joye <pierre....@gmail.com> wrote:
> > hi,
> >
> > No time for new ideas yet. We cannot afford to implement, test and
> > validate new propositions and provide a fix as soon as possible (read: in
> > the next days).
> >
> > What's the status of your patch? The max input var one, not the random
> > (or derived version), can you post it in this thread again for the
> > record please?
> Hi, FYI
>
> thanks
> >
> > If not, we will go final with the current fix in 5.3.
> >
> > On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui <larue...@gmail.com> wrote:
> >> Hi:
> >> I have a new idea, which is simple and also works for
> >> JSON/serialized etc.
> >>
> >> That is, restricting a max length of a bucket's list in a hash table.
> >>
> >> If a bucket's length exceeds 1024, any insertion into this bucket
> >> will return failure and a warning will be generated.
> >>
> >> What do you think?
> >>
> >> Sent from my iPhone
> >>
> >> On 2012-1-9, 23:42, Pierre Joye <pierre....@gmail.com> wrote:
> >>
> >>> hi,
> >>>
> >>> Moving this discussion here as it makes little to no sense to discuss
> >>> that any longer on security@
> >>>
> >>> We are now far behind an acceptable delay to provide a fix for
> >>> the hash DoS, to say it nicely.
> >>>
> >>> I'd strongly suggest releasing 5.3.9 (RC5 has been tested now) final
> >>> this week using the max_input_vars fix, with the modification from
> >>> Laruence (but with a larger limit). Laruence's addition also fixes
> >>> serialize or json, which are parts that need this fix as well, as it is
> >>> impossible to validate a string manually (a length check only is not enough
> >>> or cannot work in all cases).
> >>>
> >>> But 1st of all, the fix addition has to be applied and fully tested.
> >>> But if the addition is not desired yet, then we must at least release
> >>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
> >>> ideally within 2 weeks max.
> >>>
> >>> Cheers,
> >>> --
> >>> Pierre
> >>>
> >>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
> >
> > --
> > Pierre
> >
> > @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
> --
> 惠新宸 laruence
> Senior PHP Engineer
> http://www.laruence.com
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
Why not double hashing (http://en.wikipedia.org/wiki/Double_hashing), something like John Crenshaw proposed?

Julien
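The bucket-chain cap that Laruence proposes above, shown as an added example that is not PHP's zend_hash code nor his patch: a minimal chained hash table in C whose insert refuses to grow a chain beyond a fixed length (the point where PHP would also emit a warning). The multiply-by-33 string hash, the 64-slot table, the cap of 8 rather than 1024, and every function name are assumptions made for illustration; the fact that "Ez" and "FY" (and any concatenation of such blocks) hash identically is a property of that hash shape, and it is what an attacker uses to drive every key into one chain. The `comparisons` counter shows what the cap buys: each colliding insert costs as many key compares as the chain is long, so without a cap the cost is quadratic in the number of keys, with the cap it is bounded at the cap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE    64   /* bucket heads (assumption: small, for the demo) */
#define MAX_CHAIN_LEN  8   /* the thread proposes 1024; 8 keeps the demo short */

struct entry {
    char *key;
    struct entry *next;
};

struct table {
    struct entry *heads[TABLE_SIZE];
    unsigned long comparisons;   /* key compares done by inserts: the attacker's cost lever */
};

/* Multiply-by-33 string hash (DJBX33A shape). "Ez" and "FY" hash identically,
 * and so does every concatenation of such two-byte blocks. */
unsigned long djbx33a(const char *s)
{
    unsigned long h = 5381;
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

void table_init(struct table *t)
{
    memset(t, 0, sizeof *t);
}

void table_free(struct table *t)
{
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct entry *e = t->heads[i];
        while (e) {
            struct entry *next = e->next;
            free(e->key);
            free(e);
            e = next;
        }
        t->heads[i] = NULL;
    }
}

/* Insert with the proposed cap. Returns 1 when inserted, 0 when the key was
 * already present, -1 when the chain is already MAX_CHAIN_LEN long (where
 * PHP would raise a warning and refuse the insert). */
int table_insert(struct table *t, const char *key)
{
    unsigned long idx = djbx33a(key) % TABLE_SIZE;
    size_t chain_len = 0;

    for (struct entry *e = t->heads[idx]; e; e = e->next) {
        t->comparisons++;
        if (strcmp(e->key, key) == 0)
            return 0;
        chain_len++;
    }
    if (chain_len >= MAX_CHAIN_LEN)
        return -1;

    struct entry *e = malloc(sizeof *e);
    size_t len = strlen(key) + 1;
    e->key = malloc(len);
    memcpy(e->key, key, len);
    e->next = t->heads[idx];        /* push onto the chain head */
    t->heads[idx] = e;
    return 1;
}

/* Build the i-th of 2^blocks mutually colliding keys: bit j of i picks "Ez"
 * or "FY" for block j. out must hold 2*blocks + 1 bytes. */
void make_colliding_key(unsigned i, int blocks, char *out)
{
    for (int j = 0; j < blocks; j++) {
        const char *piece = ((i >> j) & 1) ? "FY" : "Ez";
        out[2 * j] = piece[0];
        out[2 * j + 1] = piece[1];
    }
    out[2 * blocks] = '\0';
}

/* Flood one bucket with 2^blocks colliding keys (constructed input); returns
 * how many inserts the cap rejected, or -1 for an unsupported block count. */
int flood(struct table *t, int blocks)
{
    char key[64];
    int rejected = 0;

    if (blocks < 1 || blocks > 31)
        return -1;
    for (unsigned i = 0; i < (1u << blocks); i++) {
        make_colliding_key(i, blocks, key);
        if (table_insert(t, key) < 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    struct table t;
    table_init(&t);
    int rejected = flood(&t, 4);     /* 16 keys that all land in one bucket */
    printf("rejected %d of 16 colliding inserts, %lu key compares so far\n",
           rejected, t.comparisons);
    printf("unrelated key still inserts: %d\n", table_insert(&t, "a"));
    table_free(&t);
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: of the 16 colliding keys the first 8 go in, the remaining 8 are refused, and a key that hashes elsewhere still inserts. The caveat the thread is arguing about is visible here too: a legitimate input that genuinely collides past the cap is refused as well, which is why the limit value matters, and why max_input_vars (bounding the number of keys rather than the chain length) is the other knob on the table.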