On 17/03/12 23:17, Simon Schick wrote:
Hi, All
I just came around that talk a couple of days ago ..
http://www.youtube.com/watch?v=R2Cq3CLI6H8
I don't know much about hash-maps and internal php-stuff at all, but
they say that the fix provided in 5.3.9 (and 5.4.0) is more a
work-around than a fix ...
Would it be an option to provide a real fix in PHP 6.0? They got the
feedback that this will take some time and is not trivial, but we have
a good time before PHP6 and can also break backwards compatibility for
php-plugins if really necessary.
As they said in the movie, PHP seems to have the algorithm DJBX33A
implemented as Ruby. So as they're so proud of the fix provided by the
Ruby-Team, may we can use that for PHP as well :)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4815
This is not much because some attacker can do something, but what if
you have a real-world-application that (for some reason) build up an
array that just will blow up because of that? I haven't experienced
that until now, but it's possible ...
Bye
Simon
Hi,
Fairly new to this list so go easy :P..
Anyway I was looking at the hash function in PHP the other week, and was
playing around with some different implementations. DJBX33A is fast,
which I guess is why PHP uses it as it is hit so many times in the
execution.
However I tried and benchmarked a few different algorithms, I didn't try
the patch you mentioned, however the only algorithm that came anywhere
close to matching the DJBX33A method is Paul Hseih's Super Fast Hash
algorithm: http://www.azillionmonkeys.com/qed/hash.html
I benchmarked the DJBX33A against Hseih's algorithm and compared the
results using an Intel x86 architecture and an AMD 64 machine and both
algorithms performed similarly. The benchmarks weren't robust as they
were only quick, 'let's hack and see' tests. Would be interesting if
anyone else has had a go.
If I can find it I'll post a patch so you could?
Cheers
Sam
