Not all json_decode()s will operate on user-supplied data. Why not add a DoS-resistant variant?
I propose the addition of json_safe_decode() to use a randomized hash. I'm not trolling about the bin2hex() -> ts_bin2hex() when I say this. Well, not entirely.

On Tue, Dec 23, 2014 at 3:16 PM, Andrea Faulds <a...@ajf.me> wrote:
>
>> On 23 Dec 2014, at 20:12, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> Hi,
>>
>> On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye <pierre....@gmail.com> wrote:
>>
>>> This issue has been reported earlier on secur...@php.net and is being
>>> discussed and analyzed. It is not a simple task.
>>>
>>
>> If we are not going to use another hash (i.e., half MD4 like other langs), how
>> about adding a max allowed collisions? It would be simple and fast enough. I'm not
>> looking at the code, so I could be wrong.
>
> Hey,
>
> We could implement a special JSONObject class with custom __get/__set
> handlers and that's Traversable, which implements a randomised hashing
> algorithm rather than using zend_hash. That could be overkill though.
>
> Thanks.
> --
> Andrea Faulds
> http://ajf.me/
>
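The two mitigations floated in this thread, a cap on collisions per bucket and a randomised hash behind a separate json_safe_decode(), are easy to misjudge without seeing the attack input, so here is a small runnable model. It is added illustration, not code from this thread or from PHP's source: the hash is DJBX33A (the function behind zend_hash), but the chained table, the collision cap, the seed parameter and the name json_safe_decode are assumptions standing in for the proposals above. The hostile keys are built from the 2-byte blocks "Ez" and "FY", which make the same contribution to a DJBX33A hash whatever the running value is, so they collide for any seed; the model shows the cap rejecting such input early while ordinary objects decode normally, and also shows that merely re-seeding DJBX33A does not break the collision, which is why "randomised" in practice means a different hash function rather than a different start value.

```python
"""Model of a collision-capped hash table behind a DoS-resistant json_decode().
Added illustration, not PHP code: DJBX33A is real; the table, cap, seed
parameter and json_safe_decode name are assumptions."""
import json
import secrets
from itertools import product


class TooManyCollisions(ValueError):
    """One bucket chain grew past the configured limit."""


def djbx33a(key: str, seed: int = 5381) -> int:
    """DJBX33A: h = h * 33 + byte with 32-bit wrap; 5381 is the classic start."""
    h = seed
    for b in key.encode("utf-8"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def colliding_keys(n_blocks: int):
    """Yield 2**n_blocks distinct keys sharing one DJBX33A value.

    "Ez" and "FY" both contribute 69*33 + 122 == 70*33 + 89 == 2399, and that
    contribution is independent of the running hash, so every concatenation
    of these blocks collides, for every seed.
    """
    for blocks in product(("Ez", "FY"), repeat=n_blocks):
        yield "".join(blocks)


class CappedHashTable:
    """Chained table that doubles at load factor 1 but refuses any chain
    longer than max_collisions (assumed policy, not zend_hash behaviour)."""

    def __init__(self, max_collisions: int = 64, seed: int = 5381, nbuckets: int = 8):
        self.max_collisions = max_collisions
        self.seed = seed
        self.buckets = [[] for _ in range(nbuckets)]
        self.count = 0

    def _bucket(self, key: str) -> list:
        return self.buckets[djbx33a(key, self.seed) % len(self.buckets)]

    def insert(self, key: str, value) -> None:
        chain = self._bucket(key)
        for i, (k, _) in enumerate(chain):
            if k == key:            # plain update, no new collision
                chain[i] = (key, value)
                return
        if len(chain) >= self.max_collisions:
            raise TooManyCollisions(f"{len(chain)} keys already share the bucket of {key!r}")
        chain.append((key, value))
        self.count += 1
        if self.count > len(self.buckets):   # grow and rehash, as any table would
            old = self.buckets
            self.buckets = [[] for _ in range(2 * len(old))]
            for old_chain in old:
                for k, v in old_chain:
                    self._bucket(k).append((k, v))

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def json_safe_decode(text: str, max_collisions: int = 64, seed: int = 5381) -> dict:
    """json_decode() variant: every object's keys pass through a capped table,
    so an adversarial key set fails fast instead of degrading to O(n^2)."""
    def pairs_hook(pairs):
        table = CappedHashTable(max_collisions, seed)
        for k, v in pairs:
            table.insert(k, v)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=pairs_hook)


def demo():
    """Constructed inputs: a 4096-key ordinary object and a 4096-key hostile one."""
    ordinary = json.dumps({f"field{i}": i for i in range(4096)})
    hostile = json.dumps({k: 0 for k in colliding_keys(12)})
    accepted = len(json_safe_decode(ordinary))
    try:
        json_safe_decode(hostile)
        rejected = False
    except TooManyCollisions:
        rejected = True
    # Re-seeding DJBX33A per process does not help: the same keys still pile up.
    seeded = CappedHashTable(max_collisions=10**9, seed=secrets.randbits(32))
    for k in colliding_keys(10):
        seeded.insert(k, None)
    return accepted, rejected, seeded.longest_chain()


if __name__ == "__main__":
    print(demo())
```

The cap is a policy knob: it bounds the work any single object can force, at the price of rejecting pathological but legitimate input, which is the trade-off behind keeping such a limit in a separate, opt-in decoder rather than in json_decode() itself.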