On Dec 24, 2014 3:17 AM, "Andrea Faulds" <a...@ajf.me> wrote:
>
> > On 23 Dec 2014, at 20:12, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >
> > Hi,
> >
> > On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye <pierre....@gmail.com> wrote:
> >
> >> This issue has been reported earlier on secur...@php.net and is being
> >> discussed and analyzed. It is not a simple task.
> >>
> >
> > If we are not going to use another hash (i.e. half MD4 like other langs), how
> > about adding a max allowed collisions? It would be simple and fast enough. I'm not
> > looking at the code, so I could be wrong.
>
> Hey,
>
> We could implement a special JSONObject class with custom __get/__set handlers and that's Traversable, which implements a randomised hashing algorithm rather than using zend_hash. That could be overkill though.
Please keep in mind that this problem is:
. not JSON specific
. not specific to runtime, but could also happen before a script gets control

A randomized hash only postpones the issue but won't solve it. I fear that a fix is way more work than what we may think. A discussion is going on on security; let's hope to get something in a reasonable time.

I also wonder what we could provide right now to at least prevent script kiddie attacks during this holiday season...
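The following is an added illustration, not code from the thread or from the PHP source. It models the two ideas raised above on a deliberately small chained hash table: Yasuo's "max allowed collisions" cap on the chain length, and why Pierre says a randomized seed only postpones the problem. The hash is DJBX33A (the times-33 function zend_hash used for string keys); the bucket count, the chain cap, the seed value and the table layout are assumptions for the demo. The colliding keys are built from the well-known "Ez"/"FY" block pair, whose contributions to DJBX33A are equal, so any string assembled from those blocks hashes the same no matter what initial value the hash starts from.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 256   /* assumption: small fixed-size table for the demo */
#define NKEYS    16    /* 2^4 colliding keys built below */
#define KEYLEN   8     /* four two-byte blocks per key */

/* DJBX33A ("times 33") string hash. `seed` stands in for the usual initial
 * value 5381 so the effect of a per-process random seed can be shown. */
static uint32_t djbx33a(const char *s, size_t n, uint32_t seed) {
    uint32_t h = seed;
    for (size_t i = 0; i < n; i++)
        h = h * 33 + (unsigned char)s[i];
    return h;
}

/* "Ez" and "FY" contribute the same value (69*33+122 == 70*33+89), so every
 * key assembled from those blocks collides. Fills out[] with 2^4 such keys. */
static void gen_colliding(char out[NKEYS][KEYLEN + 1]) {
    const char *block[2] = {"Ez", "FY"};
    for (int i = 0; i < NKEYS; i++) {
        out[i][0] = '\0';
        for (int b = 0; b < 4; b++)
            strcat(out[i], block[(i >> b) & 1]);
    }
}

/* 1 if all generated keys hash identically under this seed, else 0.
 * Returns 1 for any seed: the seed term is identical for equal-length keys. */
int colliding_keys_share_hash(uint32_t seed) {
    char keys[NKEYS][KEYLEN + 1];
    gen_colliding(keys);
    uint32_t h0 = djbx33a(keys[0], KEYLEN, seed);
    for (int i = 1; i < NKEYS; i++)
        if (djbx33a(keys[i], KEYLEN, seed) != h0)
            return 0;
    return 1;
}

typedef struct entry { char key[KEYLEN + 1]; struct entry *next; } entry;
typedef struct { entry *bucket[NBUCKETS]; } table;

/* Insert with a cap on chain length (the "max allowed collisions" idea).
 * Returns 1 on success or duplicate key, 0 if the insert is refused. */
static int table_insert(table *t, const char *key, size_t maxchain) {
    uint32_t idx = djbx33a(key, strlen(key), 5381) % NBUCKETS;
    size_t chain = 0;
    for (entry *e = t->bucket[idx]; e; e = e->next) {
        if (strcmp(e->key, key) == 0)
            return 1;                     /* already present: no growth */
        chain++;
    }
    if (chain >= maxchain)
        return 0;                         /* refuse: chain would exceed cap */
    entry *e = calloc(1, sizeof *e);
    if (!e)
        return 0;
    strcpy(e->key, key);
    e->next = t->bucket[idx];
    t->bucket[idx] = e;
    return 1;
}

static void table_free(table *t) {
    for (int i = 0; i < NBUCKETS; i++)
        while (t->bucket[i]) {
            entry *e = t->bucket[i];
            t->bucket[i] = e->next;
            free(e);
        }
}

/* Insert the whole colliding set; returns how many the cap let through. */
size_t accepted_with_limit(size_t maxchain) {
    char keys[NKEYS][KEYLEN + 1];
    table t = {{0}};
    size_t accepted = 0;
    gen_colliding(keys);
    for (int i = 0; i < NKEYS; i++)
        accepted += (size_t)table_insert(&t, keys[i], maxchain);
    table_free(&t);
    return accepted;
}

int main(void) {
    printf("all %d keys collide, seed 5381:   %d\n", NKEYS, colliding_keys_share_hash(5381));
    printf("all %d keys collide, random seed: %d\n", NKEYS, colliding_keys_share_hash(0xDEADBEEFu));
    printf("accepted with no cap: %zu\n", accepted_with_limit((size_t)-1));
    printf("accepted with cap 8:  %zu\n", accepted_with_limit(8));
    return 0;
}
```

The cap turns an attacker-controlled quadratic insert into a bounded one, at the cost of a new failure mode (a refused insert has to surface as an error, for json_decode or anywhere else the table is filled from untrusted keys), which is the trade-off Yasuo's proposal implies. The seeded run shows why seeding alone is not an answer for this hash family: block-swapping collisions survive any initial value, so "randomised hashing" has to mean a keyed function whose output depends on the key in a non-linear way, not a different starting constant.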