Hi Pierre, On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye <pierre....@gmail.com> wrote:
> Please keep in mind that this problem is: > > . not json specific > . not specific at runtime but could also happen before a script get the > hand > > A randomized hash only postpone the issue but won't solve it. > > I fear that a fix is way more work that what we may think. A discussion is > going on security, let hope to get something in a reasonable time. I also > wonder what we could provide right now to at least prevent script kiddies > attacks during this holiday season.. > I only read Zend code on occasion, so it might not be feasible. Anyway, when collision happens, Engine detects collision. Limited number of collision should happen under normal circumstances. Simply limiting number of collisions for a specific hash bucket would prevent DoS. The limit may be INI setting, so that users may set higher limit when they need. We may use more secure hash like half MD4 or CityHash (I'm not sure if CityHash is secure enough, though), but it would be much slower than now. Limiting number of collision would be the best solution. We never worry about intensional collision attack again. Regards, P.S. Did we decide to have 64 bit array keys? 64 bit array key is much more stronger against collisions. -- Yasuo Ohgaki yohg...@ohgaki.net
