Hi,

On Wed, Dec 24, 2014 at 7:37 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Pierre,
>
> On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye <pierre....@gmail.com> wrote:
>>
>> Please keep in mind that this problem is:
>>
>> . not JSON specific
>> . not specific to runtime but could also happen before a script gets the
>> hand
>>
>> A randomized hash only postpones the issue but won't solve it.
>>
>> I fear that a fix is way more work than what we may think. A discussion is
>> going on security; let's hope to get something in a reasonable time. I also
>> wonder what we could provide right now to at least prevent script kiddie
>> attacks during this holiday season.
>
> I only read Zend code on occasion, so it might not be feasible.
>
> Anyway, when a collision happens, the Engine detects the collision.
> A limited number of collisions should happen under normal circumstances.
> Simply limiting the number of collisions for a specific hash bucket would
> prevent DoS. The limit may be an INI setting, so that users may set a higher
> limit when they need it.
>
> We may use more secure hash like half MD4 or CityHash (I'm not sure if
> CityHash is secure enough, though), but it would be much slower than now.
>
> Limiting the number of collisions would be the best solution. We would never
> worry about intentional collision attacks again.

I do not see how it solves the problem. It only reduces it, slightly.
Having a couple of medium instances generating crafted requests will
just have the same effect. So far the more realistic suggestions are
about having a collision-safe implementation, not an implementation with
limited collisions.

> P.S. Did we decide to have 64-bit array keys? A 64-bit array key is much
> stronger against collisions.

I would not say "much stronger", slightly stronger, but as long as the
same implementation is used, it does not really solve anything in this
area.


-- 
Pierre

@pierrejoye | http://www.libgd.org
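An added illustration, not code from this thread or from the Zend engine, of the per-bucket collision limit Yasuo proposes: a toy chained hash table in C that refuses to extend any bucket's chain beyond MAX_CHAIN, the value an INI setting would supply. The hash function, bucket count, limit and the "k0".."k63" keys are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of a per-bucket collision limit: a tiny chained
 * hash table that refuses to grow any bucket past MAX_CHAIN. Not Zend code. */
#define NBUCKETS  8
#define MAX_CHAIN 3            /* stand-in for a tunable INI limit */
typedef struct entry { char key[16]; int value; struct entry *next; } entry;
typedef struct { entry *bucket[NBUCKETS]; int accepted, rejected; } table;

/* Plain multiplicative string hash (illustration only, not PHP's). */
static unsigned str_hash(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Length of the chain `key` maps to: the work a lookup of it has to do. */
int chain_len(const table *t, const char *key) {
    int n = 0;
    for (const entry *e = t->bucket[str_hash(key) % NBUCKETS]; e; e = e->next) n++;
    return n;
}

/* Insert or update. Returns 0 on success, -1 when the chain already holds
 * MAX_CHAIN distinct keys: the guard that bounds a crafted collision chain. */
int table_set(table *t, const char *key, int value) {
    entry **slot = &t->bucket[str_hash(key) % NBUCKETS];
    for (entry *e = *slot; e; e = e->next)
        if (strcmp(e->key, key) == 0) { e->value = value; return 0; }
    if (chain_len(t, key) >= MAX_CHAIN) { t->rejected++; return -1; }
    entry *e = calloc(1, sizeof *e);
    snprintf(e->key, sizeof e->key, "%s", key);
    e->value = value; e->next = *slot; *slot = e; t->accepted++;
    return 0;
}

/* Feed n constructed keys "k0".."k(n-1)" into a fresh table and return how
 * many the limit turned away, or -1 if a chain ever exceeded MAX_CHAIN. */
int fill_and_check(int n) {
    table t; char key[16]; int bad = 0;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < n; i++) {
        snprintf(key, sizeof key, "k%d", i);
        table_set(&t, key, i);
        if (chain_len(&t, key) > MAX_CHAIN) bad = 1; /* limit must hold after every insert */
    }
    for (int b = 0; b < NBUCKETS; b++)                /* release the entries */
        for (entry *e = t.bucket[b], *nx; e; e = nx) { nx = e->next; free(e); }
    return (bad || t.accepted + t.rejected != n) ? -1 : t.rejected;
}
```

With 8 buckets and a chain limit of 3 the table can never hold more than 24 keys, so a flood of 64 distinct keys has at least 40 refused while every lookup stays bounded; whether refusing keys is an acceptable behaviour for an engine is the point Pierre raises above.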

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
