Ryan, On Thu, Apr 30, 2015 at 1:29 PM, Ryan Pallas <derokor...@gmail.com> wrote:
> On Wed, Apr 29, 2015 at 8:37 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > >> Hi Rowan, >> >> On Thu, Apr 30, 2015 at 11:17 AM, Yasuo Ohgaki <yohg...@ohgaki.net> >> wrote: >> >> > >> >> A fatal error wouldn't constitute a DoS vulnerability, would it? >> >>>> >> >>>> Attacker may inject huge ID value and/or they may simply access >> >>> web sites to reach 2 billion limit, for example. >> >>> >> >> >> >> That's not a DoS vector unless you've also done something else wrong, >> >> it's just an embarassing error like many others. A lot of the time, >> the DB >> >> will overflow first anyway, because an SQL "int" is signed 32-bit. >> Hell, >> >> YouTube had a 32-bit int for number of views until Gangnam Style >> overflowed >> >> it! >> >> >> > >> > Not really. Primary key is out of user control almost always. However, >> > suppose code allows to specify foreign key and code assumes that non >> > existing foreign key results in search query failure. >> > >> > Current PHP: Search query failure. >> > New PHP type hint: Fatal error because foreign key is out of PHP int >> range. >> > > How is this different than other languages with type hint? For example, > Java or C# - if you type hint int you are limited to 32bit. These languages > have long and bigint respectively to support 64bit, but type hinting int > means you cannot have arbitrarily large numbers. > > To me it sounds like you're trying to solve an application problem but > suggesting a change to the language. > > > >> > If user are using type hints everywhere, it may be limited to attackers >> > seeing fatal errors. If not, attacker can succeed system wide DoS >> attack by >> > simple operation. >> > >> >> I should have mentioned that I'm supposing DBMS like SQLite here. >> As we know, SQLite column accepts any value including value beyond 64 bit >> int. >> > https://www.sqlite.org/datatype3.html >> (Those who don't now "Type Affinity", please read the section) >> >> From your link " The value is a signed integer, stored in 1, 2, 3, 4, 6, > or 8 bytes depending on the magnitude of the value." And take a look at > http://jakegoulding.com/blog/2011/02/06/sqlite-64-bit-integers/ where > numbers larger than the max are converted to real on storage sometimes, > depending on the affinity of the storage type chosen but not on math. > As PHP int type hint does not accept huge float as int, it does not matter, does it? <?php function foo(int $v) { echo $v; } foo('1.0e+33'); ?> Fatal error: Argument 1 passed to foo() must be of the type integer, string given, called in - on line 6 and defined in - on line 2 SQLite is the most used RDBMS in the world. >> > I would love to see some empirical data that supports this claim. > You know number of mobile devices? All Android/iPhone have it. Use of SQLite is not limited to phone, but almost every embedded device. It's about PHP was and PHP currently is. PHP didn't have any issues with huge record ID at all, but it can result in DoS not limited to targeted, but including site wide. Bad news for me is these DoS could be triggered by upgrade of library/etc that supports PHP7 type hints, not the code that I've authored or supervised. Anyway, too strict "weak" type hint cases problems any external inputs. There should be a resolution. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
