Hello, What if we had some sort of configuration limit on collision length? Would give most of us a viable way to prevent our apps from being attacked, and yet in the use cases where we require a higher limit we retain the ability to up the limit or disable it completely.
Regards, Glenn On Wed, Sep 21, 2016 at 4:06 AM, Niklas Keller <m...@kelunik.com> wrote: > 2016-09-21 8:54 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>: > > > Hi Stas, > > > > On Wed, Sep 21, 2016 at 11:26 AM, Stanislav Malyshev > > <smalys...@gmail.com> wrote: > > > > > >> I think we are better to limit max collisions. > > >> I'm +1 for Nikita's proposal does this. > > > > > > Max collision per what? How much would be the limit? > > > > Collision by keys. > > > > It would be nice to have configurable limit like regex stack/backtrack > > limit. > > That said, wouldn't 1000 enough for almost all apps? > > > > Having a limit isn't a good idea for all use cases, but it works for some. > > > > Anyway, we have two choices > > - Simply limit the number of collisions. (Fast and has no impact to > code) > > > > It totally has impact to code. What happens if we have enough collisions? > Throw an exception? Might break code, any array insert operation might > suddenly fail. Simply fatal? Not suitable for long running applications > like Aerys (https://github.com/amphp/aerys) or PPM ( > https://github.com/php-pm/php-pm). > > I guess to support these use cases, we have to switch to a cryptographic > hash function here. But I guess it would be totally fine having such a > feature as compile flag, limiting the number of collisions usually and > provide a cryptographic hash function for long running apps to protect > them. > > I think such an option is fine for those running long running applications, > since they don't rely on setups like shared hosting and can usually compile > their own versions. > > > > - Use crypt safe hash and salt. (Slow and has impact to opcache/etc) > > > > Do we need a salt here? If not, how does it then impact opcache? > > > > Limiting something is good to have sometimes. > > Python even limits number of recursions to 1000 by default. > > > > Recursion is / should not be affected by user input and thus is a slightly > different topic. > > Regards, Niklas > > > > We have PCRE stack/backtrack limits. (We'll have mbregex stack limit > soon) > > Collision limit is good one also. > > > > Regards, > > > > -- > > Yasuo Ohgaki > > yohg...@ohgaki.net > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > >
