On 22/09/2016 08:52, Jakub Zelenka wrote:
> I don't like the initial version of the patch that was causing a fatal error for json_decode. That's not how json_decode should work. I think that Bob came up later with a better version that was using the JSON recursion error. It might require a bit more work for 7.1 as I changed the JSON parser since then.
The point of the proposed patch is that it causes a fatal error *anywhere* that a hash is attacked (and, as discussed, it really is only going to trigger on a crafted attack).
Adding mitigations elsewhere such as in the JSON parser can be done *on top of* that, since they'll presumably catch the problem before the hash is inserted into.
It's the same as if the attack caused an exponential amount of memory usage: the engine will bail out as soon as the hard memory limit is reached, but extensions can and should detect and avoid scenarios likely to cause that.
Regards,
--
Rowan Collins
[IMSoP]
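Added example, not from the thread or the PHP patch: a toy Python model of the layering described in the message above, where the table itself raises a fatal error past a collision limit and a parser-style caller checks first and returns an ordinary error. `ToyHash`, `decode_pairs`, the weak byte-sum hash and the limit of 8 are all assumptions made for illustration.

```python
# Toy model only: not PHP's HashTable and not the patch under discussion.
MAX_COLLISIONS = 8  # assumed limit; the thread does not give a value


class FatalCollisionError(RuntimeError):
    """Stands in for the engine-level fatal error (last line of defence)."""


class ToyHash:
    def __init__(self, buckets=16):
        self.buckets = [[] for _ in range(buckets)]

    def _chain(self, key):
        # Deliberately weak hash (byte sum) so the sample keys collide.
        return self.buckets[sum(key.encode()) % len(self.buckets)]

    def chain_len(self, key):
        return len(self._chain(key))

    def would_overflow(self, key):
        chain = self._chain(key)
        return len(chain) >= MAX_COLLISIONS and all(k != key for k, _ in chain)

    def insert(self, key, value):
        # Engine layer: applies to every caller, so it can only bail out hard.
        if self.would_overflow(key):
            raise FatalCollisionError("collision limit exceeded")
        chain = self._chain(key)
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def decode_pairs(pairs):
    """Parser layer: check before inserting and fail with a normal error."""
    table = ToyHash()
    for key, value in pairs:
        if table.would_overflow(key):
            return None, "collision limit"
        table.insert(key, value)
    return table, None


# Constructed sample input: every key in COLLIDING has the same byte sum (219).
COLLIDING = [chr(97 + i) + chr(122 - i) for i in range(12)]
BENIGN = ["k%d" % i for i in range(12)]
```

The parser-level check returns an error the caller can handle, while a caller that skips it still hits the hard stop inside `insert`.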