On Thu, Sep 22, 2016 at 10:06 AM, Rowan Collins <rowan.coll...@gmail.com> wrote:
> On 22/09/2016 08:52, Jakub Zelenka wrote:
>
>> I don't like the initial version of the patch that was causing fatal error
>> for json_decode. That's not how json_decode should work. I think that Bob
>> came up later with a better version that was using json recursion error. It
>> might require a bit more work for 7.1 as I changed a json parser since
>> then.
>>
>
> The point of the proposed patch is that it causes fatal error *anywhere*
> that a hash is attacked (and, as discussed, it really is only going to
> trigger on a crafted attack).
>
> Adding mitigations elsewhere such as in the JSON parser can be done *on
> top of* that, since they'll presumably catch the problem before the hash is
> inserted into.
>
> It's the same as if the attack caused an exponential amount of memory
> usage: the engine will bail out as soon as the hard memory limit is
> reached, but extensions can and should detect and avoid scenarios likely to
> cause that.
>

Nope, the point of Bob's patch is to use graceful handling with an exception
that can easily be checked by the json parser, for example! See
https://github.com/php/php-src/pull/1706

From the quick look, it actually just requires regenerating the parser from the
json ext point of view.

Cheers

Jakub