> On 23.09.2016 at 03:16, Stanislav Malyshev <smalys...@gmail.com> wrote:
>
> Hi!
>
>> The patch is not only targeting JSON. He just used JSON as an example.
>>
>> Every function generating arrays with keys based on user-defined input
>> needs to be updated.
>
> That looks like a very good way to make a lot of mistakes, miss a lot of
> cases and end up playing whack-a-mole with covering all functions. Why
> not just patch zend_hash.c and be done with it?
>
> --
> Stas Malyshev
> smalys...@gmail.com

Hey,

Note that the implementation is going to fall back to a fatal error if even more collisions are reached (in the current patch: 1100 instead of 1000). So, even if we miss some cases with the exceptions, there still will be a safety net for us.

We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals (very bad for e.g. servers written in PHP. When they have to decode some JSON, it's trivial for an attacker to crash them very easily).

As that's not an option, we need to use exceptions.

Bob
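
The two-threshold collision counting described in the reply above, as an added example that is not part of the original message, the PHP patch or zend_hash.c. Only the limits 1000 and 1100 come from the thread; the toy chained table, the `checked` flag and all names are assumptions made for illustration.

```c
#include <stdio.h>

#define NBUCKETS   64u    /* toy table size, power of two (assumption) */
#define POOL       4096u  /* toy node capacity (assumption) */
#define SOFT_LIMIT 1000u  /* from the thread: exception threshold */
#define HARD_LIMIT 1100u  /* from the thread: fatal-error safety net */

enum ht_status { HT_OK, HT_EXCEPTION, HT_FATAL };
struct node { unsigned long key; struct node *next; };
struct table { struct node *bucket[NBUCKETS]; struct node pool[POOL]; unsigned used; };

/* checked=1 models a caller that can handle the exception (e.g. a decoder
 * of user input); checked=0 models a function the patch did not cover. */
enum ht_status ht_insert(struct table *t, unsigned long key, int checked)
{
    struct node **head = &t->bucket[key & (NBUCKETS - 1)];
    unsigned collisions = 0;
    for (struct node *n = *head; n; n = n->next) {
        if (n->key == key)
            return HT_OK;                 /* key already present */
        if (++collisions > HARD_LIMIT)
            return HT_FATAL;              /* safety net for every caller */
        if (checked && collisions > SOFT_LIMIT)
            return HT_EXCEPTION;          /* recoverable: reject this input */
    }
    if (t->used == POOL)
        return HT_FATAL;                  /* toy pool exhausted */
    struct node *n = &t->pool[t->used++];
    *n = (struct node){ key, *head };     /* prepend to the bucket chain */
    *head = n;
    return HT_OK;
}

/* Insert constructed keys that all map to bucket 0 until one is refused. */
unsigned fill_colliding(int checked, enum ht_status *why)
{
    struct table t = {0};
    unsigned stored = 0;
    while ((*why = ht_insert(&t, (unsigned long)stored * NBUCKETS, checked)) == HT_OK)
        stored++;
    return stored;
}

int main(void)
{
    enum ht_status why;
    printf("checked:   %u stored\n", fill_colliding(1, &why));
    printf("unchecked: %u stored\n", fill_colliding(0, &why));
    return 0;
}
```

A caller that handles `HT_EXCEPTION` can reject the single offending input and keep serving, while a caller that was missed still stops at the hard limit instead of degrading without bound.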