Hi all,
On 24.12.2014 10:47, "Yasuo Ohgaki" wrote:
>
> On Wed, Dec 24, 2014 at 6:29 PM, Pierre Joye wrote:
>
> > I do not see how it solves the problem. It only reduces it, slightly.
> > Having a couple of medium instances generating crafted requests will
> > just have the same effect. So far t
Hi,
On Wed, Dec 24, 2014 at 6:29 PM, Pierre Joye wrote:
> I do not see how it solves the problem. It only reduces it, slightly.
> Having a couple of medium instances generating crafted requests will
> just have the same effect. So far the more realistic suggestions are
> about having collision s
hi,
On Wed, Dec 24, 2014 at 7:37 PM, Yasuo Ohgaki wrote:
> Hi Pierre,
>
> On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye wrote:
>>
>> Please keep in mind that this problem is:
>>
>> . not json specific
>> . not specific at runtime but could also happen before a script gets the
>> hand
>>
>> A rando
Hi Pierre,
On Wed, Dec 24, 2014 at 4:23 PM, Pierre Joye wrote:
> Please keep in mind that this problem is:
>
> . not json specific
> . not specific at runtime but could also happen before a script gets the
> hand
>
> A randomized hash only postpones the issue but won't solve it.
>
> I fear that a
On Dec 24, 2014 3:17 AM, "Andrea Faulds" wrote:
>
>
> > On 23 Dec 2014, at 20:12, Yasuo Ohgaki wrote:
> >
> > Hi,
> >
> > On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye wrote:
> >
> >> This issue has been reported earlier on secur...@php.net and is being
> >> discussed and analyzed. It is not a si
On Tue, Dec 23, 2014 at 9:12 PM, Yasuo Ohgaki wrote:
> Hi,
>
> On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye wrote:
>
> > This issue has been reported earlier on secur...@php.net and is being
> > discussed and analyzed. It is not a simple task.
> >
>
> If we are not going to use other hash (i.e.
Not all json_decode()s will operate on user-supplied data. Why not add a
DoS-resistant variant?
I propose the addition of json_safe_decode() to use a randomized hash.
I'm not trolling about the bin2hex() -> ts_bin2hex() when I say this. Well,
not entirely.
On Tue, Dec 23, 2014 at 3:16 PM, Andrea
> On 23 Dec 2014, at 20:12, Yasuo Ohgaki wrote:
>
> Hi,
>
> On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye wrote:
>
>> This issue has been reported earlier on secur...@php.net and is being
>> discussed and analyzed. It is not a simple task.
>>
>
> If we are not going to use other hash (i.e. h
Hi,
On Wed, Dec 24, 2014 at 4:51 AM, Pierre Joye wrote:
> This issue has been reported earlier on secur...@php.net and is being
> discussed and analyzed. It is not a simple task.
>
If we are not going to use other hash (i.e. half MD4 like other langs), how
about add max allowed collisions? It w
This issue has been reported earlier on secur...@php.net and is being
discussed and analyzed. It is not a simple task.
I have to thank the reporter to have it done the right way.
Maybe Lukas can learn from them for his next report.
Cheers,
Pierre
On Dec 23, 2014 11:20 PM, "Scott Arciszewski" wr
http://lukasmartinelli.ch/web/2014/11/17/php-dos-attack-revisited.html
Sigh