On 9/15/16 2:48 PM, Scott Arciszewski wrote:
Would the Internals team be open to discussing mitigating HashDoS in a
future version of PHP? i.e. everywhere, even for json_decode() and friends,
by fixing the problem rather than capping the maximum number of input
parameters and hoping it's good en
On 30 November 2015 at 13:58, Pascal KISSIAN
wrote:
> >From: Nikita Popov [mailto:nikita@gmail.com]
> >Sent: Sunday, 29 November 2015 12:45
> >To: Pascal KISSIAN
> >Cc: PHP internals
> >Subject: Re: HashDos protection
>
> >Collisions in DJBX33A are (integer overflow notwithstanding) comple
>From: Nikita Popov [mailto:nikita@gmail.com]
>Sent: Sunday, 29 November 2015 12:45
>To: Pascal KISSIAN
>Cc: PHP internals
>Subject: Re: HashDos protection
>Collisions in DJBX33A are (integer overflow notwithstanding) completely
>independent of the starting value, so randomizing it wouldn
On 28 November 2015 at 01:00, Pascal KISSIAN
wrote:
> -Original Message-
> From: Nikita Popov [mailto:nikita@gmail.com]
> Sent: Thursday, 26 November 2015 18:25
> To: PHP internals; Anatol Belski; Remi Collet
> Subject: HashDos protection
>
> >Hi internals!
> >This mail turned out to be
On Sat, Nov 28, 2015 at 12:02 PM, Pascal KISSIAN
wrote:
> Sorry Nikita,
>
> I didn’t fully read your 1st message because it was speaking on changing
> hash algo…, and I’ve been a bit lazy on that…
>
> However, I only have thought about a minor change introducing a salt.
>
> In the zend_in
From: Nikita Popov [mailto:nikita@gmail.com]
Sent: Saturday, 28 November 2015 11:35
To: Pascal KISSIAN
Cc: PHP internals
Subject: Re: HashDos protection
On Sat, Nov 28, 2015 at 2:00 AM, Pascal KISSIAN
wrote:
-Original Message-
From: Nikita Popov [mailto:nikita@gmail.com
On Sat, Nov 28, 2015 at 2:00 AM, Pascal KISSIAN
wrote:
> -Original Message-
> From: Nikita Popov [mailto:nikita@gmail.com]
> Sent: Thursday, 26 November 2015 18:25
> To: PHP internals; Anatol Belski; Remi Collet
> Subject: HashDos protection
>
> >Hi internals!
> >This mail turned out to
-Original Message-
From: Nikita Popov [mailto:nikita@gmail.com]
Sent: Thursday, 26 November 2015 18:25
To: PHP internals; Anatol Belski; Remi Collet
Subject: HashDos protection
>Hi internals!
>This mail turned out to be rather long, so I'll start with a TL;DR:
>To fix the HashDos vulner
On 26/11/2015 18:24, Nikita Popov wrote:
> Here is an implementation of this mechanism for PHP:
> https://github.com/php/php-src/pull/1565
>
> This is the approach I would recommend for PHP. The patch for this
> change is small and non-intrusive