On Thu, Sep 15, 2016 at 8:48 PM, Scott Arciszewski <sc...@paragonie.com> wrote:
> Would the Internals team be open to discussing mitigating HashDoS in a
> future version of PHP? i.e. everywhere, even for json_decode() and friends,
> by fixing the problem rather than capping the maximum number of input
> parameters and hoping it's good enough.
>
> I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/
>
> (Look at all the other languages that already adopted SipHash.)
>
> https://medium.freecodecamp.com/hash-table-attack-8e4371fc5261#.s5r5j42x3

Previous discussion on the topic: http://markmail.org/message/ttbgcvdu4f7uymfb

Nikita