Hi!

On 9/15/16 11:48 AM, Scott Arciszewski wrote:
> Would the Internals team be open to discussing mitigating HashDoS in a
> future version of PHP? i.e. everywhere, even for json_decode() and friends,
> by fixing the problem rather than capping the maximum number of input
> parameters and hoping it's good enough.
> 
> I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/

I am worried about performance. The base hash structure has to be *very*
fast. I have doubts that a cryptographic function can perform at these
levels. Did you test what the performance of this function is compared to
the existing hash function?

> 
> (Look at all the other languages that already adopted SipHash.)

Adopted as base data structure in the engine? Which ones? What were the
performance costs?
-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php