On 9/15/16 2:48 PM, Scott Arciszewski wrote:
Would the Internals team be open to discussing mitigating HashDoS in a
future version of PHP? i.e. everywhere, even for json_decode() and friends,
by fixing the problem rather than capping the maximum number of input
parameters and hoping it's good enough.
I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/
(Look at all the other languages that already adopted SipHash.)
I briefly looked through the "Users" list and didn't find anything
equivalent to using it as PHP's internal base hash.
Python and Rust have an implementation available to users. Ruby is using
it internally but I think it's focused on JSON.
There's some good info on the situation in Perl 5. While SipHash is
available it requires a non-default compile-time option.
Correct me if I'm not reading the situation right.
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php