On 9/15/16 2:48 PM, Scott Arciszewski wrote:

Would the Internals team be open to discussing mitigating HashDoS in a
future version of PHP? i.e. everywhere, even for json_decode() and friends,
by fixing the problem rather than capping the maximum number of input
parameters and hoping it's good enough.

I'd propose SipHash (and/or a derivative): https://www.131002.net/siphash/

(Look at all the other languages that already adopted SipHash.)

I briefly looked through the "Users" list and didn't find anything equivalent to using it as PHP's internal base hash.

Python and Rust have an implementation available to users. Ruby is using it internally but I think it's focused on JSON.

There's some good info[1] on the situation in Perl 5. While SipHash is available it requires a non-default compile-time option.

Correct me if I'm not reading the situation right.


[1] http://news.perlfoundation.org/2012/12/improving-perl-5-grant-report-11.html

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to