On 22/09/2016 08:52, Jakub Zelenka wrote:
> I don't like the initial version of the patch that was causing a fatal error
> for json_decode. That's not how json_decode should work. I think that Bob
> came up later with a better version that was using the JSON recursion error. It
> might require a bit more work for 7.1 as I changed the JSON parser since then.

The point of the proposed patch is that it causes a fatal error *anywhere* that a hash is attacked (and, as discussed, it really is only going to trigger on a crafted attack).

Adding mitigations elsewhere such as in the JSON parser can be done *on top of* that, since they'll presumably catch the problem before the hash is inserted into.

It's the same as if the attack caused an exponential amount of memory usage: the engine will bail out as soon as the hard memory limit is reached, but extensions can and should detect and avoid scenarios likely to cause that.

Rowan Collins

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
