On 22/09/2016 08:52, Jakub Zelenka wrote:
I don't like the initial version of the patch that was causing fatal error
for json_decode. That's not how json_decode should work. I think that Bob
came up later with a better version that was using json recursion error. It
might require a bit more work for 7.1 as I changed a json parser since then.


The point of the proposed patch is that it causes fatal error *anywhere* that a hash is attacked (and, as discussed, it really is only going to trigger on a crafted attack).

Adding mitigations elsewhere such as in the JSON parser can be done *on top of* that, since they'll presumably catch the problem before the hash is inserted into.

It's the same as if the attack caused an exponential amount of memory usage: the engine will bail out as soon as the hard memory limit is reached, but extensions can and should detect and avoid scenarios likely to cause that.

Regards,
--
Rowan Collins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to