On 22/09/2016 08:52, Jakub Zelenka wrote:
> I don't like the initial version of the patch that was causing a fatal error
> for json_decode. That's not how json_decode should work. I think that Bob
> came up later with a better version that was using json recursion error. It
> might require a bit more work for 7.1 as I changed a json parser since then.

The point of the proposed patch is that it causes a fatal error *anywhere*
that a hash is attacked (and, as discussed, it really is only going to
trigger on a crafted attack).

Adding mitigations elsewhere such as in the JSON parser can be done *on
top of* that, since they'll presumably catch the problem before the hash
is inserted into.

It's the same as if the attack caused an exponential amount of memory
usage: the engine will bail out as soon as the hard memory limit is
reached, but extensions can and should detect and avoid scenarios likely
to cause that.

PHP Internals - PHP Runtime Development Mailing List