On Mon, Jan 9, 2012 at 5:18 PM, Stefan Esser <ste...@nopiracy.de> wrote:
> Dear Pierre and others,
>> I'd strongly suggest releasing 5.3.9 (RC5 has been tested now) final
>> this week using the max_input_vars fix, with the modification from
>> Laruence (but with a larger limit). Laruence's addition also fixes
>> serialize and json, which are parts that need this fix as well, as it is
>> impossible to validate a string manually (a length check only is not enough
>> or cannot work in all cases).
> Why do you advocate a patch from Laruence that randomizes the size of the 
> HashTable, which does not fix the HashDOS security problem at all?

I do not; I refer to his other patch, which does exactly what Dmitry's
does and uses the same limit for json and serialize.

I'm actually against the randomized version of the fix as we do not
yet have enough of a clue about how good (or bad) it is.


@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
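As an added example that is not part of this thread and is not PHP's own patch, the Python sketch below shows the kind of per-request variable cap that max_input_vars provides, applied both to a form body and to JSON, and illustrates the quoted point that a length check is no substitute: two bodies of identical byte length can differ by three orders of magnitude in how many hash-table insertions they cause. MAX_INPUT_VARS, the helper names and the payloads are assumptions constructed for this example.

```python
"""Added example (not from the php-internals thread, not PHP code): a
max_input_vars-style cap on the number of variables a request may insert
into a hash table, for form bodies and for JSON, plus a demonstration of
why a byte-length check alone does not bound that number.
All limits and payloads are constructed for the example."""
import json
from urllib.parse import unquote_plus

MAX_INPUT_VARS = 1000  # assumed cap for this demo (PHP's default setting is 1000)


class TooManyInputVars(ValueError):
    """Raised before a request would exceed the cap on hash insertions."""


def iter_pairs(qs):
    """Stream key/value pairs from an x-www-form-urlencoded string without
    first splitting the whole body into a list."""
    start, n = 0, len(qs)
    while start <= n:
        end = qs.find("&", start)
        if end == -1:
            end = n
        pair = qs[start:end]
        if pair:
            key, _, value = pair.partition("=")
            yield unquote_plus(key), unquote_plus(value)
        start = end + 1


def parse_query_bounded(qs, limit=MAX_INPUT_VARS):
    """Parse a form body, aborting as soon as the cap is exceeded. The count
    is checked before each insertion, so the parser performs at most `limit`
    hash-table inserts no matter how the body is shaped (what is capped is the
    number of insertions, not the number of distinct keys)."""
    result, count = {}, 0
    for key, value in iter_pairs(qs):
        count += 1
        if count > limit:
            raise TooManyInputVars(f"more than {limit} input variables")
        result[key] = value
    return result


def count_query_vars(qs):
    """Number of variables a form body would insert, for inspection."""
    return sum(1 for _ in iter_pairs(qs))


def parse_json_bounded(text, limit=MAX_INPUT_VARS):
    """Decode JSON with the same cap applied to object keys at every nesting
    level. The hook runs once per object after its pairs are tokenized, so it
    bounds dict construction rather than the tokenizer's own work."""
    seen = 0

    def hook(pairs):
        nonlocal seen
        seen += len(pairs)
        if seen > limit:
            raise TooManyInputVars(f"more than {limit} object keys")
        return dict(pairs)

    return json.loads(text, object_pairs_hook=hook)


def count_json_keys(text):
    """Total object keys across all nesting levels (array elements add none)."""
    total = 0

    def hook(pairs):
        nonlocal total
        total += len(pairs)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return total


def within_limit(parser, data, limit=MAX_INPUT_VARS):
    """True if `parser` accepts `data` under `limit`, False if the cap is hit."""
    try:
        parser(data, limit)
    except TooManyInputVars:
        return False
    return True


def same_length_payloads(size):
    """Constructed demo bodies of identical byte length: one carries a single
    variable with a long value, the other one variable per two bytes. A length
    check cannot tell them apart; a variable count can."""
    one_var = "k=" + "v" * (size - 2)
    many_vars = "k&" * (size // 2)
    return one_var, many_vars


if __name__ == "__main__":
    for body in same_length_payloads(2002):
        print(len(body), count_query_vars(body), within_limit(parse_query_bounded, body))
```

The cap is deliberately applied to insertions rather than to input length or to distinct keys, because an attacker controls both the byte count per variable and the key names; the only quantity the server can bound cheaply before doing any hashing work is how many inserts it is willing to perform.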
