> -----Original Message-----
> From: Nikita Popov [mailto:nikita....@googlemail.com] 
> Sent: Monday, January 09, 2012 11:54 AM
> To: Xinchen Hui
> Cc: Pierre Joye; PHP internals; Johannes Schlüter; Laruence
> Subject: Re: [PHP-DEV] Re: 5.3.9, Hash DoS, release
>
> On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui <larue...@gmail.com> wrote:
> > Hi:
> >   I have a new idea, which is simple and also works for JSON/serialized 
> > etc.
> >
> >   That is, restricting the max length of a bucket's list in a hash table.
> >
> >   If a bucket's length exceeds 1024, any insertion into this bucket 
> > will return failure and a warning will be generated.
> >
> >   What do you think?
>
> That seems like a very good approach (until we have randomization). It would
> fix the issue in a generic way so not all functions need to be patched one by
> one. It also will not hurt legit uses of many POST variables (or large
> serialized arrays).
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

Yuck. Bad idea. Collisions happen, and for most hash algorithms there are 
plenty of perfectly likely key sequences that will collide badly.

There are two problems here:
1. Large data sets have the potential to behave poorly if things collide badly
2. An attacker may initiate a DoS attack by supplying a large set of data that 
is known to collide badly

To mitigate the impact of collisions, how about using a dynamic bucket 
behavior? Use a flat list for small/medium buckets, switch to a second level of 
hashing if the bucket grows beyond a certain size. Something like md5 could be 
used as part of the hash key calculation at deeper levels to ensure that the 
buckets don't infinitely collide. This covers the basic performance 
implications.

To prevent DoS, it has to be impossible for a malicious user to compute a 
problematic sequence of data. If the bucket level key computation includes an 
additional cryptographic transformation of any sort using a secret value unique 
to the machine (or unique to the process) that is handling the request, it 
would be impossible for an attacker to compute a problematic sequence of keys, 
which should close the door on DoS.

John Crenshaw
Priacta, Inc.
