On Tue, Jan 10, 2012 at 12:57 AM, Pierre Joye <pierre....@gmail.com> wrote:
> hi,
>
> No time for new ideas yet. We cannot afford to implement, test and
> validate new propositions and provide a fix as soon as possible (read: in
> the next days).
>
> What's the status of your patch? The max input var one, not the random
> (or derived version), can you post it in this thread again for the
> record please?
Hi, FYI

thanks
>
> If not, we will go final with the current fix in 5.3.
>
> On Mon, Jan 9, 2012 at 5:36 PM, Xinchen Hui <larue...@gmail.com> wrote:
>> Hi:
>>   I have a new idea, which is simple and also works for JSON/serialized etc.
>>
>>  That is, restricting the max length of a bucket list in a hash table.
>>
>>   If a bucket's length exceeds 1024, any insertion into this bucket
>> will return failure and a warning will be generated.
>>
>>   What do you think?
>>
>> Sent from my iPhone
>>
>> On 2012-1-9, 23:42, Pierre Joye <pierre....@gmail.com> wrote:
>>
>>> hi,
>>>
>>> Moving this discussion here as it makes little to no sense to discuss
>>> that any longer on security@
>>>
>>> We are now very late behind an acceptable delay to provide a fix for
>>> the hash DoS, to say it nicely.
>>>
>>> I'd strongly suggest to release 5.3.9 (RC5 has been tested now) final
>>> this week using the max_input_vars fix, with the modification from
>>> Laruence (but with a larger limit). Laruence's addition also fixes
>>> serialize or json, which are parts that need this fix as well, as it is
>>> impossible to validate a string manually (a length check only is not enough
>>> or cannot work in all cases).
>>>
>>> But 1st of all, the fix addition has to be applied and fully tested.
>>> But if the addition is not desired yet, then we must at least release
>>> 5.3.9 with Dmitry's fix only and we can fix json&serialize later,
>>> ideally within 2 weeks max.
>>>
>>> Cheers,
>>> --
>>> Pierre
>>>
>>> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
>
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org



-- 
惠新宸        laruence
Senior PHP Engineer
http://www.laruence.com
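The chain-length cap Laruence proposes above, as an added illustration in C that is not PHP's own code: a small chained hash table whose insert refuses, with a warning, once a bucket's collision chain already holds MAX_BUCKET_LEN (1024) entries, so a flood of colliding keys cannot grow one chain without bound. The toy hash function, the key format and the helper names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 64
#define MAX_BUCKET_LEN 1024   /* limit proposed in the thread */

typedef struct entry {
    char key[32];
    int value;
    struct entry *next;
} entry;

typedef struct {
    entry *buckets[NBUCKETS];
    size_t chain_len[NBUCKETS];   /* tracked so the limit check is O(1) */
} htable;

/* Toy hash, an assumption for this example only: first byte of the key. */
static unsigned toy_hash(const char *key) {
    return (unsigned char)key[0] % NBUCKETS;
}

/* Returns 1 if stored, 0 (plus a warning) if the bucket's collision chain
 * already holds MAX_BUCKET_LEN entries. Duplicate keys are not merged. */
int ht_insert(htable *ht, const char *key, int value) {
    unsigned b = toy_hash(key);
    if (ht->chain_len[b] >= MAX_BUCKET_LEN) {
        fprintf(stderr, "Warning: bucket %u reached chain limit %d, key rejected\n", b, MAX_BUCKET_LEN);
        return 0;
    }
    entry *e = calloc(1, sizeof *e);
    if (!e) return 0;
    snprintf(e->key, sizeof e->key, "%s", key);
    e->value = value;
    e->next = ht->buckets[b];        /* prepend to the chain */
    ht->buckets[b] = e;
    ht->chain_len[b]++;
    return 1;
}

/* Inserts n keys sharing a first byte (all collide under toy_hash) and
 * returns how many the guard accepted: at most MAX_BUCKET_LEN. */
int fill_one_bucket(htable *ht, int n) {
    char key[32]; int accepted = 0;
    for (int i = 0; i < n; i++) {
        snprintf(key, sizeof key, "a%d", i);
        accepted += ht_insert(ht, key, i);
    }
    return accepted;
}
```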

-- 
PHP Internals - PHP Runtime Development Mailing List