Hi Nikita,

> -----Original Message-----
> From: Nikita Popov [mailto:nikita....@gmail.com]
> Sent: Thursday, November 26, 2015 6:25 PM
> To: PHP internals <internals@lists.php.net>; Anatol Belski
> <anatol....@belski.net>; Remi Collet <r...@php.net>
> Subject: [PHP-DEV] HashDos protection
> 
> Hi internals!
> 
> This mail turned out to be rather long, so I'll start with a TL;DR:
> 
> To fix the HashDos vulnerability for *all* cases (rather than just GET/POST
> parsing), I propose to introduce collision counting during hashtable insertion
> operations. This will throw a fatal error if the number of collisions during an
> insertion operation exceeds a certain threshold.
> 
> Implementation: https://github.com/php/php-src/pull/1565
> 
> From my testing the change has no negative performance impact. The change is
> small and does not break ABI.
> 
> Tracking bug (with various implementations):
> https://bugs.php.net/bug.php?id=70644
> 
> What are your thoughts on this?
> 
Responding to the short version as well :)

I was checking your patch and I think it is great. Currently I see no ABI 
breach (please correct me if I err). So IMHO after sufficient discussion, 
corrections and testing, given there's still no ABI incompatibility, it should 
be backported to 7.0 as early as possible. 

Regards

Anatol





--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
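
The collision counting described in the quoted TL;DR, as an added C example that is not part of this thread and is not the code from the pull request. It assumes a toy chained table with integer keys; all names are hypothetical, `TOY_MAX_COLLISIONS` is an illustrative threshold rather than PHP's value, and an error code stands in for the fatal error.

```c
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 64            /* toy table size, power of two (assumption) */
#define TOY_MAX_COLLISIONS 8   /* illustrative threshold, not PHP's value */

typedef struct node { unsigned long key; int val; struct node *next; } node;
typedef struct { node *bucket[NBUCKETS]; } table;

enum { INS_OK = 0, INS_UPDATED = 1, INS_TOO_MANY_COLLISIONS = -1, INS_NOMEM = -2 };

/* Insert or update; counts the chain entries walked during this one insertion. */
int table_insert(table *t, unsigned long key, int val)
{
    node **slot = &t->bucket[key & (NBUCKETS - 1)];
    unsigned collisions = 0;
    for (node *n = *slot; n != NULL; n = n->next) {
        if (n->key == key) { n->val = val; return INS_UPDATED; }
        if (++collisions > TOY_MAX_COLLISIONS)
            return INS_TOO_MANY_COLLISIONS;  /* stands in for the fatal error */
    }
    node *n = malloc(sizeof *n);
    if (n == NULL) return INS_NOMEM;
    n->key = key; n->val = val; n->next = *slot;  /* prepend to the chain */
    *slot = n;
    return INS_OK;
}

/* Insert count keys start, start+step, ...; return how many were accepted. */
int fill(table *t, unsigned long start, unsigned long step, int count)
{
    int accepted = 0;
    for (int i = 0; i < count; i++)
        if (table_insert(t, start + (unsigned long)i * step, i) == INS_OK)
            accepted++;
    return accepted;
}

int main(void)
{
    static table spread, skewed;  /* constructed sample inputs */
    printf("spread keys accepted: %d\n", fill(&spread, 0, 1, 200));
    printf("same-bucket keys accepted: %d\n", fill(&skewed, 0, NBUCKETS, 200));
    return 0;
}
```

Well-distributed keys never come near the threshold, so the check costs one counter increment per chain step; a chain that keeps growing in a single bucket is cut off after a bounded amount of work per insertion.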
