Hi,

On Fri, Sep 23, 2016 at 8:16 PM, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> Hi!
>
> > We could patch zend_hash.c in two ways: SipHash (sloooow) or only fatals
> > (very bad for e.g. servers written in PHP. When they have to decode some
>
> Why very bad?
>
> > JSON, it's trivial for an attacker to crash them very easily). As that's
>
> Fatal error is not crash. It's a normal ending of the request, if the
> server can not tolerate it, how can it deal with memory limits, string
> overflows, etc.? There's a lot of things right now that can cause fatal
> error.
>
>
That's exactly what we don't want - let the attacker end our request.
All other things like string overflows and memory limits are under our
control (e.g. we can set limit on the server and reject such requests) but
this isn't.

Cheers

Jakub
