Last week, when Dmitry suddenly launched the 5.4 release, a new configuration entry was introduced:
Added max_input_vars directive to prevent attacks based on hash collisions
The attack this prevents is "implementing a denial-of-service vulnerability in various languages by triggering hash conflicts" (denial of service via hash algorithm collision).
The principle of the attack is very simple. Many languages use hash tables to store key-value data, including the POST data commonly submitted by users. An attacker can construct a request whose POST body carries a large number of special keys (tailored to each language's hash algorithm), so that the hash table the language uses underneath to hold the POST data degrades into a linked list because of "conflicts" (collisions).
In this way, if the amount of data is large enough, computing, looking up and inserting entries consumes a large amount of CPU, which results in a denial of service.
PHP 5.4 tries to avoid being affected by such attacks by adding a limit:
- max_input_vars - specifies how many GET/POST/COOKIE input variables may be accepted. Default value 1000
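To make the degradation and the effect of the limit concrete, here is an added example (not from the original post and not PHP's code): a toy chained hash table in C that counts key comparisons for well-spread keys, for keys that all collide, and for colliding keys with a cap playing the role of max_input_vars. The table size, the `key % NBUCKETS` hash and the name `insert_cost` are assumptions made for the demo.

```c
/* Added example: toy chained hash table, not PHP's implementation. */
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 65536u   /* assumed fixed table size for the demo */

struct node { unsigned key; struct node *next; };

/* Toy hash (assumption): bucket = key mod table size, so keys that are
 * multiples of NBUCKETS all land in the same bucket. */
static unsigned bucket_of(unsigned key) { return key % NBUCKETS; }

/* Insert up to n keys spaced `stride` apart, accepting at most max_vars
 * of them (the role max_input_vars plays for request variables).
 * Returns the number of key comparisons the inserts performed. */
unsigned long insert_cost(unsigned n, unsigned stride, unsigned max_vars)
{
    struct node **table = calloc(NBUCKETS, sizeof *table);
    unsigned long compares = 0;
    if (!table) return 0;
    for (unsigned i = 0; i < n && i < max_vars; i++) {
        unsigned key = i * stride;
        struct node **pp = &table[bucket_of(key)];
        /* An insert-or-update must walk the chain looking for the key. */
        while (*pp) {
            compares++;
            if ((*pp)->key == key) break;
            pp = &(*pp)->next;
        }
        if (!*pp) {                       /* not found: append a new node */
            struct node *nd = malloc(sizeof *nd);
            if (!nd) break;
            nd->key = key; nd->next = NULL; *pp = nd;
        }
    }
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct node *p = table[b], *nx; p; p = nx) { nx = p->next; free(p); }
    free(table);
    return compares;
}

int main(void)
{
    unsigned n = 10000;   /* constructed workload size */
    printf("spread keys, no cap:      %lu\n", insert_cost(n, 1, n));
    printf("colliding keys, no cap:   %lu\n", insert_cost(n, NBUCKETS, n));
    printf("colliding keys, cap 1000: %lu\n", insert_cost(n, NBUCKETS, 1000));
    return 0;
}
```

With every key in one bucket the work grows as n(n-1)/2, so capping the number of accepted variables bounds the worst case rather than removing the collisions themselves.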
If you are on 5.2 and exposed to such attacks, you can apply the following patch. For PHP 5.3, you can consider upgrading to 5.3.9, which already includes this patch (5.3.9 is currently at RC status, so if you do not want to upgrade, you can also use this patch as a reference and write one for 5.3 yourself):
Preventive measures
1. cd into the PHP src and run: patch -p1 < php-5.2.*-max-input-vars.patch
2. The latest PHP 5.3.9-RC4 has fixed this issue, so for 5.3 you can upgrade to 5.3.9RC4
Of course, if you don't want to upgrade to an RC version, you can simply tweak this patch into one suitable for 5.3.
You can download the package from https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars