Re: little request :)

From: Date: Fri, 07 Feb 2014 23:56:29 +0000
Subject: Re: little request :)
Groups: php.internals
> The Firebird developers basically say that there is no possibility of 
> exploitation on their own hash comparisons

If you wanted to pin them down, I would ask that they certify that
their MatchesMatcher::matches method doesn't short-circuit, because if
my C++ memory serves (iffy) it does. (Please note that this is not a
bug report and not a cause for alarm, simply a recommendation for
further looking.)

Also keep in mind that "their own hash comparisons" suggests areas of
their code that specially treat hash data. But when dealing with a
database, a VAR/CHAR field can be used for hash storage, and in turn
hash comparison, without the db having any idea of the purpose. 

-- S.
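
An added illustration of the short-circuit concern discussed in this message; it is not part of the original e-mail and is not Firebird's or PHP's code. All names and the stored value are constructed for the example, and candidates are assumed to have the same length as the stored value. It counts how many bytes each comparison style inspects, which is the quantity a short-circuiting comparison makes dependent on the data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample standing in for a stored hash (32 hex characters). */
static const char STORED[] = "00112233445566778899aabbccddeeff";

/* Early-exit comparison: stops at the first differing byte.
   *examined receives how many byte pairs were inspected. */
static int short_circuit_equal(const char *a, const char *b, size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) { *examined = i + 1; return 0; }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: always inspects all n bytes and folds the
   differences into one accumulator, so the work done does not depend on
   where (or whether) the inputs differ. */
static int constant_time_equal(const char *a, const char *b, size_t n, size_t *examined)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/* Bytes inspected when a same-length candidate is compared to STORED. */
size_t work_short_circuit(const char *candidate)
{
    size_t examined = 0;
    short_circuit_equal(STORED, candidate, strlen(STORED), &examined);
    return examined;
}

size_t work_constant_time(const char *candidate)
{
    size_t examined = 0;
    constant_time_equal(STORED, candidate, strlen(STORED), &examined);
    return examined;
}

int main(void)
{
    const char *c[] = { "ffffffffffffffffffffffffffffffff",   /* differs at byte 0  */
                        "0011223344556677ffffffffffffffff",   /* differs at byte 16 */
                        "00112233445566778899aabbccddeef0" }; /* differs at byte 31 */
    for (int i = 0; i < 3; i++)
        printf("%s short=%zu const=%zu\n", c[i], work_short_circuit(c[i]), work_constant_time(c[i]));
    return 0;
}
```

The same difference applies when the value sits in an ordinary VAR/CHAR column and the comparison is done by general-purpose string matching rather than by code written for hashes.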


