2016/11/03 PHPカンファレンス2016
ɹ!shin1x12016//03 PHPΧϯϑΝϨϯεਖ਼نදݱ࠶ೖ
View Slide
ৄࡉਖ਼نදݱ ਖ਼نදݱٕज़ೖ
D.BTBTIJ4IJOCBSB!TIJOY"HFOEBw1)1ͷਖ਼نදݱwϚονϯάwόοΫτϥοΫw3F%P4
1)1ͷਖ਼نදݱ
1)1ͷਖ਼نදݱD.BTBTIJ4IJOCBSB!TIJOYw1$3& QSFHܥw104*9ਖ਼نදݱ FSFHܥʢ1)1ͰඇਪɺͰഇࢭʣwَं [email protected]ܥ
ਖ਼نදݱͷओͳར༻༻్D.BTBTIJ4IJOCBSB!TIJOYwจࣈྻ͕Ϛον͢Δ͔Ͳ͏͔ͷผwจࣈྻ͔ΒϚονͨ͠ՕॴͷऔಘwจࣈྻͷϚονͨ͠ՕॴΛஔwϚονͨ͠ՕॴͰจࣈྻΛׂ
ਖ਼نදݱͷओͳར༻༻్D.BTBTIJ4IJOCBSB!TIJOYwϚον͢Δ͔Ͳ͏͔ͷผwϚονͨ͠Օॴͷऔಘ [email protected] [email protected]@BMM [email protected] wϚονͨ͠Օॴͷஔ [email protected] [email protected] wϚονͨ͠ՕॴͰจࣈྻΛׂ [email protected]
Ϛονϯά
ϚονϯάͷಛD.BTBTIJ4IJOCBSB!TIJOYwਖ਼نදݱؤுΓw࠷ॳʹϚονͨ͠ͷ͕༏ઌwඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ
ϚονϯάͷಛD.BTBTIJ4IJOCBSB!TIJOYwਖ਼نදݱؤுΓw࠷ॳʹϚονͨ͠ͷ͕༏ઌwඪ४ͷྔࢦఆࢠཉுΓʢHSFFEZʣ࠷࠷ࠨϚονϯά
ਖ਼نදݱؤுΓD.BTBTIJ4IJOCBSB!TIJOYwϚον͢Δ·ͰऔΓಘΔશͯͷύλʔϯΛࢼߦ Ϛον͢ΕऴྃwऔΓಘΔશͯͷύλʔϯ͕Ϛον͠ͳ͍ ϚονࣦഊwϚονࣦഊͷ߹ɺॲཧྔ͕େʹͳΔՄೳੑ
BaE
BaEaEΛͰϚον
BaEͱBϚον͠ͳ͍
BaEaEΛͰϚονόοΫτϥοΫ
BaEͱϚον͠ͳ͍
BaEจࣈྻΛਐΊͯ aEΛͰϚον
BaEจࣈྻΛਐΊΔͱ aE͕Ϛον͢Δͷ͕ແ͍Ϛονࣦഊ
࠷ॳʹϚονͨ͠ͷ͕༏ઌD.BTBTIJ4IJOCBSB!TIJOYwจࣈྻͰ࠷ࠨʹ͋ΔϚον͕༏ઌ ʢ࠷ॳʹϚονͨ͠Օॴʣwਖ਼نදݱʢબʣͷฒͼͰͳ͍
1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO?1FOϚον͢Δ
1FO1JOFBQQMF"QQMF1FO1FO1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO1FOจࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌʢ্ͷύλʔϯͰऴྃʣ1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO"QQMFc1FO
1FO1JOFBQQMF"QQMF1FO"QQMFc1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO"QQMFc1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FOจࣈྻͷࠨଆͰϚονͨ͠ͷ͕༏ઌ
ඪ४ͷྔࢦఆࢠཉுΓD.BTBTIJ4IJOCBSB!TIJOYwඪ४ͷྔࢦఆࢠɺ࠷ʹϚονwσϑΥϧτͰ࠷େྔࢦఆࢠͱͯ͠ಈ͘
ྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYwલͷύλʔϯͷ܁Γฦ͠Λࣔ͢wɺɺ ɺ\O N^wBͳΒʮBʯʮBBCʯʮDBBBBCʯͳͲʹϚον
1FO1JOFBQQMF"QQMF1FO1OճҎ্
1FO1JOFBQQMF"QQMF1FO1O1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO
1FO1JOFBQQMF"QQMF1FO1Oඪ४ͷྔࢦఆࢠ࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO1 O͘͠ճ1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO
1\ ^OճҎ্ճҎԼ1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO
1\ ^O1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FO1FO1JOFBQQMF"QQMF1FOճҎ্ճҎԼ
ྔࢦఆࢠͷϚονϯάύλʔϯD.BTBTIJ4IJOCBSB!TIJOYw࠷େྔࢦఆࢠʢσϑΥϧτʣw࠷খྔࢦఆࢠwઈର࠷େྔࢦఆࢠ
࠷େྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYwྔࢦఆࢠσϑΥϧτͷಈ͖w \O N^w࠷ʹϚονɺཉுΓͳϚον
࠷খྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYwྔࢦఆࢠʹ Λ͚ͯࢦఆw ɺ ɺ ɺ\O N^ w࠷খͷϚονɺ߇͑ΊͳϚον
1FO1JOFBQQMF"QQMF1FO1O࠷ͰϚον
1FO1JOFBQQMF"QQMF1FO1 O࠷ͰϚον
GPPBOECBSGPPΛϚον͍ͨ͠
࠷େྔࢦఆࢠGPPBOECBS
>Ҏ֎ͷ܁Γฦ͠GPPBOECBS
࠷খྔࢦఆࢠGPPBOECBS
࠷େྔࢦఆࢠͱ࠷খྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYw࠷େྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠w࠷খྔࢦఆࢠ࠷Ұக͔Βࢼߦ͍ͯ͘͠wϚον͠ͳ͍߹ͲͪΒಉ͡ࢼߦΛߦ͏
ઈର࠷େྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYwྔࢦఆࢠʹΛ͚ͯࢦఆwɺɺ ɺ\O N^wڧཉͳϚονɺఘΊͳ͍Ϛον
1FO1JOFBQQMF"QQMF1FO1OϚονࣦഊ
όοΫτϥοΫ
όοΫτϥοΫD.BTBTIJ4IJOCBSB!TIJOYwϚον͕ࣦഊͨ͠߹ʹ લͷਖ਼نදݱʹΓɺผͷϚονΛߦ͏wਖ਼͍͠ղΛಘΔ·ͰՄೳͳΈ߹ΘͤΛ ޮతʹࢼ͍ͯ͘͠https://ja.wikipedia.org/wiki/όοΫτϥοΩϯά
1FO1JOFBQQMF"QQMF1FO1OϚον͢Δ
1FO1JOFBQQMF"QQMF1FO1OOͱߦͳͷͰϚον͠ͳ͍
1FO1JOFBQQMF"QQMF1FO1Oจࣈͯ͘͠ϚονόοΫτϥοΫ
1FO1JOFBQQMF"QQMF1FO1OϚονޭ
1FO1JOFBQQMF"QQMF1FO1OϚον͢ΔϚονͨ͠ൣғΛΞτϛοΫʹѻ͏
1FO1JOFBQQMF"QQMF1FO1OͰϚονͨ͠Օॴͷ࠶୳ࠪߦΘͣɺਖ਼نදݱΛ1͔ΒϚον͢͠
ઈର࠷େྔࢦఆࢠD.BTBTIJ4IJOCBSB!TIJOYwҰϚονϯάͨ͠ൣғΛΞτϛοΫʹѻ͍ɺ όοΫτϥοΫͰख์͞ͳ͍wΞτϛοΫάϧʔϓͰಉ༷ͷޮՌ Ͱಉ༷ͷޮՌwόοΫτϥοΫൃੜΛ͑Δ
SFHVMBSFYQSFTTJPOTD.BTBTIJ4IJOCBSB!TIJOYhttps://regex101.com/
όοΫτϥοΫʹΑΔ%P4
http://stackstatus.net/post/147710624694/outage-postmortem-july-20-2016
w4UBDL0WFSqPXͰؒΞΫηεෆೳwจࣈྻલޙͷۭനΛআ͢Δਖ਼نදݱw?
ݕূD.BTBTIJ4IJOCBSB!TIJOY[email protected] 1)1w୯७Խͯ͠ɺaTͱaTͰݕূw/ݸͷۭന`B`ʹରͯ͠ॲཧ
/TQBDFTB 1)1 1)1 NT NT NT NT NT NT NT NT[email protected] aT
/TQBDFTB 1)1 1)1 NT NT NT NT NT NT NT aTൺ NTaTൺ[email protected] aT
ରԠࡦD.BTBTIJ4IJOCBSB!TIJOYwઈର࠷େྔࢦఆࢠͰόοΫτϥοΫΛ੍wจࣈྻΛόϦσʔγϣϯͰ੍ݶwਖ਼نදݱΛΘͳ͍ 4UBDL0WFSqPXͰͷରԠ จࣈྻؔͰஔ͑
3F%P4
3F%P4D.BTBTIJ4IJOCBSB!TIJOYwਖ਼نදݱΛѱ༻ͨ͠%P4w͔Βఏى͞Ε͍ͯͨwϚον͠ͳ͍ύλʔϯͰ߈ܸhttps://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
https://www.checkmarx.com/wp-content/uploads/2015/03/ReDoS-Attacks.pdf
&WJM3FHFY1BUUFSOTD.BTBTIJ4IJOCBSB!TIJOYw Bw
BBBBBBBBBBBBBBBBBBB9 B
TUFQT ࢀߟյ໓తͳόοΫτϥοΫ BBBBBBBBBBBBBBBBBBBB9
&WJM3FHFY1BUUFSOTD.BTBTIJ4IJOCBSB!TIJOYwΘ͔ͣจࣈͷจࣈྻͰ Έ߹Θͤരൃ͕ى͜ΔwྔࢦఆࢠͷೖΕࢠɺબͱྔࢦఆࢠͷೖΕࢠ
1)1Ͱ࣮ߦD.BTBTIJ4IJOCBSB!TIJOYpreg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX');1)1 1)1[email protected] NT NT͍ʂʂʂ
όοΫτϥοΫ੍ݶD.BTBTIJ4IJOCBSB!TIJOYwઃఆʹΑΔόοΫτϥοΫ੍ݶ [email protected]ʢσϑΥϧτ ʣw্ݶʹୡ͢ΔͱΤϥʔͰऴྃ[email protected] ͷΓ͕GBMTF ΤϥʔΛࣔ͢[email protected]@FSSPS ͰΤϥʔίʔυऔಘ
1)1Ͱ࣮ߦD.BTBTIJ4IJOCBSB!TIJOYpreg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX', $m); $error = preg_last_error(); if ($error === PREG_BACKTRACK_LIMIT_ERROR) { echo 'backtrack limit error', PHP_EOL; } else if ($error > 0) { echo 'other error', PHP_EOL; }$ php redos.phpbacktrack limit error
1)1Ͱ࣮ߦʢ੍ݶ֎͠ʣD.BTBTIJ4IJOCBSB!TIJOYini_set('pcre.backtrack_limit', 10000000000);preg_match('/(a+)+$/', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaX');1)1 1)1[email protected] NT NT͕͔͔࣌ؒΔ
$47ͷύʔεD.BTBTIJ4IJOCBSB!TIJOYwਖ਼نදݱͰ࣮w1P$ͳ$47Λύʔε͢Δͱ 4FHNFOUBUJPO'BVMUʢ1)1ʣwHPPECZDTWͰॻ͖ͯ͠ରԠ
·ͱΊ
·ͱΊD.BTBTIJ4IJOCBSB!TIJOYwϚονϯάͷྲྀΕwύϑΥʔϚϯεͷӨڹwਖ਼نදݱΛ͋͑ͯΘͳ͍બࢶ
ࢀߟD.BTBTIJ4IJOCBSB!TIJOYw4UBDL&YDIBOHF͕߈ܸ͞Εͨ3F%P4ͷޮՌcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUTUBDLFYDIBOHFSFEPTBUUBDLw3F%P4ͷճආcZPIHBLJTCMPH IUUQTCMPHPIHBLJOFUBWPJEJOHSFEPT
D.BTBTIJ4IJOCBSB!TIJOY!TIJOY!TIJOYD.BTBTIJ4IJOCBSB!TIJOY
shin1x1
dosukoi_android
oliver_diary
microcms
mthiroshi00excite
tonkotsuboy_com
yamatcha
yamish123
johanjanssens
tomotaka_yamasaki
haman29
masayaaoyama
sasakendayo
keathley
holman
thoeni
swwweet
schacon
tanoku
jakevdp
robhawkes
chriscoyier
addyosmani
marcelosomers
denniskardys