ID:               45822
 Comment by:       krimpet at toolserver dot org
 Reported By:      matt at neimeyer dot org
 Status:           Verified
 Bug Type:         Date/time related
 Operating System: *
 PHP Version:      5.2CVS, 5.3CVS, 6CVS (2008-08-14)
 New Comment:

I can confirm this bug, and it's not limited to Windows platforms. 'php
-r "strtotime('+1000000000000 days');"' crashes my Linux laptop, for
example.

This bug is particularly dire where user input is fed directly to
strtotime(), as it poses a DoS risk - for example, we use strtotime() in
MediaWiki to format times specified by the user. (See
<https://bugzilla.wikimedia.org/show_bug.cgi?id=14898>.)


Previous Comments:
------------------------------------------------------------------------

[2008-08-14 17:50:50] [EMAIL PROTECTED]

It hangs in this loop:

#1  0x00000000004a7f5b in do_normalize (time=0x7bf1ed0) at /home/jani/php-5.3CVS/ext/date/lib/tm2unixtime.c:166
166             do {} while (do_range_limit_days(&time->y, &time->m, &time->d));

------------------------------------------------------------------------

[2008-08-14 17:41:19] amelek32 at gmail dot com

<?
echo strtotime('-24 0720080000Thu');

This is enough to trigger this bug. It doesn't really crash, it rather
goes into an endless loop.

Tested on Apache + PHP 5.2.6 on Windows XP x64

------------------------------------------------------------------------

[2008-08-14 16:04:22] matt at neimeyer dot org

Description:
------------
Using a stock installation of PHP 5.2.6 (or 5.2.5 or 5.2.3) as an ISAPI
module on Windows 2003 Standard Edition x32 (fully updated using Windows
Update), if you pass a "wacky" value to strtotime the w3wp.exe (IIS
Worker Pool) spikes to 99% and crashes the web server.

We accidentally used date("-24 hours") instead of strtotime("-24
hours") and then passed that (via some intermediary function calls) to
strtotime.

It does not crash on Win2003 SE x64 (or any other operating system that
we run this application on).

I am aware of other w3wp.exe bugs being reported but those do not seem
to match this specific cause. Similarly, strtotime bugs don't seem to
match.

Reproduce code:
---------------
echo strtotime(date("-24 hours"));

Expected result:
----------------
Return false or -1

(with the caveat that I know it's "bad code" on my part)

Actual result:
--------------
w3wp.exe crashes as soon as the page starts to load.

Watching in task manager on the web server, you can see w3wp.exe spike
to 99% then stay there. If you kill the task the web server behaves
oddly, generating "Service Unavailable" results to the end browser until
the "World Wide Web Publishing Service" is restarted.


------------------------------------------------------------------------
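
For callers that pass user-supplied strings to strtotime(), as in the MediaWiki case mentioned in the newest comment, one way to keep the two strings quoted in this thread away from the parser is a pre-filter like the following. This is an added example, not code from the bug report or from PHP itself, and it is a caller-side guard, not a fix for the loop in do_normalize. The helper name guarded_strtotime and both limits are assumptions.

```php
<?php
// Added example: pre-filter for untrusted input passed to strtotime().
// Both limits below are assumptions; tune them for the application.
define('MAX_DATE_INPUT_LEN', 64);  // assumed cap on overall input length
define('MAX_DIGIT_RUN', 8);        // assumed cap; still allows 20080814

/**
 * Hypothetical helper: returns a Unix timestamp, or false if the input is
 * rejected by the filter or strtotime() cannot parse it.
 */
function guarded_strtotime($input)
{
    if (!is_string($input) || $input === '' || strlen($input) > MAX_DATE_INPUT_LEN) {
        return false;
    }
    // Allow only characters that ordinary date/time expressions use.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9 :.,\/+\-]+$/D', $input)) {
        return false;
    }
    // Reject oversized numbers such as "+1000000000000 days" or the
    // 10-digit run in "-24 0720080000Thu" before the parser sees them.
    if (preg_match('/\d{' . (MAX_DIGIT_RUN + 1) . ',}/', $input)) {
        return false;
    }
    // strtotime() itself returns false when it cannot parse the string.
    return strtotime($input);
}

// Constructed sample inputs: two ordinary values and the two strings
// quoted in the comments above.
$samples = array(
    '-24 hours',
    '2008-08-14 17:50:50',
    '+1000000000000 days',
    '-24 0720080000Thu',
);
foreach ($samples as $s) {
    $r = guarded_strtotime($s);
    echo str_pad($s, 22), ' => ', ($r === false ? 'rejected' : $r), "\n";
}
```

The code avoids type declarations and short array syntax so that it also runs on the PHP 5.2 and 5.3 branches named in the report.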

