ID: 27004
User updated by: kmb at deam dot org
Reported By: kmb at deam dot org
Status: Bogus
Bug Type: Apache related
Operating System: Debian-Linux (Woody), MacOS X.3
PHP Version: Irrelevant
New Comment:
ok, there are more things like file() for this and i of course wrote
something without a new aspect, but i find this problematic:
"Basically, we need to trust that users aren't going to DOS
themselves."
its not about DOSing themselves. think of a shared server and the
impact for all on the server if one is going to go crazy.
i think you are doing a good job in securing basic strctures with php.
like having specific timeouts, safe_mode and other tings.
maybe its possible to go with that a bit further.
Previous Comments:
------------------------------------------------------------------------
[2004-01-22 10:24:30] [EMAIL PROTECTED]
There are lots of ways that you can DOS yourself, and
using file() recursively in a script on itself is one of
them. It can't really be fixed, though, much like going
through an infinitely recursive function call or infintely
forking until memory is exhausted. There are several other
bug reports dealing with this sort of thing that explain
things further. (Search for 'recursive', for instance.)
Basically, we need to trust that users aren't going to DOS
themselves.
J
------------------------------------------------------------------------
[2004-01-22 06:07:02] kmb at deam dot org
Description:
------------
Calling somith within a PHP-Script recursively can result into one of
these results:
1. general PHP-error and stop
2. max_execution_time and stop
3. max_input_time and stop
4. memory_limit and stop
If you use the file()-function to call yourself, one of the upper
limits will occure, but it won't stop with that.
You can overload the Apache with a lot of reqeusts so that there will
be no more response. Your initial request will timeout, but the Apache
won't come back if you do not restart it.
The trouble is, that there is currently no way to suppress this
behaviour or at least leave some resources open....
Reproduce code:
---------------
$in = file("http://local.dom/myself.php";, "r");
Expected result:
----------------
some sort of "filter" to slow down the request of resource-usage.
Actual result:
--------------
It uses up all Apache-processes up to MaxClient-Limit and ends in a
total DOS of the Apache.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=27004&edit=1
