Jason Greene wrote:
>
>> while(1) fopen(rand(), "w");
>>
>> After a few seconds depending on system speed system will run out of file
>> pointers. I am sure you can see how that would be BAD.
>
> You are _extremely_ incorrect. The previously mentioned code would open
> 1 file descriptor repeatedly until the script hit max execution time.
>
> This occurs because the garbage collector closes the unused file
> descriptor with every iteration.
>
> You could gain the desired effect of abusing file descriptors by using
> the following code:
>
> while (1) $vars[]=fopen(rand(), "w");
>
> However, quite frankly, this is a lame attack, because all it will do is
> consume file descriptors for only the CHILD process the script is
> running in. The script will then hit the fd limit of the child process
> (on most systems around 255 is the default). This will not hurt the process,
> because all needed file descriptors were opened before the script was
> executed. The beauty of this is that the kernel will then reject all
> future calls beyond the limit, which halts i/o usage, and causes the
> process to consume more user time, which causes the process to hit max
> execution limit.
That is, of course, on a forked web server like apache 1.x, but consider what
would happen on a threaded web server like IIS, or even a hybrid like apache 2.x?
You'd be out of FDs quite fast. On such a web server this attack becomes quite
deadly; consider:

while ( fopen(rand(), "w") );
while(1) sleep(10);

and now this process just ate up your entire allowed FDs, and is going to go to
sleep. So, it will not time out by cpu time.

> The argument you make to remove safe mode because it is not perfect is
> unfounded. By the same argument you could say we shouldn't use locks on
> our doors, because hey "they can be picked".

No, the argument that is being made is a bit different; it's more akin to
giving a loaded gun to a 3 year old and expecting him not to shoot himself or
someone else.

> -Jason
>
>> Ilia

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
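An added example, not code from this thread, that lets an administrator verify the two claims made above on a Linux host and see the per-process fd limit a PHP child actually runs under. It assumes /proc/self/fd is available and ext/posix is loaded, and it keeps the loops bounded to 16 handles.

```php
<?php
// Added example (not from the thread). Verifies on Linux that a handle with
// no remaining reference is closed immediately (refcount drops to zero),
// while handles kept in an array stay open until the array is released.
// Assumptions: /proc/self/fd exists and ext/posix is loaded.

function open_fds(): int {
    // Each entry in /proc/self/fd is one descriptor open in this process.
    return count(scandir('/proc/self/fd')) - 2; // drop "." and ".."
}

// Per-process RLIMIT_NOFILE; this is the ceiling the thread talks about.
$rl    = posix_getrlimit();
$limit = $rl ? $rl['soft openfiles'] : 'unknown';
$base  = open_fds();

// Case 1: the handle is a temporary, so its refcount hits zero at once and
// the engine closes the descriptor before the next iteration.
for ($i = 0; $i < 16; $i++) {
    fopen('/dev/null', 'w');
}
$unreferencedOpen = open_fds() - $base;   // expected 0

// Case 2: the handles are stored, so each keeps a refcount of at least 1.
$held = [];
for ($i = 0; $i < 16; $i++) {
    $held[] = fopen('/dev/null', 'w');
}
$heldOpen = open_fds() - $base;           // expected 16

// Releasing the array lets the engine close them again.
unset($held);
$afterRelease = open_fds() - $base;       // expected 0

printf("soft fd limit for this process: %s\n", $limit);
printf("unreferenced handles still open: %d\n", $unreferencedOpen);
printf("held handles open: %d\n", $heldOpen);
printf("after releasing the array: %d\n", $afterRelease);
```

Run it under the same user and limits as the web server's PHP child (for example via the CGI/CLI binary with `ulimit -n` set as in production) to see the real ceiling rather than your interactive shell's.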