There is a problem with PHP in the way it currently handles opening of 
connections to remote servers via php_streams. The problem can cause a PHP
script to sit virtually forever inside a select() waiting for a response 
from a remote server. This in turn causes a webserver child to become 
effectively dead and, if it happens enough times, causes a denial of service.
This is a particularly dangerous bug, since PHP scripts that open remote 
files/resources are very common and those scripts can allow an attacker to 
launch a trivially easy denial of service attack that would result in all of 
the web server's threads/forks sitting on selects waiting on data from an 
external source.

The solution to the problem is the one-line patch below, which sets the socket 
timeout from unlimited to 10 seconds, thus preventing the problem I've 
described above from happening.

main/network.c
511c511
<       sock->timeout.tv_sec = -1;
---
>       sock->timeout.tv_sec = 10;
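
Review bot: The bare 10 on line 511 of main/network.c becomes the default for every socket that passes through this initialisation, with no name or comment explaining the choice and nothing in the hunk that lets a caller or administrator pick a different value. Suggest a named constant or a configurable default instead of the literal, plus a comment noting that -1 meant no timeout. Only tv_sec is changed here, so please confirm tv_usec is initialised next to it so the effective timeout is exactly 10 seconds.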

Ilia

P.S.
If some of you do not feel comfortable with setting a static value for a 
timeout, we can introduce a php.ini option allowing the admin to set a 
different timeout value for sockets.
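
The difference between an unlimited and a bounded wait in select(), as an added example that is not part of the original message and is not PHP's code. The helper names `wait_readable` and `demo` are hypothetical, and treating a negative timeout as "unlimited" (a NULL timeval) is an assumption modelled on the -1 in the patch.

```c
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical helper: wait until fd is readable.
 * timeout_sec < 0 means "unlimited" (assumption mirroring the -1 in the
 * patch): select() gets a NULL timeout and blocks until the peer sends data.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
static int wait_readable(int fd, long timeout_sec)
{
    fd_set rfds;
    struct timeval tv, *ptv = NULL;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    if (timeout_sec >= 0) {
        tv.tv_sec = timeout_sec;
        tv.tv_usec = 0;
        ptv = &tv;
    }
    int n = select(fd + 1, &rfds, NULL, NULL, ptv);
    return n < 0 ? -1 : (n > 0 ? 1 : 0);
}

/* Constructed scenario: a connected socket pair standing in for a remote
 * server that either stays silent or sends one byte. */
static int demo(int peer_sends, long timeout_sec)
{
    int sv[2], rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (peer_sends && write(sv[1], "x", 1) != 1) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    rc = wait_readable(sv[0], timeout_sec);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("silent peer, 1s timeout: %d\n", demo(0, 1));
    printf("peer sent data, 1s timeout: %d\n", demo(1, 1));
    /* demo(0, -1) would never return: the worker stays parked in select(). */
    return 0;
}
```

With a bounded timeout the caller gets a 0 back and can fail the request, which frees the worker for the next client.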
