Re: [PHP] bug in SLEEP() function...

2002-05-20 Thread Rasmus Lerdorf

This is well-documented.  Right out of the set_time_limit() docs:

 Note:  The set_time_limit() function and the configuration directive
 max_execution_time only affect the execution time of the script itself.
 Any time spent on activity that happens outside the execution of the
 script such as system calls using system(), the sleep() function,
 database queries, etc. is not included when determining the maximum time
 that the script has been running.

Like anything else, you need to check user input.  There are all sorts of
malicious things that can happen if you use user-data incorrectly.

-Rasmus

On Sat, 18 May 2002, Jason Caldwell wrote:

 Dunno if this has been mentioned or fixed in the latest release (I'm using
 PHP version 4.1.1) -- but, a script will not timeout until the sleep()
 function has finished its duration -- for example:

 In my script, if I set set_time_limit(30) -- then later in the script I
 call a sleep(45) -- the script will not timeout until 45 seconds later,
 from the point at which the sleep() function was called.

 Now, being a conscious programmer -- I'd probably never set my sleep()
 function to exceed my default or defined timeout setting.  However, the
 sleep value can be set via a $var -- and depending on what functions are
 performed -- I can see how, when a programmer wants his script to timeout
 within a certain amount of time and then it doesn't; can cause a problem --
 in fact, I can foresee some sort of sleep-attack whereby a malicious hacker
 figures out that a particular script on a particular website has a dynamic
 $var for the sleep() function -- then s/he writes a script which calls the
 page many times --- injecting the $var (say for example:
 http://www.whateverweb.goo/home.php?t=65536, where $t is the time $var in
 the script; sleep($t);

 Effectively; in this case, the scripts won't timeout for 18 some hours.
 Filling up memory fast.

 Just FYI.
 Jason




 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php







[PHP] bug in SLEEP() function...

2002-05-18 Thread Jason Caldwell

Dunno if this has been mentioned or fixed in the latest release (I'm using
PHP version 4.1.1) -- but, a script will not timeout until the sleep()
function has finished its duration -- for example:

In my script, if I set set_time_limit(30) -- then later in the script I
call a sleep(45) -- the script will not timeout until 45 seconds later,
from the point at which the sleep() function was called.

Now, being a conscious programmer -- I'd probably never set my sleep()
function to exceed my default or defined timeout setting.  However, the
sleep value can be set via a $var -- and depending on what functions are
performed -- I can see how, when a programmer wants his script to timeout
within a certain amount of time and then it doesn't; can cause a problem --
in fact, I can foresee some sort of sleep-attack whereby a malicious hacker
figures out that a particular script on a particular website has a dynamic
$var for the sleep() function -- then s/he writes a script which calls the
page many times --- injecting the $var (say for example:
http://www.whateverweb.goo/home.php?t=65536, where $t is the time $var in
the script; sleep($t);

Effectively; in this case, the scripts won't timeout for 18 some hours.
Filling up memory fast.

Just FYI.
Jason
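
Added example, not code from either post: the sleep($t) pattern described in the thread beside a bounded version that checks the user-supplied value and tracks wall-clock time itself, since max_execution_time does not count time spent in sleep(). MAX_DELAY, REQUEST_BUDGET, parse_delay() and bounded_sleep() are hypothetical names with assumed limits, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: all names and limits below are illustrative assumptions.

const MAX_DELAY = 5;        // longest pause a client may request, in seconds
const REQUEST_BUDGET = 30;  // wall-clock budget for the whole request, in seconds

// Pattern from the thread: the delay comes straight from the query string,
// and max_execution_time does not count the time spent inside sleep().
//   sleep($_GET['t']);

/** Return a validated delay in seconds, or null if the input is not acceptable. */
function parse_delay($raw): ?int
{
    // Rejects non-integers, negatives, arrays (t[]=1) and anything above MAX_DELAY.
    $t = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_DELAY]]);
    return $t === false ? null : $t;
}

/**
 * Sleep for at most $seconds, but never past the request's wall-clock deadline.
 * Returns the number of seconds actually passed to sleep().
 */
function bounded_sleep(int $seconds, float $startedAt, int $budget = REQUEST_BUDGET): int
{
    // Measure elapsed wall-clock time ourselves; PHP's own timer ignores sleep().
    $remaining = (int) floor($budget - (microtime(true) - $startedAt));
    $allowed = max(0, min($seconds, $remaining));
    if ($allowed > 0) {
        sleep($allowed);
    }
    return $allowed;
}

$startedAt = microtime(true);
$delay = parse_delay($_GET['t'] ?? '0');
if ($delay === null) {
    http_response_code(400);   // refuse instead of silently clamping
    exit("invalid delay\n");
}
bounded_sleep($delay, $startedAt);
echo "done\n";
```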



