PHP :: Bug #16064 :: array_merge_recursive() can be used for DoS

Bug #16064

array_merge_recursive() can be used for DoS

Submitted:

2002-03-14 09:15 UTC

Modified:

2002-09-10 13:36 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

ahristov at icygen dot com

Assigned:

andrei (profile)

Status:

Closed

Package:

Arrays related

PHP Version:

4.0CVS-2002-03-1

OS:

RH 7.1

Private report:

CVE-ID:

None

View Developer Edit

[2002-03-14 09:15 UTC] ahristov at icygen dot com

<?php
array_merge_recursively($GLOBALS,$GLOBALS) 
?>
On the test server all consoles hanged. 100%.CPU load. 98%
system - kswapd started to swap as a beast.

No problems with this.

<?php
$a=array(1);
$a[0]=&$a[0];
array_merge_recursive($a,$a);
var_dump($a);
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-03-14 09:23 UTC] sander@php.net

I'm sure you can come up with a load of nasty things you can do with $GLOBALS, but what do you want us to do about it? Disable $GLOBALS for use with array_* functions (it that's even possible)? Disable $GLOBALS at all?

[2002-03-14 09:30 UTC] ahristov at icygen dot com

I have talked to Zeev about this issues. Asked them may I have to fill bug report and he said:
"They should either use hash_apply(), which automatically protects against 
recursion, or implement the recursion protection themselves (like print_r() 
does).  You can/should open bug reports about them..."
In the start Zeev talks about some functions that have problems with $GLOBALS and arrays that holds elements pointing ot itself.

[2002-03-14 09:31 UTC] ahristov at icygen dot com

streplace('them','him',$previous_vote);

[2002-03-14 09:33 UTC] sander@php.net

OK. status -> open

[2002-05-16 16:24 UTC] tomat at lenderlabdot dot com

Your second example isn't like the first.  $a[0] is a reference to itself.  The first bonks because $GLOBALS['GLOBALS'] is a reference to $GLOBALS.  An equivalent is:

<?php
$a=array(1,2,3);
$a[3]=&$a;
array_merge_recursive($a,$a);
var_dump($a);
?>

which will produce the same results.  I'm submitting a feature request for array_recurse_safe($array) which returns an array with no infinite loops.

[2002-05-16 18:11 UTC] tomat at lenderlabdot dot com

Oops, forgot to include the link:

http://bugs.php.net/bug.php?id=17279

[2002-09-10 13:36 UTC] andrei@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 17:01:28 2025 UTC