php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40079 php_get_current_user() not thread safe
Submitted: 2007-01-09 17:58 UTC Modified: 2007-01-09 23:27 UTC
From: wharmby at uk dot ibm dot com Assigned: iliaa (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2007-01-09 (snap) OS: Linux RHEL4
Private report: No CVE-ID: None
 [2007-01-09 17:58 UTC] wharmby at uk dot ibm dot com
Description:
------------
The current implementation of php_get_current_user() uses 
the non-reentrant getpwuid() rather than the reentrant 
getpwuid_r(). Therefore issuing on Linux in a ZTS enabled 
build could lead to unpredictable/undesirable results. the code should use the re-entrant version if it is available.

The following patch which were built against the latest 
snapshot (Jan 9 2007, 1330 GMT)  modifies the code in 
main/safe_mode.c to use the re-entrant getpwuid_r if its 
available:

    http://pastebin.ca/311144

Following makes necessary associated change to configure.in:

    http://pastebin.ca/311140

Fix tested on Linux RHEL with mysql extension enabled and 
sql.safe_mode=On in php.ini. The modified code can then easily be invoked by issuing mysql_connect().



Reproduce code:
---------------
Problem found by code inspection. As with most thread safety
issues difficult to produce a simple testcase which will show a reproducible crash but current Linux executable is clearly not reentrant.

Expected result:
----------------
N/A

Actual result:
--------------
N/A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-09 23:27 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC