Request #22481 disable_classes
Submitted: 2003-02-28 12:15 UTC Modified: 2003-03-03 20:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: stefano dot cecconi at staff dot aruba dot it Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.2.3 OS: windows 2000
Private report: No CVE-ID: None
 [2003-02-28 12:15 UTC] stefano dot cecconi at staff dot aruba dot it
Setting com.allow_dcom = false doesn't disable com calls.

$dbc = new COM("ADODB.Connection"); 

It works if either allow_dcom is on or off

Maybe there is another way to disable com calls?

Stefano

 [2003-03-01 10:13 UTC] phanto@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

guess why it's called 'dcom' :)

there's no way to disable com beside compiling php without the com extension, but there's also no reason to do so because you can always handle this via acls.
 [2003-03-02 01:45 UTC] stefano dot cecconi at staff dot aruba dot it
The problem is simple: there are a lot of COM calls that are able to hang inetinfo and even the entire server.

That's why I'm looking for a way to disable COM calls.

I'm using the php.exe version instead of the isapi one.

This is example code that is able to kill inetinfo:

<?php
$message = new COM('CDO.Message');
$message->To = 'test';
$message->From = 'me@me.com';
$message->Subject = 'test';
$message->HTMLBody = '<html><body>test</body></html>';
$message->AddAttachment('test');
$message->Send();
?>

It's very difficult to disable COM using OS permissions without disabling it for other languages too. I need to disable COM calls for PHP only, because this support is very dangerous for server stability. On a web hosting server there will always be someone using wrong or dangerous code.

I think it's better to add the choice in the php.ini instead of asking people to recompile php.exe without COM support.
 [2003-03-02 16:31 UTC] phanto@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

simply deny your IUSR_ access to your components, i don't see this as an issue. there are easier ways to bring down a server than that.
 [2003-03-02 16:40 UTC] phanto@php.net
was: disabling com calls

after a short discussion on irc we came to the conclusion that adding a disable_functions-like disable_classes ini entry would probably be the best solution for everyone.

bringing this to php-dev
 [2003-03-02 19:57 UTC] stefano dot cecconi at staff dot aruba dot it
I'm very happy to hear something like that :)

>deny your IUSR_ access to your components,
>i don't see this as an issue.

We host about 160.000 web sites, we have hundreds of servers: I simply can't disable IUSR_ access to COM or other functions without disabling them for other languages too or without creating a lot of unforeseeable issues.

I'm happy to see that you consider needs of web hosters too.

By the way, I'd like to advise you to look for the cause of the "unable to read memory" given by php.exe using this kind of COM calls. You can use my example code to reproduce the php.exe error and crash. I'm not asking you to investigate the consequent inetinfo.exe crash, just the php.exe one.

Thank you.
 [2003-03-02 19:59 UTC] gschlossnagle@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

This has been fixed in CVS with the addition of the 
disable_functions ini parameter.
 [2003-03-03 20:39 UTC] sniper@php.net
I guess phanto@php.net meant 'disable_classes' option was added..
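
Added example, not part of the original report or of PHP: a small Python audit that a hosting operator could run over collected php.ini files to tell servers where `disable_classes` actually blocks the `COM` class from servers that only set `com.allow_dcom` off, which is the situation the reporter started from. The function names, host names and ini contents are assumptions constructed for illustration.

```python
# Added example: audits php.ini text for whether scripts can still run `new COM(...)`.
# Host names and ini contents below are constructed sample data.
OFF_VALUES = {"0", "off", "false", "no", "none"}


def parse_ini(text):
    """Return the last value given for each directive (php.ini uses ';' comments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_com(ini_text, target="COM"):
    """Classify one php.ini: 'blocked', 'exposed', or 'exposed-dcom-only'."""
    ini = parse_ini(ini_text)
    # PHP class names are case-insensitive, so compare in lower case.
    disabled = {c.strip().lower() for c in ini.get("disable_classes", "").split(",")}
    if target.lower() in disabled:
        return "blocked"
    # com.allow_dcom only controls remote (DCOM) instantiation; turning it off
    # leaves local COM objects available, which is the situation in the report.
    if ini.get("com.allow_dcom", "").lower() in OFF_VALUES:
        return "exposed-dcom-only"
    return "exposed"


SAMPLE_FLEET = {
    "web01": "[PHP]\ncom.allow_dcom = false ; believed to disable COM\n",
    "web02": "[PHP]\ndisable_functions = exec,system\ndisable_classes = com\n",
    "web03": "[PHP]\ndisable_classes = \"Directory, COM\"\ncom.allow_dcom = true\n",
    "web04": "[PHP]\n;disable_classes = COM\n",
}


def audit_fleet(fleet):
    """Map each host name to its audit verdict."""
    return {host: audit_com(text) for host, text in fleet.items()}


if __name__ == "__main__":
    for host, verdict in audit_fleet(SAMPLE_FLEET).items():
        print(f"{host}: {verdict}")
```

A commented-out `disable_classes` line (web04) counts as not set, so that host is reported as exposed.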
