Request #18675 aborting scripts when user hits "stop" in browser
Submitted: 2002-07-31 12:23 UTC Modified: 2013-07-12 12:55 UTC
Votes:5
Avg. Score:4.0 ± 1.3
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: radu dot rendec at ines dot ro Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.2.2 OS: any
Private report: No CVE-ID: None
 [2002-07-31 12:23 UTC] radu dot rendec at ines dot ro
The default behavior, as reported in the documentation, is to abort scripts with the ABORTED flag on _when the script tries to output something_. This may lead to a security issue.

Suppose that a malicious (or dummy) user of a shared web hosting system makes a dead loop in a script and no output is produced inside that loop. Moreover, the script makes some system calls inside that loop so the time limit counter is slowly incremented (or even not incremented at all). So the time limit protection won't work, and neither will the ABORTED flag protection (because no output is made inside the loop).

If a remote user tries to access the broken script via the browser and hits the stop button, the script will run on the server forever, causing serious load. If more users try to access the broken script (or the same user tries to access it more times), the server will have a huge load and will soon be unusable.

I suggest the default behavior be to abort the execution of the script as soon as the connection is aborted.

History

 [2013-07-12 12:55 UTC] maarten@php.net
-Status: Open
+Status: Wont fix
-Package: Feature/Change Request
+Package: *General Issues
 [2013-07-12 12:55 UTC] maarten@php.net
This is no safeguard against buggy code.

For instance, for your example: all I have to do to keep your server busy is to keep open a few connections... B)
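
The thread above concerns a loop that produces no output and spends its time in system calls, so neither the time limit nor abort detection stops it. The following PHP code is an added example, not part of the report or of PHP itself, showing how a script can bound such a loop on its own; `run_bounded()`, its parameters and the workload are hypothetical and constructed for illustration.

```php
<?php
// Added example: stop a long loop on a wall-clock deadline or when the client is gone.
// run_bounded(), $step, $maxSeconds and $heartbeatEvery are hypothetical names.

function run_bounded(callable $step, float $maxSeconds, int $heartbeatEvery = 100): string
{
    // Let the script decide when to stop, so cleanup can run before it exits.
    ignore_user_abort(true);

    // Wall-clock deadline: unlike max_execution_time on Unix, this also counts
    // time spent inside system calls, sleep(), and stream or database waits.
    $deadline = microtime(true) + $maxSeconds;

    for ($i = 1; ; $i++) {
        if ($step($i) === false) {
            return 'done';
        }
        if (microtime(true) >= $deadline) {
            return 'deadline';
        }
        if ($i % $heartbeatEvery === 0) {
            // PHP only learns about a closed connection when it tries to send
            // data, so emit a heartbeat byte and flush it to the client.
            echo ' ';
            if (ob_get_level() > 0) {
                ob_flush();
            }
            flush();
            if (connection_aborted()) {
                return 'client-aborted';
            }
        }
    }
}

// Constructed workload: each step blocks in a system call and prints nothing.
$result = run_bounded(
    function (int $i): bool {
        usleep(50000);      // 50 ms of waiting per iteration
        return $i < 1000;   // about 50 s in total if left unbounded
    },
    2.0,                    // stop after 2 s of wall-clock time
    10                      // heartbeat every 10 iterations (about 0.5 s)
);
error_log("loop ended: $result");
```

The deadline is what bounds the loop when a client simply keeps the connection open, which is the case the reply above raises; the heartbeat only helps when the client has disconnected, and web server or compression buffering can delay that detection.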
 