|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16064 array_merge_recursive() can be used for DoS
Submitted: 2002-03-14 09:15 UTC Modified: 2002-09-10 13:36 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ahristov at icygen dot com Assigned: andrei
Status: Closed Package: Arrays related
PHP Version: 4.0CVS-2002-03-1 OS: RH 7.1
Private report: No CVE-ID:
 [2002-03-14 09:15 UTC] ahristov at icygen dot com
On the test server all consoles hanged. 100%.CPU load. 98%
system - kswapd started to swap as a beast.

No problems with this.



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-14 09:23 UTC]
I'm sure you can come up with a load of nasty things you can do with $GLOBALS, but what do you want us to do about it? Disable $GLOBALS for use with array_* functions (it that's even possible)? Disable $GLOBALS at all?
 [2002-03-14 09:30 UTC] ahristov at icygen dot com
I have talked to Zeev about this issues. Asked them may I have to fill bug report and he said:
"They should either use hash_apply(), which automatically protects against 
recursion, or implement the recursion protection themselves (like print_r() 
does).  You can/should open bug reports about them..."
In the start Zeev talks about some functions that have problems with $GLOBALS and arrays that holds elements pointing ot itself.
 [2002-03-14 09:31 UTC] ahristov at icygen dot com
 [2002-03-14 09:33 UTC]
OK. status -> open
 [2002-05-16 16:24 UTC] tomat at lenderlabdot dot com
Your second example isn't like the first.  $a[0] is a reference to itself.  The first bonks because $GLOBALS['GLOBALS'] is a reference to $GLOBALS.  An equivalent is:


which will produce the same results.  I'm submitting a feature request for array_recurse_safe($array) which returns an array with no infinite loops.
 [2002-05-16 18:11 UTC] tomat at lenderlabdot dot com
Oops, forgot to include the link:
 [2002-09-10 13:36 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Thu Nov 26 17:01:32 2015 UTC