php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16064 array_merge_recursive() can be used for DoS
Submitted: 2002-03-14 09:15 UTC Modified: 2002-09-10 13:36 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ahristov at icygen dot com Assigned: andrei
Status: Closed Package: Arrays related
PHP Version: 4.0CVS-2002-03-1 OS: RH 7.1
Private report: No CVE-ID:
 [2002-03-14 09:15 UTC] ahristov at icygen dot com
<?php
array_merge_recursively($GLOBALS,$GLOBALS) 
?>
On the test server all consoles hanged. 100%.CPU load. 98%
system - kswapd started to swap as a beast.

No problems with this.

<?php
$a=array(1);
$a[0]=&$a[0];
array_merge_recursive($a,$a);
var_dump($a);
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-14 09:23 UTC] sander@php.net
I'm sure you can come up with a load of nasty things you can do with $GLOBALS, but what do you want us to do about it? Disable $GLOBALS for use with array_* functions (it that's even possible)? Disable $GLOBALS at all?
 [2002-03-14 09:30 UTC] ahristov at icygen dot com
I have talked to Zeev about this issues. Asked them may I have to fill bug report and he said:
"They should either use hash_apply(), which automatically protects against 
recursion, or implement the recursion protection themselves (like print_r() 
does).  You can/should open bug reports about them..."
In the start Zeev talks about some functions that have problems with $GLOBALS and arrays that holds elements pointing ot itself.
 [2002-03-14 09:31 UTC] ahristov at icygen dot com
streplace('them','him',$previous_vote);
 [2002-03-14 09:33 UTC] sander@php.net
OK. status -> open
 [2002-05-16 16:24 UTC] tomat at lenderlabdot dot com
Your second example isn't like the first.  $a[0] is a reference to itself.  The first bonks because $GLOBALS['GLOBALS'] is a reference to $GLOBALS.  An equivalent is:

<?php
$a=array(1,2,3);
$a[3]=&$a;
array_merge_recursive($a,$a);
var_dump($a);
?>

which will produce the same results.  I'm submitting a feature request for array_recurse_safe($array) which returns an array with no infinite loops.
 [2002-05-16 18:11 UTC] tomat at lenderlabdot dot com
Oops, forgot to include the link:

http://bugs.php.net/bug.php?id=17279
 [2002-09-10 13:36 UTC] andrei@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC