Request #18675 aborting scripts when user hits "stop" in browser
Submitted: 2002-07-31 12:23 UTC Modified: 2013-07-12 12:55 UTC
Votes:5
Avg. Score:4.0 ± 1.3
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: radu dot rendec at ines dot ro Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.2.2 OS: any
Private report: No CVE-ID: None

 [2002-07-31 12:23 UTC] radu dot rendec at ines dot ro
The default behavior, as reported in the documentation, is to abort scripts with the ABORTED flag on _when the script tries to output something_. This may lead to a security issue.

Suppose that a malicious (or dummy) user of a shared web hosting system makes a dead loop in a script and no output is produced inside that loop. Moreover, the script makes some system calls inside that loop so the time limit counter is slowly incremented (or even not incremented at all). So the time limit protection won't work, and neither the ABORTED flag protection (because no output is made inside the loop).

If a remote user tries to access the broken script via the browser and hits the stop button, the script will run on the server for ever, causing serious load. If more users try to access the broken script (or the same user tries to access it more times), the server will have a huge load and will soon be unusable.

I suggest the default behavior be to abort the execution of the script as soon as the connection is aborted.

History

 [2013-07-12 12:55 UTC] maarten@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2013-07-12 12:55 UTC] maarten@php.net
This is no safeguard against buggy code.

For instance, for your example: all I have to do to keep your server busy is to keep open a few connections... B)
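
The report's two gaps (a disconnect is only noticed when the script outputs something, and the time limit does not advance during system calls) can be covered inside a script's own loop. The following is an added example, not part of the bug report or of PHP itself; `run_bounded()` and its parameters are hypothetical names, and the workload is constructed.

```php
<?php
/**
 * Run $step until it returns false, the client disconnects, or a
 * wall-clock deadline passes. Returns the reason the loop ended.
 * Hypothetical helper written for this example.
 */
function run_bounded(callable $step, float $maxSeconds, float $heartbeatEvery = 1.0): string
{
    // Keep control after a disconnect so the loop can stop and clean up itself.
    ignore_user_abort(true);

    $start = microtime(true);
    $lastBeat = $start;

    while (true) {
        $now = microtime(true);

        // On non-Windows systems max_execution_time excludes time spent in
        // system calls, sleeps and stream operations, so check real time here.
        if ($now - $start >= $maxSeconds) {
            return 'deadline';
        }

        // PHP only learns that the connection is gone when it tries to send
        // output, so write a small heartbeat and push it out of the buffers.
        if ($now - $lastBeat >= $heartbeatEvery) {
            echo ' ';
            if (ob_get_level() > 0) {
                ob_flush();
            }
            flush();
            $lastBeat = $now;
            if (connection_aborted()) {
                return 'client-aborted';
            }
        }

        if ($step() === false) {
            return 'done';
        }
    }
}

// Constructed workload: a loop body that produces no output of its own and
// spends its time in a sleep call, as in the scenario the report describes.
$reason = run_bounded(function (): bool {
    usleep(200000);
    return true;
}, 3.0, 0.5);
error_log("loop ended: $reason");
```

Detection still depends on the heartbeat reaching the socket, so buffering or compression in the web server in front of PHP can delay it; the wall-clock deadline applies regardless.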
 