Request #18675 aborting scripts when user hits "stop" in browser
Submitted: 2002-07-31 12:23 UTC Modified: 2013-07-12 12:55 UTC
Votes:5
Avg. Score:4.0 ± 1.3
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: radu dot rendec at ines dot ro Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.2.2 OS: any
Private report: No CVE-ID: None

 [2002-07-31 12:23 UTC] radu dot rendec at ines dot ro
The default behavior, as reported in the documentation, is to abort scripts with the ABORTED flag on _when the script tries to output something_. This may lead to a security issue.

Suppose that a malicious (or dummy) user of a shared web hosting system makes a dead loop in a script and no output is produced inside that loop. Moreover, the script makes some system calls inside that loop so the time limit counter is slowly incremented (or even not incremented at all). So the time limit protection won't work, and neither will the ABORTED flag protection (because no output is made inside the loop).

If a remote user tries to access the broken script via the browser and hits the stop button, the script will run on the server forever, causing serious load. If more users try to access the broken script (or the same user tries to access it more times), the server will have a huge load and will soon be unusable.

I suggest the default behavior be to abort the execution of the script as soon as the connection is aborted.

History

 [2013-07-12 12:55 UTC] maarten@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2013-07-12 12:55 UTC] maarten@php.net
This is no safeguard against buggy code.

For instance, for your example: all I have to do to keep your server busy is to keep open a few connections... B)
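
An added example, not part of the report or of PHP's own code: since PHP only notices a dropped connection when it tries to send output, a script author can bound the output-free loop described in this thread with a periodic one-byte heartbeat plus a wall-clock deadline, which also covers a client that simply holds the connection open. `do_unit_of_work()`, the two constants and the log message are hypothetical names and values chosen for the illustration.

```php
<?php
declare(strict_types=1);

const WALL_CLOCK_LIMIT = 30.0;  // assumed budget, in seconds of real time
const HEARTBEAT_EVERY  = 2.0;   // assumed interval between disconnect probes

// Hypothetical stand-in for the output-free work in the report's loop: a
// blocking call that, per the report, barely advances the time limit counter.
function do_unit_of_work(): bool
{
    usleep(200000);
    return false;               // false = not finished yet
}

// A closed connection is only detected on an attempt to send data, so write
// one whitespace byte and flush it before asking. Assumes the response body
// tolerates extra whitespace (e.g. HTML or plain text).
function client_gone(): bool
{
    echo ' ';
    flush();
    return connection_aborted() === 1;
}

ignore_user_abort(true);        // keep control so the loop exits on our terms
while (ob_get_level() > 0 && @ob_end_flush()) {
    // drop removable output buffers so the heartbeat byte reaches the socket
}

$start     = microtime(true);
$lastProbe = $start;
$reason    = 'finished';

while (!do_unit_of_work()) {
    $now = microtime(true);
    if ($now - $start >= WALL_CLOCK_LIMIT) {
        $reason = 'wall-clock deadline';   // bounds a held-open connection too
        break;
    }
    if ($now - $lastProbe >= HEARTBEAT_EVERY) {
        $lastProbe = $now;
        if (client_gone()) {
            $reason = 'client disconnected';
            break;
        }
    }
}

error_log(sprintf('worker stopped: %s after %.1fs', $reason, microtime(true) - $start));
```

A web server, proxy or compression layer that buffers the response can delay the heartbeat and therefore the detection; the wall-clock deadline still applies in that case.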
 