PHP :: Request #18675 :: aborting scripts when user hits "stop" in browser

aborting scripts when user hits "stop" in browser

Submitted:

2002-07-31 12:23 UTC

Modified:

2013-07-12 12:55 UTC

Votes:	5
Avg. Score:	4.0 ± 1.3
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	2 (100.0%)

From:

radu dot rendec at ines dot ro

Assigned:

Status:

Wont fix

Package:

*General Issues

PHP Version:

4.2.2

OS:

any

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	radu dot rendec at ines dot ro
New email:
PHP Version:		OS:

New Comment:

[2002-07-31 12:23 UTC] radu dot rendec at ines dot ro

The default behavior, as reported in the documentation, is to abort scripts with the ABORTED flag on _when the script tries to output something_. This may lead to a security issue.

Suppose that a malicious (or dummy) user of a shared web hosting system makes a dead loop in a script and no output is produced inside that loop. Moreover, the script makes some system calls inside that loop so the time limit counter is slowly incremented (or even not incremented at all). So the time limit protection won't work, and neither the ABORTED flag protection (because no output is made inside the loop).

If a remote user tries to access the broken script via the browser and hits the stop button, the script will run on the server for ever, causing serious load. If more users try to access the broken script (or the same user tries to access it more times), the server will have a huge load and will soon be unusable.

I suggest the default behavior be to abort the execution of the script as soon as the connection is aborted.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-07-12 12:55 UTC] maarten@php.net

-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues

[2013-07-12 12:55 UTC] maarten@php.net

This is no safeguard against buggy code.

For instance, for your example: all I have to do to keep your server bussy is to keep open a few connections... B)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 15:01:28 2024 UTC