Bug #28568 known_post_content_types is not thread safe
Submitted: 2004-05-29 15:07 UTC
Modified: 2005-02-21 16:17 UTC
Votes: 3
Avg. Score: 5.0 ± 0.0
Reproduced: 3 of 3 (100.0%)
Same Version: 3 (100.0%)
Same OS: 3 (100.0%)
From: novicky at aarongroup dot cz
Assigned: moriyoshi
Status: Closed
Package: Reproducible crash
PHP Version: 4.3.7RC1
OS: win32
Private report: No
CVE-ID: None
 [2004-05-29 15:07 UTC] novicky at aarongroup dot cz
Description:
------------
The variable known_post_content_types used in SAPI.c is declared as static, which is not thread safe and can lead to a crash under multithreaded web servers like IIS.

Here is a patch for SAPI.h and SAPI.c

--- php-4.3.7RC1.orig/main/SAPI.h	2003-04-09 22:27:55.000000000 +0200
+++ php-4.3.7RC1/main/SAPI.h	2004-05-26 10:08:34.000000000 +0200
@@ -120,6 +120,7 @@
 	long post_max_size;
 	int options;
 	zend_bool sapi_started;
+	HashTable known_post_content_types;
 } sapi_globals_struct;



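Review bot: the new known_post_content_types member of sapi_globals_struct has no comment, and appending it changes the size of a struct that this header exposes to everything built against SAPI.h. Please document the field (what it holds, and that it is now per thread under ZTS) and state in the patch description that code compiled against the old header has to be rebuilt.
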
--- php-4.3.7RC1.orig/main/SAPI.c	2004-03-27 02:45:44.000000000 +0100
+++ php-4.3.7RC1/main/SAPI.c	2004-05-29 14:34:47.000000000 +0200
@@ -48,7 +48,6 @@
 
 #include "php_content_types.h"
 
-static HashTable known_post_content_types;
 
 #ifdef ZTS
 SAPI_API int sapi_globals_id;
@@ -59,6 +58,11 @@
 static void sapi_globals_ctor(sapi_globals_struct *sapi_globals TSRMLS_DC)
 {
 	memset(sapi_globals, 0, sizeof(*sapi_globals));
+	zend_hash_init_ex(&SG(known_post_content_types), 5, NULL, NULL, 1, 0);
+}
+
+static void sapi_globals_dtor(sapi_globals_struct *sapi_globals TSRMLS_DC) {
+	zend_hash_destroy(&SG(known_post_content_types));
 }
 
 /* True globals (no need for thread safety) */
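Review bot: sapi_globals_ctor and sapi_globals_dtor receive the instance to work on as the sapi_globals parameter, and the memset uses it, but the added zend_hash_init_ex and zend_hash_destroy calls go through SG() instead. SG() resolves through the calling thread's context, which is not necessarily the instance being constructed or destroyed; use &sapi_globals->known_post_content_types in both functions. Style: the dtor puts its opening brace on the signature line while the ctor above puts it on its own line.
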
@@ -68,10 +72,9 @@
 SAPI_API void sapi_startup(sapi_module_struct *sf)
 {
 	sapi_module = *sf;
-	zend_hash_init_ex(&known_post_content_types, 5, NULL, NULL, 1, 0);
 
 #ifdef ZTS
-	ts_allocate_id(&sapi_globals_id, sizeof(sapi_globals_struct), (ts_allocate_ctor) sapi_globals_ctor, NULL);
+	ts_allocate_id(&sapi_globals_id, sizeof(sapi_globals_struct), (ts_allocate_ctor) sapi_globals_ctor, (ts_allocate_dtor)sapi_globals_dtor);
 #else
 	sapi_globals_ctor(&sapi_globals TSRMLS_CC);
 #endif
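Review bot: only the ZTS branch gets sapi_globals_dtor, through the ts_allocate_id call; the #else branch calls sapi_globals_ctor directly and nothing in the patch calls the dtor for it. Since the patch also removes zend_hash_destroy(&known_post_content_types) from the shutdown path, a non-ZTS build would never destroy the table; add a matching sapi_globals_dtor(&sapi_globals TSRMLS_CC) for the non-ZTS case at shutdown. Style: put a space after the cast in (ts_allocate_dtor)sapi_globals_dtor to match the ctor argument.
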
@@ -98,7 +101,6 @@
 	tsrm_win32_shutdown();
 #endif
 
-	zend_hash_destroy(&known_post_content_types);
 }
 
 
@@ -151,7 +153,7 @@
 	}
 
 	/* now try to find an appropriate POST content handler */
-	if (zend_hash_find(&known_post_content_types, content_type, content_type_length+1, (void **) &post_entry)==SUCCESS) {
+	if (zend_hash_find(&SG(known_post_content_types), content_type, content_type_length+1, (void **) &post_entry)==SUCCESS) {
 		/* found one, register it for use */
 		SG(request_info).post_entry = post_entry;
 		post_reader_func = post_entry->post_reader;
@@ -795,12 +797,14 @@
 
 SAPI_API int sapi_register_post_entry(sapi_post_entry *post_entry)
 {
-	return zend_hash_add(&known_post_content_types, post_entry->content_type, post_entry->content_type_len+1, (void *) post_entry, sizeof(sapi_post_entry), NULL);
+	TSRMLS_FETCH();
+	return zend_hash_add(&SG(known_post_content_types), post_entry->content_type, post_entry->content_type_len+1, (void *) post_entry, sizeof(sapi_post_entry), NULL);
 }
 
 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry)
 {
-	zend_hash_del(&known_post_content_types, post_entry->content_type, post_entry->content_type_len+1);
+	TSRMLS_FETCH();
+	zend_hash_del(&SG(known_post_content_types), post_entry->content_type, post_entry->content_type_len+1);
 }
 

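Review bot: with TSRMLS_FETCH() and SG(), sapi_register_post_entry and sapi_unregister_post_entry now modify only the calling thread's table, while sapi_globals_ctor gives every other thread its own empty one. A handler registered once from one thread would then not be found by the zend_hash_find lookup in requests served on other threads; either populate each thread's table when it is constructed or keep a single table and serialise access to it. The changed semantics also deserve a comment on both functions.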



 [2004-05-30 19:47 UTC] iliaa@php.net
It is safe because it does not actually change. 
 [2004-05-31 07:57 UTC] novicky at aarongroup dot cz
It does change, at least in the MBSTRING module, where post handlers are being registered.
We have debugged a crash of PHP as an IIS ISAPI module, and there was a problem with different threads manipulating the same memory of known_post_content_types.
 [2004-05-31 12:21 UTC] derick@php.net
We cannot add new globals in PHP 4 due to BC issues, but this can be fixed for PHP 5. Assigning to the maintainer.
 [2004-07-12 18:56 UTC] moriyoshi@php.net
Verified. This needs to be fixed.
 [2005-02-21 16:17 UTC] moriyoshi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

The fix will be in the upcoming release of PHP5.1.0
 