php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #41809 Provide option to limit number of logfile entries per script invocation
Submitted: 2007-06-26 09:25 UTC Modified: 2007-06-27 11:37 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bugs-php at misc dot lka dot org dot lu Assigned:
Status: Open Package: Feature/Change Request
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bugs-php at misc dot lka dot org dot lu
New email:
PHP Version: OS:

 

 [2007-06-26 09:25 UTC] bugs-php at misc dot lka dot org dot lu
Description:
------------
Right now, an untrusted user can write a PHP script that seriously impacts a server by filling up its log file.

Even the ignore_repeated_errors settings doesn't help here, if the script alternates between two messges.

We had this happen here accidentally, using a construct such as follows:
$fp=fopen($website,"r");
while (!feof($fp))
        {
        ....
        }

where the test whether $fp was a valid file handle was forgotten...

And log_errors_max_len didn't help either; apparently this covers the length of an individual log entry, rather than multiple log entries  issued by the same script invocation.

In order to solve this issue, would it be possible to have one of the following solutions:
 1. A max_log_lines quota which would just stop logging if reached.
 2. A max_log_lines_kill quota, which would kill the script if reached
 3. Some mandatory wait after each log line, to slow down the filling up of the log

Reproduce code:
---------------
<?php
$website="http://www.ruthe.de/strip/strip.pl";
$fp=fopen($website,"r");
//      or die ("Cannot open url");
$bild="null";
while (!feof($fp))
        {
        $a = ereg("img/strip_[0-9]+.jpg",fgets($fp,1024),$bild);
        }
$url="http://www.ruthe.de/strip/".$bild[0];
//print "ruthe.de=$url";
fclose($fp);
?>


Expected result:
----------------
Script fails, but machine stays up

Actual result:
--------------
Apache error_log file fills up /var partition until machine crashes and burns...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-26 12:59 UTC] sniper@php.net
Something like "quota" you should be doing on the filesystem level.
Especially if you're running some hosting company or such.
 [2007-06-26 13:13 UTC] bugs-php at misc dot lka dot org dot lu
In practice, how would one implement this?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 08:01:28 2024 UTC