|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #58934 Sandboxes should inherit parent's INI settings.
Submitted: 2009-11-05 03:07 UTC Modified: 2021-05-10 15:08 UTC
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: darrin dot nix at gmail dot com Assigned: cmb (profile)
Status: Closed Package: runkit (PECL)
PHP Version: All OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
38 - 15 = ?
Subscribe to this entry?

 [2009-11-05 03:07 UTC] darrin dot nix at gmail dot com
It is easy for a malicious user to put the sandbox into an 
infinite loop that will consume all system resources.  

Typically, max_execution_time and set_time_limit can keep 
these loops from taking down the server.  However, runkit 
ignores these settings.

Reproduce code:

// Infinite loop.  Run at your own risk

for($x=0; $x>0; $x++){
    $$x = rand() * rand();


Expected result:
Die with error after 5 seconds: time limit exceeded.

Actual result:
Continuous execution that consumes max resources.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-02-23 14:09 UTC]
There's no use of runkit in your repro code, so I'm going to assume from your 
description that you intended to imply something like:


$php = new Runkit_Sandbox();
$php->eval("for($x=0; $x>0; $x++){
    $$x = rand() * rand();

In which case the behavior is as-expected since the time limit was set in the 
parent context and the parent context isn't the one which is executing.  I 
realize this is a little non-intuitive, so I'll consider adding a loop to 
inherit all current INI settings from the parent's context.
 [2013-02-23 14:10 UTC]
-Summary: Ignores timeout settings +Summary: Sandboxes should inherit parent's INI settings. -Type: Bug +Type: Feature/Change Request -Operating System: Windows +Operating System: All -PHP Version: 5.3.0 +PHP Version: All -Assigned To: +Assigned To: pollita
 [2017-10-24 06:23 UTC]
-Status: Assigned +Status: Open -Assigned To: pollita +Assigned To:
 [2021-05-10 15:08 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-05-10 15:08 UTC]
I'm closing this ticket, since the proper place to report runkit
related issues is <>.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Dec 02 21:01:27 2023 UTC