php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64014 10 second delay in returning file_get_contents('php://input')
Submitted: 2013-01-17 23:29 UTC Modified: 2013-01-24 13:03 UTC
From: dagan at digitalconversations dot tv Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5.3.21 OS: ubuntu 12+
Private report: No CVE-ID: None
 [2013-01-17 23:29 UTC] dagan at digitalconversations dot tv
Description:
------------
If an invalid Content-Length header is sent with a request, attempting to read the 
request body via file_get_contents('php://input') results in a delay of 10 seconds  
while, I assume, a timeout is waited on.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-24 13:03 UTC] krakjoe@php.net
This is not a bug in PHP, it's a bug in the client that sent the incorrect 
Content-Length header.
 [2013-01-24 13:03 UTC] krakjoe@php.net
-Status: Open +Status: Not a bug
 [2015-09-02 19:48 UTC] mike dot sherov at gmail dot com
> This is not a bug in PHP, it's a bug in the client that sent the incorrect 
Content-Length header.

I would imagine this to be a security vulnerability akin to a slowloris attack. The "client" sending the incorrect header can be malicious.

How do we address this bug? 

See here for more info / PoC code http://stackoverflow.com/questions/14295901/php-file-get-contentsphp-input-very-slow
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 12:01:29 2024 UTC