ID: 49286 User updated by: jost_boekemeier at users dot sf dot net Reported By: jost_boekemeier at users dot sf dot net -Status: Feedback +Status: Open Bug Type: Filesystem function related Operating System: * PHP Version: 5.2.5 New Comment:
I cannot provide one. This bug has been reported by someone else. I have only looked at the PHP code, noticed a bug in the php://input function and reported it along with a patch to fix it. You can see the bug by looking at the source code: If you post 10 bytes, the post handler will consume these bytes and set the global "read_post_bytes" to 10. On shutdown some sapi (cgi, fastcgi) try to consume the difference between read_post_bytes and CONTENT_LENGTH . As. Php://input consumes bytes from an internal buffer but incorrectly increments read_post_bytes in any case, pushing it over the CONTENT_LENGTH limit. sapi shutdown tries to read (unsigned)10-20 = 2^32-10 bytes. This results in an unnecessary read() kernel call. This causes a short delay but it is not fatal unless someone uses a persistent connection and cannot signal an explicit EOF. Any SAPI which requires that PHP reads no more content than CONTENT_LENGTH will crash or hang when php://input is used. Others are slow, but they will not crash. Previous Comments: ------------------------------------------------------------------------ [2009-08-19 11:44:53] [email protected] First of all: Not all people follow all the mailing lists in the world. You need to provide a test case before we start applying any patches. So far you haven't shown any bug here. ------------------------------------------------------------------------ [2009-08-19 06:39:49] jost_boekemeier at users dot sf dot net diff -u /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c\~ /home/jost/php- 5.2.5/ext/standard/php_fopen_wrapper.c --- /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c~ 2007-10-04 15:31:11.000000000 +0200 +++ /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c 2009-08-19 08:26:01.000000000 +0200 @@ -78,7 +78,7 @@ if(!stream->eof) { if(SG(request_info).raw_post_data) { /* data has already been read by a post handler */ - read_bytes = SG(request_info).raw_post_data_length - *position; + size_t read_bytes = SG(request_info).raw_post_data_length - *position; if(read_bytes <= count) { stream->eof = 1; } else { @@ -86,7 +86,9 @@ } if(read_bytes) { memcpy(buf, SG(request_info).raw_post_data + *position, read_bytes); + *position += read_bytes; } + return read_bytes; } else if(sapi_module.read_post) { read_bytes = sapi_module.read_post(buf, count TSRMLS_CC); if(read_bytes <= 0){ Diff finished. Wed Aug 19 08:26:08 2009 ------------------------------------------------------------------------ [2009-08-18 15:27:39] jost_boekemeier at users dot sf dot net Hi, I have pasted a conversion from the php java bridge mailing list. Please re-read the ticket, the problematic line and a possible fix is there. > simple fopen("php://input","r"); certainly does NOT crash in PHP_5_2 o Hrm. Please read the ticket again. A function which doesn't read anything but which increments the global read counter so that the cgi sapi shutdown calculates false read values certainly contains a bug. ------------------------------------------------------------------------ [2009-08-18 15:10:47] [email protected] Who are you talking to? Where's the reproduce code that crashes? (fyi: simple fopen("php://input","r"); certainly does NOT crash in PHP_5_2 or PHP_5_3 or HEAD right now. ------------------------------------------------------------------------ [2009-08-18 12:03:18] jost_boekemeier at users dot sf dot net Description: ------------ You are right, when calling fopen("php://input", "r") PHP version 5 may crash or hang. Please do not use it until this PHP5 bug is fixed. I have looked at php 5.2.5. In php_fopen_wrapper.c line 81 it reads the raw_post_data and then increments the SG(read_post_bytes) even though it hasn't read anything. The result is that SG(read_post_bytes) is twice the CONTENT_LENGTH size, causing all sorts of strage side effects later on. Reproduce code: --------------- Current code from http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/php_fopen_wrapper.c?revision=276986&view=markup if(SG(request_info).raw_post_data) { /* data has already been read by a post handler */ read_bytes = SG(request_info).raw_post_data_length - *position; ... SG(read_post_bytes) += read_bytes; Suggested fix; make read_bytes a local var: size_t read_bytes = SG(request_info).raw_post_data_length - *position; ^^^^^^^ Expected result: ---------------- SG(read_post_bytes) == CONTENT_LENGTH Actual result: -------------- SG(read_post_bytes) 2 times CONTENT_LENGTH ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=49286&edit=1
