ID: 29652 Comment by: rvs at angara dot ru Reported By: yannick at agl dot fr Status: Open Bug Type: OCI8 related Operating System: Linux Redhat 7.3 PHP Version: 4.3.7 New Comment:
I have the same error on php4.3.8/ora9.2.0.1.0/Solaris 9/sparc. Some details: the .msb file descriptors grow in the following cases: A. using ocinlogon() B. using ocilogon() and working as a Apache module C. using oci*logon() with invalid credentials. The following code of case "C" may exhaust filedescriptor limit very easily and quickly. for ($i=0; $i < 200; $i++) @ocilogon($i, $i, $db); After extensive researching I've found that: 1. the .msb file openings occur when OCIEnvNlsCreate() is called. 2. in ext/oci8.c,v 1.183.2.12 line 2257, function _oci_open_session() the OCIEnvNlsCreate() invoked when session is not persistent, not cached, or is exclusive. 3. if the session setup is unsuccessful, the environment handle is not freed. 4. the environment handle is freed only when PHP shuts down, see line 613. The result will be filedescriptor and memory leakage in all cases A,B,C mentioned above. This could lead to security/DOS problem for websites which use ocilogon()/ocinlogon() or passthrough Oracle authentication in their php scripts. Recommendations, workaround: 1. in module mode, avoid using ocilogon(), use ociplogon() instead. 2. avoid using Oracle pass-through authentication (i.e. when username and password for ociplogon() is given from the website user). 3. fixing oci8.c code to free env handle at least after unsuccessful logon is necessary. With regards, Sergei V. Rozinov Leading RISC-Systems engineer JSC Sibron, RUSSIA Previous Comments: ------------------------------------------------------------------------ [2004-08-23 16:19:59] yannick at agl dot fr oci library: 9.2.0.3 ------------------------------------------------------------------------ [2004-08-23 16:08:47] esartoni at omniaglobal dot net Hey Yannick, could you please tell us what version of oci libraries are you using? With php 4.3.8 using oci 8.1.7.0.0 i have no problem at all. ------------------------------------------------------------------------ [2004-08-20 14:43:46] yannick at agl dot fr i tried with 4.3.8 without HAVE_OCI_9_2 there is no problem. if i defined HAVE_OCI_9_2 the issue occurs. ------------------------------------------------------------------------ [2004-08-20 10:26:00] yannick at agl dot fr tested with php 4.2.3 and php 5.0.1, there is no problem ------------------------------------------------------------------------ [2004-08-20 09:13:04] esartoni at omniaglobal dot net tony, i've already tested it with php 4.3.8 (cannot try with php 5) and with Solaris SunOS always gives the same problem. I'll try with the latest snapshot but always in the 4.x tree. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/29652 -- Edit this bug report at http://bugs.php.net/?id=29652&edit=1