From:             bugs-php at misc dot lka dot org dot lu
Operating system: Linux
PHP version:      5.2.3
PHP Bug Type:     PHP options/info functions
Bug description:  Provide option to limit number of logfile entries per script invocation

Description:
------------
Right now, an untrusted user can write a PHP script that seriously impacts
a server by filling up its log file.

Even the ignore_repeated_errors setting doesn't help here, if the script
alternates between two messages.

We had this happen here accidentally, using a construct such as follows:
$fp=fopen($website,"r");
while (!feof($fp))
        {
        ....
        }

where the test whether $fp was a valid file handle was forgotten...

And log_errors_max_len didn't help either; apparently this covers the
length of an individual log entry, rather than multiple log entries issued
by the same script invocation.

In order to solve this issue, would it be possible to have one of the
following solutions:
 1. A max_log_lines quota which would just stop logging if reached.
 2. A max_log_lines_kill quota, which would kill the script if reached.
 3. Some mandatory wait after each log line, to slow down the filling up
    of the log.

Reproduce code:
---------------
<?php
$website="http://www.ruthe.de/strip/strip.pl";
$fp=fopen($website,"r");
//      or die ("Cannot open url");
$bild="null";
while (!feof($fp))
        {
        $a = ereg("img/strip_[0-9]+.jpg",fgets($fp,1024),$bild);
        }
$url="http://www.ruthe.de/strip/".$bild[0];
//print "ruthe.de=$url";
fclose($fp);
?>


Expected result:
----------------
Script fails, but machine stays up

Actual result:
--------------
Apache error_log file fills up /var partition until machine crashes and
burns...

-- 
Edit bug report at http://bugs.php.net/?id=41809&edit=1
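
The following is an added example, not part of the original report and not PHP's own code: a userland sketch of the requested max_log_lines / max_log_lines_kill behaviour built on set_error_handler(), followed by the guarded form of the loop from the reproduce script. The function install_log_quota(), its parameters, the limit of 20 and the sample path are assumptions made for illustration.

```php
<?php
// Added example: install_log_quota() is a hypothetical helper, not a PHP setting.
// It caps the number of error-log entries one script invocation can produce.
function install_log_quota($maxLines, $killOnLimit = false)
{
    $count = 0;
    set_error_handler(function ($errno, $errstr, $errfile, $errline)
            use (&$count, $maxLines, $killOnLimit) {
        // Respect error_reporting and the @ operator.
        if (!(error_reporting() & $errno)) {
            return true;
        }
        $count++;
        if ($count <= $maxLines) {
            error_log(sprintf('PHP [%d] %s in %s on line %d',
                $errno, $errstr, $errfile, $errline));
        } elseif ($count === $maxLines + 1) {
            // One final marker so the truncation is visible in the log.
            error_log(sprintf('log quota of %d lines reached in %s; %s',
                $maxLines, $errfile,
                $killOnLimit ? 'terminating script' : 'suppressing further entries'));
            if ($killOnLimit) {
                exit(1);
            }
        }
        // Returning true keeps PHP's built-in handler from logging the entry again.
        return true;
    });
}

install_log_quota(20, true);

// Guarded form of the loop from the report: check the handle before feof().
$fp = @fopen('/nonexistent/constructed-example-path', 'r'); // constructed sample input
if ($fp === false) {
    trigger_error('Cannot open source', E_USER_WARNING);
} else {
    while (!feof($fp)) {
        fgets($fp, 1024);
    }
    fclose($fp);
}
```

A script can remove this handler again with restore_error_handler(), so it protects against accidental loops in cooperating code only; containing an untrusted user's script needs a limit enforced outside the script, which is what the report asks for.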