ID: 15230 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: Documentation problem Operating System: Linux / Windows PHP Version: 4.1.1 New Comment:
Windows binary 4.2.1 still don't have --enable-memory-limit. In config fils and in docs with distributed files there's no mention about disabling those limits. This could obviously lead to DoS on servers using binary from PHP.NET. This is a security issue and should have highest priority. Sample: <?for($i=1; $i>0; $i=1) $a.=$a."a";?> After consuming huge amount of memory and killing apache in error.log we can see: FATAL: erealloc(): Unable to allocate 268435456 bytes Main apache process survives in my case. Michal 'Cyb.org' Pena Previous Comments: ------------------------------------------------------------------------ [2002-01-26 01:08:47] [EMAIL PROTECTED] You know, I did think to try phpinfo(), as I remember my Linux version used to show the compile settings. But Windows php.exe doesn't show the compile-time options in phpinfo(). It used to be at the top of phpinfo()... where is it now? By the way, I'm running IIS / CGI mode. A side issue - why is memory_limit disabled for Windows? Scott. ------------------------------------------------------------------------ [2002-01-26 00:11:43] [EMAIL PROTECTED] Very odd...galeon seems to have gotten the form fields confused and changed the summary and poster. Just replacing them now... Torben ------------------------------------------------------------------------ [2002-01-26 00:07:56] [EMAIL PROTECTED] Dunno whether it was, or if so, why, but even better than us including the compile options would be if you just checked the output of phpinfo(). That'll will tell you the same thing, and you can be sure it's accurate for what you have running when you try it. :) Torben ------------------------------------------------------------------------ [2002-01-25 23:59:39] [EMAIL PROTECTED] The Windows binary for 4.1.1 appears to have --enable-memory-limit disabled, but I can't find it mentioned anywhere in the docs. The only documentation that comes packaged with PHP is the readme.txt, and it isn't in there. It isn't in the online manual, either. It would be good to add the compile options for PHP into the readme.txt file for later releases under windows. One bug report for an earlier PHP version suggested to run ./configure to find out what compile options were set. This obviously doesn't work for the distributed binary... While we are on the subject, I don't suppose you can shed light on why it isn't enabled? Scott. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=15230&edit=1 -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
