Tim, I'm no core PHP developer (just a user) but I'm pretty convinced that there's nothing that can be done to solve this from PHP. PHP just passes bytes to the zlib functions (which are implemented by the zlib guys). If one of these functions causes a segfault, there's really nothing you can do. Zlib just shouldn't segfault, but return a nice clean error. That's where the problem is. Once zlib segfaults, PHP segfaults (it's all the same process). I don't think there's any way to manage this behavior from PHP.
Ron "Tim Nufire" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > This is starting to sound like the dispute in the initial bug > report..... Regardless of the root cause, this is a serious bug in PHP > which exposes any script using gzinflate to denial of service attacks. > While I'm sure extending zlib provides the most elegant fix to this > problem, it should be possible to protect PHP scripts from crashes > without such extensions. At the very least, the documentation should > include a warning about this vulnerability..... I agree that a bug > should be filed against zlib as well but don't understand why there is > so much resistance to tracking this in the PHP bug database. I am not > the right person to file the zlib bug since I don't know enough about > what is needed there but I can open a new bug in the PHP db if reopening > 30153 is not the right answer. > > Tim > > George Schlossnagle wrote: > > > > > On Oct 4, 2005, at 11:50 AM, Tim Nufire wrote: > > > >> Ramus, > >> > >> Thanks for the response. Unfortunately, I don't have any great ideas > >> on how to patch this and for now have just stopped using gzinflate > >> :-/ Is there a way to reopen bug 30153? That description of this > >> issue is pretty good and, even if the bug is hard to fix, it should > >> still be tracked somewhere.... > > > > > > You should file a bug against zlib, as it is the library that needs > > to export these sorts of validation methods. If/when zlib supports > > this sort of feature, PHP will support it. > > > > George > > > > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
