> I don't imagine how one really could calculate maximum depth without
> solving the halting problem, so I must be missing something. I ask
> somebody who knows what these patches are to send me a link - if there
> were patches that do that automatically for any code I would very much
> like to see them.
> Adding the arbitrary - even configurable - limit doesn't seem to me the
> correct solution, since it has high potential to break application code

Maybe I was a bit unspecific. If I recall correctly Nuno had some patch (or was it someone else) that was keeping track of depth and maximum stack size and was deciding on the fly if another step deeper could crash. Of course you need some sane detection. Other languages like Python or Perl (I actually don't remember which one of the two is protected) have a stack depth protection, and live happily with it.

And the arbitrary limit argument. Well, if you write portable PHP code you have an arbitrary limit anyway. IIRC on some Solaris Sparc systems the crash limit was at 800.

> understand, Hardened PHP patch has this protection disabled by default.

Hardened-PHP is no more. As a thank-you for my security work I was forbidden to carry the PHP tag in the name. But this is history and now Suhosin exists. And the only reason it is deactivated by default is that without knowing the system and code it is hard to detect a sane limit. I personally believe that 256 is enough for everyone. And even if you require a deeper limit, Suhosin has a nice simulation mode that will not block deeper recursion, so that you can run the simulation mode on your development server for weeks and see if you ever violate the 256 depth.

Stefan Esser
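
The following is an added example, not part of the original message and not code from PHP, Suhosin or the patch mentioned above. It shows one way a recursion guard can track both nesting depth and stack consumption, with a simulation mode that counts violations without blocking; every identifier in it is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical guard state; all names here are illustrative. */
struct guard {
    unsigned  depth, peak_depth; /* current and deepest level entered */
    unsigned  max_depth;         /* configured limit, e.g. 256 */
    size_t    stack_budget;      /* bytes of stack the recursion may use */
    uintptr_t stack_base;        /* address captured at the outermost call */
    int       simulate;          /* 1 = count violations but do not block */
    unsigned  violations;        /* times a limit was exceeded */
};

/* Stack consumed since stack_base; works for either growth direction. */
static size_t stack_used(const struct guard *g) {
    volatile char probe = 0;
    uintptr_t here = (uintptr_t)&probe;
    return here > g->stack_base ? here - g->stack_base : g->stack_base - here;
}

/* Returns 1 if one more level may be entered, 0 if it is blocked. */
static int guard_enter(struct guard *g) {
    if (g->depth >= g->max_depth || stack_used(g) > g->stack_budget) {
        g->violations++;
        if (!g->simulate) return 0;   /* enforcing mode: refuse the call */
    }
    if (++g->depth > g->peak_depth)
        g->peak_depth = g->depth;
    return 1;
}

/* Constructed workload: recurse `want` levels unless the guard refuses. */
static void recurse(struct guard *g, unsigned want) {
    volatile char frame[128];         /* stands in for a real call frame */
    frame[0] = (char)want;
    if (want == 0 || !guard_enter(g))
        return;
    recurse(g, want - 1);
    g->depth--;                       /* leave the level on the way back */
    (void)frame[0];
}

/* Resets the counters, records the stack base and runs the workload. */
static unsigned run(struct guard *g, unsigned want) {
    volatile char base = 0;
    g->depth = g->peak_depth = g->violations = 0;
    g->stack_base = (uintptr_t)&base;
    recurse(g, want);
    return g->peak_depth;
}
```

In simulation mode the `violations` counter is the figure to watch: if it stays at zero across a long run of real workloads, the configured depth can be enforced without breaking the application.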