Hi folks! I know this isn't the kind of fun stuff people want to deal with on Friday but ...
In an effort to fix a very old (seven years old) DoS vulnerability involving encrypted streams I created a regression where feof() notifications on encrypted sockets are broken. This is present in both the most recent 5.4.33 and 5.5.17 releases. To be clear, this wasn't just a spurious change that resulted in a bug. The functionality was already problematic; it worked most of the time for most use cases but was a clear DoS problem.

In any case, I've updated the relevant bug with a patch that *I believe* should solve the issue once and for all:

- https://bugs.php.net/bug.php?id=41631
- https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621

This is a somewhat difficult thing to test for in isolation as the right conditions can depend on network topography and edge-case scenarios, so I would appreciate it if someone involved with the horde project could build php against the new patch and verify that things work as expected before I merge this upstream.

I believe (but haven't verified) that the same problem exists in the current 5.6 branch as well, so this needs resolution prior to 5.6.1 (not present in 5.6.0).

Apologies that this made its way into releases :/