[PHP-DEV] Readfile() security breach
Hi everyone, I just wanted to let you know about this breach unveiled by Secunia today. Well, actually i'm pretty sure you know about it, but i wanted to know if it was already being investigated and if there was a plan to release a patch soon. here's the link at secunia .. http://secunia.com/advisories/14409/ Thanks for any information. -- Chand -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] How to embed PHP5 into multi-threaded C app?
Wez, OK, I'm with you on this so far, but how do you differentiate ub_write, log_message, and sapi_error on different threads? It would seem to me that you'd need to have different functions for each thread as the calls to ub_write don't include some indication of the thread that this is being called under. Then again, maybe it's in the php_embed_module if it's tightly bound to the thread... For example, if I set the title in the thread-bound php_embed_module to something specific for each thread then check that within the call to ub_write() I can see who this 'write' belongs to. If I'm missing the boat on these function callbacks, or there's an easier way to capture stdout, stderr, etc. in a ZTS-enabled PHP/Zend environment, please let me know. I'm sorry if I seem a bit dense, but I'm trying to figure things out and design the code before I start writing it. Bob On Feb 28, 2005, at 11:56 PM, Wez Furlong wrote: ZTS enabled PHP has "strong thread affinity". Calls into the engine are thread-safe provided that you have previously initialized the engine on that thread. Note that you should not efree() memory allocated on one thread from outside of that thread, on pain of segfault. eg: resources from one thread cannot be safely passed on to another thread. --Wez. On Mon, 28 Feb 2005 14:24:05 -0600, Bob Beaty <[EMAIL PROTECTED]> wrote: Which is my concern. I've looked at the code differences, and it appears that this modification works for running different source files through the engine, but I'm concerned about the safety of zend_eval_string() if I initialize the engine in one thread and then try to have several threads calling zend_eval_string() on different strings. I'm not convinced that simply making the php_embed_module thread-local is going to work either. I'm concerned that the engine was written with the idea that only one thread can be initializing the php_embed_module and making calls to zend_eval_string(). If this is the case, then I'd have to re-write a lot more than php_embed.c to get thread-safety out of the engine. Or am I on the wrong track? Bob On Feb 28, 2005, at 1:08 PM, Vadka wrote: On Mon, 28 Feb 2005, Alan Knowles wrote: these still need tidying up alot, but the do work. http://docs.akbkhome.com/php_embed.c.txt http://docs.akbkhome.com/php_embed.h.txt replace the code in php_embed with them, make sure you compile with the zts enabled, and the macros's are similar to the original embed (use threaded start call at application start up, and thread start /start end within the pthread_start(...callback..) method Thread safeness is not a problem for a single thread. The problem is to call user functions from different threads (tsrm_ls pointed to somewhere in different threads, global vars etc are not protected). Thanks, Bob ([EMAIL PROTECTED]) The Man from S.P.U.D. We will write no code before it's designed. Thanks, Bob ([EMAIL PROTECTED]) The Man from S.P.U.D. We will write no code before it's designed.
Re: [PHP-DEV] How to embed PHP5 into multi-threaded C app?
The TSRMLS_DC magic parameter passes around the thread-local storage pointer for the thread; the SG() macro uses that information to get at the sapi_globals struct for your thread. You can also stuff your own SAPI related information into SG(server_context), if you are writing a SAPI: ... in my thread init code ... struct my_globals *g = calloc(1, sizeof(*g)); SG(server_context) = g; ... in the ub write callback ... struct my_globals *g = (struct my_globals*)SG(server_context); If TSRMLS_DC is not present in the function declaration, you can use TSRMLS_FETCH() to summon it out of thread-local-storage. --Wez. On Tue, 1 Mar 2005 04:35:43 -0600, Bob Beaty <[EMAIL PROTECTED]> wrote: > Wez, >OK, I'm with you on this so far, but how do you differentiate > ub_write, log_message, and sapi_error on different threads? It would > seem to me that you'd need to have different functions for each thread > as the calls to ub_write don't include some indication of the thread > that this is being called under. >Then again, maybe it's in the php_embed_module if it's tightly bound > to the thread... For example, if I set the title in the thread-bound > php_embed_module to something specific for each thread then check that > within the call to ub_write() I can see who this 'write' belongs to. >If I'm missing the boat on these function callbacks, or there's an > easier way to capture stdout, stderr, etc. in a ZTS-enabled PHP/Zend > environment, please let me know. >I'm sorry if I seem a bit dense, but I'm trying to figure things out > and design the code before I start writing it. > > Bob > > On Feb 28, 2005, at 11:56 PM, Wez Furlong wrote: > > > ZTS enabled PHP has "strong thread affinity". > > Calls into the engine are thread-safe provided that you have > > previously initialized the engine on that thread. > > > > Note that you should not efree() memory allocated on one thread from > > outside of that thread, on pain of segfault. eg: resources from one > > thread cannot be safely passed on to another thread. > > > > --Wez. > > > > > > > > On Mon, 28 Feb 2005 14:24:05 -0600, Bob Beaty <[EMAIL PROTECTED]> > > wrote: > >> Which is my concern. > >> > >> I've looked at the code differences, and it appears that this > >> modification works for running different source files through the > >> engine, but I'm concerned about the safety of zend_eval_string() if I > >> initialize the engine in one thread and then try to have several > >> threads calling zend_eval_string() on different strings. > >> > >> I'm not convinced that simply making the php_embed_module thread-local > >> is going to work either. I'm concerned that the engine was written > >> with > >> the idea that only one thread can be initializing the php_embed_module > >> and making calls to zend_eval_string(). If this is the case, then I'd > >> have to re-write a lot more than php_embed.c to get thread-safety out > >> of the engine. > >> > >> Or am I on the wrong track? > >> > >> Bob > >> > >> > >> On Feb 28, 2005, at 1:08 PM, Vadka wrote: > >> > >>> > >>> On Mon, 28 Feb 2005, Alan Knowles wrote: > >>> > these still need tidying up alot, but the do work. > http://docs.akbkhome.com/php_embed.c.txt > http://docs.akbkhome.com/php_embed.h.txt > replace the code in php_embed with them, make sure you compile with > the zts enabled, and the macros's are similar to the original embed > (use threaded start call at application start up, and thread start > /start end within the pthread_start(...callback..) method > >>> Thread safeness is not a problem for a single thread. > >>> The problem is to call user functions from different threads > >>> (tsrm_ls pointed to somewhere in different threads, global vars etc > >>> are not protected). > >> Thanks, > >> Bob ([EMAIL PROTECTED]) > >> The Man from S.P.U.D. > >> We will write no code before it's designed. > >> > >> > > > > > > Thanks, > Bob ([EMAIL PROTECTED]) > The Man from S.P.U.D. > We will write no code before it's designed. > > -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] How to embed PHP5 into multi-threaded C app?
On Tue, 1 Mar 2005, Wez Furlong wrote: ZTS enabled PHP has "strong thread affinity". Calls into the engine are thread-safe provided that you have previously initialized the engine on that thread. Hm... The problem is when we create a thread and call_user_function for the function from the parent thread. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DEV] How to embed PHP5 into multi-threaded C app?
On Tue, 1 Mar 2005, Alan Knowles wrote: I think derick does something like this in SRM, but basically if you want to load something in the global thread, and let the children inherit the data / classes /function etc. AFAIR you need to serialize the opcodes, and copy them for each thread. (or use something like bcompiler to load cached opcodes for you..) For me, inter-threads variables api is working (separated table, holding references between threads; must be synched by mutexes). it will take some time to make that available... -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
