Announcement

Collapse
No announcement yet.

Bug discovered in PHP that could crash Actinic.

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Bug discovered in PHP that could crash Actinic.

    This one isn't Actinic's fault but the PHP that V10 uses has been discovered to be susceptible to a bug that causes computers to freeze when they process certain numerical values.

    See http://www.theregister.co.uk/2011/01..._php_dos_vuln/ for details.

    I tested this on V10.0.2 using this simple bit of code in a Fragment description:
    Code:
    !!<<actinic:block php="true">$d = 2.2250738585072011e-308;</actinic:block>>!!
    And wham! Actinic hung using up 50% CPU forever. And immediately hung on restarting. Had to edit ActinicCatalog.mdb in Access to remove my bit of test code in order to regain control.

    This is unlikely to be a problem for developers as it's unlikely that anyone would code something like this.

    However if you use PHP on the server that accepts numeric values as customer provided input, then any idiot out there could feed in one of these poisonous numbers and hang PHP. Hopefully not taking down the entire server.
    Norman - www.drillpine.biz
    Edinburgh, U K / Bitez, Turkey
    Tags: None
    #2
    This could be pretty major for hosts.

    Comment

      #3
      However if you use PHP on the server that accepts numeric values as customer provided input, then any idiot out there could feed in one of these poisonous numbers and hang PHP. Hopefully not taking down the entire server.
      So presumably the recommendation is to test numeric inputs for valid values when using php?

      Mike
      -----------------------------------------

      First Tackle - Fly Fishing and Game Angling

      -----------------------------------------

      Comment

        #4
        That may be tricky. PHP automatically separates all user input into an array and doing anything with one of these values may be enough to trip the bug.

        Luckily said values are initially passed as strings so it should be possible to clean them up without casting them to numbers.

        It's so severe that a fix to PHP will probably be quickly provided. Then it's up to ISP's to install it.

        There is little need for Actinic to treat this as a severe bug as Actinic's built-in PHP is only used for helping build the site and is not exposed to malevolent user input.
        Norman - www.drillpine.biz
        Edinburgh, U K / Bitez, Turkey

        Comment

          #5
          PHP Bug

          The more I hear about V10, the happier I am I held back from using the upgrade...sad to say it but true.
          Steve Griggs.

          "People in business often miss opportunities, mainly because they usually arrive dressed in overalls and looking like work."



          www.kitchenwareonline.com
          www.microwave-repair.co.uk

          Comment

            #6
            This is nothing to do with Actinic or v10 even - it's a bug in php itself that shouldn't affect Actinic at all. It only affects php pages with passed parameters of a certain format.

            Comment

              #7
              This is nothing to do with Actinic V10 as such. The bug is in php5ts.dll which is an open source bit of code from the PHP foundation. Actinic comes with php5ts.dll V5.2.3 32bit which is problematical. You're already using it in your Actinic V9.
              Norman - www.drillpine.biz
              Edinburgh, U K / Bitez, Turkey

              Comment

                #8
                Originally posted by NormanRouxel View Post
                This is nothing to do with Actinic V10 as such. The bug is in php5ts.dll which is an open source bit of code from the PHP foundation. Actinic comes with php5ts.dll V5.2.3 32bit which is problematical. You're already using it in your Actinic V9.
                This is not the only bug in V5.2.3 that affects Actinic and interestingly it is no longer mentioned as a version on the PHP distribution sites. I would have thought that Actinic would be upgrading to the later version of the dll, I have tried it myself but was warned not to deploy it by Actinic.

                Malcolm
                SellerDeck Accredited Partner,
                SellerDeck 2016 Extensions, and
                Custom Packages

                Comment

                  #9
                  We've had previous problems with PHP. One bug caused crashes in Actinic and took an age to sort out, including a load of discussions with the PHP developers.

                  So we're fairly careful about implementing any new versions, and up to now there's not been any particular reason to do so.

                  Chris

                  Comment

                  Previous template Next
                  Working...
                  X