ID: 22481
User updated by: stefano dot cecconi at staff dot aruba dot it
Reported By: stefano dot cecconi at staff dot aruba dot it
Status: Open
Bug Type: Feature/Change Request
Operating System: windows 2000
PHP Version: 4.2.3
New Comment:

I'm very happy to hear something like that :)

>deny your IUSR_ access to your components,
>i don't see this as an issue.

We host about 160.000 web sites, we have hundreds of servers: i simply can't disable IUSR_ access to COM or other functions without disabling them for other languages too or without creating a lot of unforeseeable issues.

I'm happy to see that you consider the needs of web hosters too.

By the way, i'd like to advise you to look for the cause of the "unable to read memory" error given by php.exe using this kind of COM calls. You can use my example code to reproduce the php.exe error and crash. I'm not asking you to investigate the consequent inetinfo.exe crash, just the php.exe one.

Thank you.

Previous Comments:
------------------------------------------------------------------------

[2003-03-02 16:40:37] [EMAIL PROTECTED]

was: disabling com calls

after a short discussion on irc we came to the conclusion that adding a disable_functions-like disable_classes ini entry would probably be the best solution for everyone.

bringing this to php-dev

------------------------------------------------------------------------

[2003-03-02 16:31:56] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions.

Thank you for your interest in PHP.

simply deny your IUSR_ access to your components, i don't see this as an issue. there are easier ways to bring down a server than that.

------------------------------------------------------------------------

[2003-03-02 01:45:25] stefano dot cecconi at staff dot aruba dot it

The problem is simple: there are a lot of COM calls that are able to hang inetinfo and even the entire server. That's why i'm looking for a way to disable COM calls. I'm using the php.exe version instead of the isapi one.

That's an example code that is able to kill inetinfo:

<?php
$message = new COM('CDO.Message');
$message->To = 'test';
$message->From = '[EMAIL PROTECTED]';
$message->Subject = 'test';
$message->HTMLBody = '<html><body>test</body></html>';
$message->AddAttachment('test');
$message->Send();
?>

It's very difficult to disable COM using os permissions without disabling it for other languages too. I need to disable COM calls for php only, because this support is very dangerous for server stability. On a web hosting server there will always be someone using wrong or dangerous code. I think it's better to add the choice in the php.ini instead of asking people to recompile php.exe without COM support.

------------------------------------------------------------------------

[2003-03-01 10:13:40] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

guess why it's called 'dcom' :)

there's no way to disable com beside compiling php without the com extension, but there's also no reason to do so because you can always handle this via acls.

------------------------------------------------------------------------

[2003-02-28 12:15:54] stefano dot cecconi at staff dot aruba dot it

Setting com.allow_dcom = false doesn't disable com calls.

$dbc = new COM("ADODB.Connection");

It works if either allow_dcom is on or off

Maybe there is another way to disable com calls?

Stefano

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=22481&edit=1
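
The thread's two settings side by side, as an added example that is not part of the original report or of PHP itself: a small audit a hoster could run over php.ini files to tell "com.allow_dcom is off" apart from "PHP scripts cannot create COM objects". It assumes a PHP build that implements the disable_classes directive proposed above as a comma-separated list; the ini fragments and the function names are constructed for illustration.

```python
"""Added example: does this php.ini stop PHP scripts from creating COM objects?"""

# Constructed php.ini fragments (not taken from any real server).
WEAK_INI = """
[COM]
com.allow_dcom = false   ; the setting tried in the report
"""
HARDENED_INI = """
[PHP]
disable_functions = exec,system
disable_classes = "com, SomeOtherClass"  ; assumed: build supports disable_classes
"""

def parse_ini(text):
    """Return {directive: value}; a later duplicate overrides an earlier one.
    Simplified: a ';' inside a quoted value is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop php.ini comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def com_blocked(ini_text):
    """True only if the COM class itself is listed in disable_classes."""
    raw = parse_ini(ini_text).get("disable_classes", "")
    # PHP class names are case-insensitive, so compare in lower case.
    return "com" in {name.strip().lower() for name in raw.split(",")}

def audit(ini_text):
    """Return findings for a shared-hosting review; empty list means COM is blocked."""
    if com_blocked(ini_text):
        return []
    findings = ["COM objects can be created from PHP scripts"]
    dcom = parse_ini(ini_text).get("com.allow_dcom", "").lower()
    if dcom in ("", "0", "off", "false", "no"):
        findings.append("com.allow_dcom is off, but that does not disable local COM calls")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "COM blocked")
```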