ID:               22481
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stefano dot cecconi at staff dot aruba dot it
-Status:           Open
+Status:           Closed
 Bug Type:         Feature/Change Request
 Operating System: windows 2000
 PHP Version:      4.2.3
 New Comment:

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

This has been fixed in CVS with the addition of the 
disable_functions ini parameter.


Previous Comments:
------------------------------------------------------------------------

[2003-03-02 19:57:47] stefano dot cecconi at staff dot aruba dot it

I'm very happy to hear something like that :)

>deny your IUSR_ access to your components,
>i don't see this as an issue.

We host about 160.000 web sites, we have hundreds of servers : i simply
can't disable IUSR_ access to COM or other functions without disabling
them for other languages too or without creating a lot of unforeseeable
issues.

I'm happy to see that you consider needs of web hosters too.

By the way i'd like to advise you to look for the cause of the
"unable to read memory" given by php.exe using this kind of COM calls.
You can use my example code to reproduce the php.exe error and crash.
I'm not asking you to investigate the consequent inetinfo.exe crash,
just the php.exe one.

Thank you.

------------------------------------------------------------------------

[2003-03-02 16:40:37] [EMAIL PROTECTED]

was: disabling com calls

after a short discussion on irc we came to the conclusion that adding a
disable_functions like disable_classes ini entry would probably be the
best solution for everyone.

bringing this to php-dev

------------------------------------------------------------------------

[2003-03-02 16:31:56] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

simply deny your IUSR_ access to your components, i don't see this as
an issue. there are easier ways to bring down a server than that.

------------------------------------------------------------------------

[2003-03-02 01:45:25] stefano dot cecconi at staff dot aruba dot it

The problem is simple : there are a lot of COM calls that are able to
hang inetinfo and even the entire server.

That's why i'm looking for a way to disable COM calls.

I'm using the php.exe version instead of the isapi one.

That's an example code that is able to kill inetinfo :

<?php
$message = new COM('CDO.Message');
$message->To = 'test';
$message->From = '[EMAIL PROTECTED]';
$message->Subject = 'test';
$message->HTMLBody = '<html><body>test</body></html>';
$message->AddAttachment('test');
$message->Send();
?>

It's very difficult to disable COM using os permissions without
disabling it for other languages too. I need to disable COM calls for
php only, because this support is very dangerous for server stability.
On a web hosting server there will always be someone using wrong or
dangerous code.

I think it's better to add the choice in the php.ini instead of asking
people to recompile php.exe without COM support.

------------------------------------------------------------------------

[2003-03-01 10:13:40] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

guess why it's called 'dcom' :)

there's no way to disable com beside compiling php without the com
extension, but there's also no reason to do so because you can always
handle this via acls.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/22481

-- 
Edit this bug report at http://bugs.php.net/?id=22481&edit=1
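
For a hoster with many servers, the disable_classes entry discussed in the thread is only useful if every php.ini actually carries it. The following is an added example, not part of the bug report or of PHP itself: a small audit that reads php.ini text and reports hosts where the COM class is still enabled. The host names and ini fragments are constructed, and the parser assumes a plain php.ini in which the last assignment of a directive wins.

```python
# Added example (not from the bug report): audit php.ini text for a
# disable_classes entry that blocks the COM class used in the thread's script.

# Classes the audit requires to be disabled. PHP class names are
# case-insensitive, so everything is compared in lowercase.
REQUIRED = {"com"}

def ini_value(text, directive):
    """Return the last uncommented value of `directive` in php.ini text, or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue  # blank line, comment, or section header
        key, sep, rest = line.partition("=")
        if not sep or key.strip() != directive:
            continue
        rest = rest.strip()
        if rest[:1] in ('"', "'"):
            # Quoted value: take the text up to the matching closing quote.
            end = rest.find(rest[0], 1)
            rest = rest[1:end] if end != -1 else rest[1:]
        else:
            rest = rest.split(";", 1)[0].strip()  # drop a trailing comment
        value = rest  # assumption: a later assignment overrides an earlier one
    return value

def missing_classes(text, required=REQUIRED):
    """Return the required class names NOT listed in disable_classes."""
    value = ini_value(text, "disable_classes") or ""
    disabled = {name.strip().lower() for name in value.split(",") if name.strip()}
    return sorted(required - disabled)

# Constructed php.ini fragments, one per hypothetical host.
SAMPLES = {
    "host-a": "[PHP]\ndisable_functions = exec,system\n",
    "host-b": "[PHP]\n;disable_classes = COM\ndisable_classes =\n",
    "host-c": '[PHP]\ndisable_classes = "VARIANT, com" ; shared hosting\n',
}

def audit(samples=SAMPLES):
    """Map each host to the classes it still leaves enabled."""
    return {host: missing_classes(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, missing in audit().items():
        print(host, "OK" if not missing else "missing: " + ", ".join(missing))
```

host-b shows the case that is easy to miss by eye: the commented-out line does not count, and the empty assignment below it leaves COM enabled.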
