Did I find a bug in PHP's `crypt()`?


Problem description

I think I may have found a bug in PHP's crypt() function under Windows.

However: I recognize that it's probably my fault. PHP is used by millions and worked on by thousands; my code is used by tens and worked on by me. (This argument is best explained on Coding Horror.)

So I'm asking for help: show me my fault. I've been trying to find it for a few days now, with no luck.

The setup

I'm using a Windows server installation with Apache 2.2.14 (Win32) and PHP 5.3.2. My development box runs Windows XP Professional; the 'production' server (this is an intranet setup) runs Windows Storage Server 2003. The problem happens on both.

I don't see anything in php.ini related to crypt(), but will happily answer questions about my config.

The problem

Several scripts in my PHP app occasionally hang: the page sits there on 'waiting for localhost' and never finishes. Each of these scripts uses crypt to hash a user's password before storing it in the database, or, in the case of the login page, to hash the entered password before comparing it to the version stored in the database.

Since the login page is the simplest, I focused on it for testing. I repeatedly logged in, and found that it would hang maybe 4 out of 10 times.

As an experiment, I changed the login page to use the plain text password and changed my password in the database to its plain text version. The page stopped hanging.

I saw that PHP's latest version lists this bugfix:

Fixed bug #51059 (crypt crashes when invalid salt are [sic] given).

So I created a very simple test script, as follows, using the same salt given in an official example:

<?php
// Minimal test case: crypt() with a two-character (standard DES) salt
$foo = crypt('rasmuslerdorf', 'r1');
echo $foo;

This page, too, will hang, if I reload it like crazy. I only see it hanging in Chrome, but regardless of browser, the effect on Apache is the same.

Effect on Apache

When these pages hang, Apache's server-status page (which I explained here, regarding a different problem) increments the number of requests being processed and decrements the number of idle workers. The requests being processed almost all have a status of 'Sending Reply,' though sometimes for a moment they will show either 'Reading request' or 'keepalive (read).'

Eventually, Apache may crash. When it does, the Windows crash report looks like this:

szAppName: httpd.exe
szAppVer: 2.2.14.0
szModName: php5ts.dll
szModVer: 5.3.1.0 // OK, this report was before I upgraded to PHP 5.3.2, 
                  // but that didn't fix it
offset: 00a2615

Is it my fault?

I'm tempted to file a bug report to PHP on this. The argument against it is, as stated above, that bugs are nearly always my fault.

However, my argument in favor of 'it's PHP's fault' is:

  1. I'm using Windows, whereas most servers use Linux (I don't get to choose this), so the chances are greater that I've found an edge case
  2. There was recently a bug with crypt(), so maybe it still has issues
  3. I have made the simplest test case I can, and I still have the problem

Can anyone duplicate this? Can you suggest where I've gone wrong? Should I file the bug after all?

Thanks in advance for any help you may give.

Solution

The bugs 51059 (only about passing invalid inputs) or 50947 (not the same code; 5.3 has new algorithms and features implemented in PHP, on all platforms) are not related to this problem.

However, http://bugs.php.net/bug.php?id=51424 is. I already posted a partial patch there; it solves most of the possible locks, but it is indeed not sufficient. A full fix will be present in the next 5.3 release.

By the way, it is not Windows-specific but about the threaded SAPI (Windows Apache 2.2, for example).
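
The symptom described in the question (idle workers draining while requests stay in 'Sending Reply') can be watched for in mod_status's machine-readable `server-status?auto` output. The following is an added example, not code from the original post or from the PHP or Apache projects; the snapshots are constructed, and the function names and thresholds are assumptions.

```python
import re

# Constructed snapshots of /server-status?auto, polled a few seconds apart.
# Scoreboard keys: W = Sending Reply, R = Reading Request,
# K = Keepalive (read), _ = Waiting for Connection.
HUNG = [
    "Total Accesses: 41\nBusyWorkers: 2\nIdleWorkers: 6\nScoreboard: W_R_____",
    "Total Accesses: 44\nBusyWorkers: 3\nIdleWorkers: 5\nScoreboard: WW_K____",
    "Total Accesses: 49\nBusyWorkers: 5\nIdleWorkers: 3\nScoreboard: WWW_W_R_",
    "Total Accesses: 52\nBusyWorkers: 6\nIdleWorkers: 2\nScoreboard: WWWWW_K_",
]
HEALTHY = [
    "BusyWorkers: 2\nIdleWorkers: 6\nScoreboard: W_R_____",
    "BusyWorkers: 2\nIdleWorkers: 6\nScoreboard: _W__K___",
    "BusyWorkers: 1\nIdleWorkers: 7\nScoreboard: __W_____",
]

def parse_auto(text):
    """Parse one '?auto' response into (busy, idle, scoreboard)."""
    fields = dict(re.findall(r"^([^:\n]+): ?(.*)$", text, flags=re.M))
    return (int(fields["BusyWorkers"]), int(fields["IdleWorkers"]),
            fields["Scoreboard"])

def stuck_slots(samples, min_polls=3):
    """Indexes of worker slots that showed 'W' in each of the last
    `min_polls` samples (a normal reply is usually gone by the next poll)."""
    if len(samples) < min_polls:
        return []
    boards = [parse_auto(s)[2] for s in samples[-min_polls:]]
    width = min(len(b) for b in boards)
    return [i for i in range(width) if all(b[i] == "W" for b in boards)]

def looks_hung(samples, min_polls=3, min_stuck=2):
    """Heuristic: idle workers only fall across the window while at least
    `min_stuck` slots stay pinned in 'Sending Reply'."""
    if len(samples) < min_polls:
        return False
    idle = [parse_auto(s)[1] for s in samples[-min_polls:]]
    draining = (all(a >= b for a, b in zip(idle, idle[1:]))
                and idle[0] > idle[-1])
    return draining and len(stuck_slots(samples, min_polls)) >= min_stuck

if __name__ == "__main__":
    print("hung trace:   ", stuck_slots(HUNG), looks_hung(HUNG))
    print("healthy trace:", stuck_slots(HEALTHY), looks_hung(HEALTHY))
```

A slot that shows `W` on consecutive polls can also be serving back-to-back requests, and the status request itself appears as `W`; the `SS` column on the full server-status page confirms whether one request has really been running that long.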
