Remote recursion - security flaw or just annoyance?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg


Post by alex.barylski »

Assume you have a section in your code which can (under rare circumstances) potentially be used to cause recursion on your server until the script times out. Is this a security flaw or something not worth worrying about?

The only reason I haven't fixed it is that the fix is hackish in nature, and it's the only way to prevent this exploit from happening at the code level.

Do you hack it in order to patch it up or leave it up to the system to handle these rare circumstances?
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

example?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

I can't see how stopping a recursive function from recursing indefinitely could be "hackish". Writing end-of-recursion checks is an essential part of writing recursive functions.

This sounds like a DoS precondition, and even if you think it would happen only rarely (can't say anything without seeing code) you should be open to the idea that your judgement is wrong ;) And again, if it's not trivial to fix, you're probably doing something very wrong. Fix the code or refactor the caller not to use the function.
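As an added illustration of the end-of-recursion checks being discussed (this is example code, not something posted in the thread, and it assumes a made-up "nodes with refs" data structure rather than the original poster's actual code): a recursive expander over a user-supplied nested structure, first without any termination guard, then with a depth cap and cycle detection so that hostile input produces an exception instead of running until the script times out. The MAX_DEPTH value and the node/ref layout are assumptions for the example.

```php
<?php
// Added example, not from the thread. Demonstrates the difference between
// recursion that terminates only when the *data* does, and recursion with
// explicit end-of-recursion checks (depth limit + cycle detection).

declare(strict_types=1);

// Assumed limit for the example; pick whatever your data legitimately needs.
const MAX_DEPTH = 32;

// Vulnerable version: follows "refs" with no termination check of its own.
// Given a reference cycle (a -> b -> a) it never reaches a base case and
// keeps allocating frames until memory_limit or max_execution_time stops it.
function expandUnsafe(array $nodes, string $id): array
{
    $out = ['id' => $id, 'children' => []];
    foreach ($nodes[$id]['refs'] ?? [] as $ref) {
        $out['children'][] = expandUnsafe($nodes, $ref);
    }
    return $out;
}

// Hardened version. $path holds the ids currently being expanded (the
// active recursion stack); meeting one of them again is a cycle. $depth
// bounds the recursion even for acyclic but absurdly deep input. Because
// $path is passed by value, it unwinds automatically on return, so a node
// legitimately shared by two branches (a DAG) is still accepted.
function expandSafe(array $nodes, string $id, array $path = [], int $depth = 0): array
{
    if ($depth > MAX_DEPTH) {
        throw new RuntimeException("nesting deeper than " . MAX_DEPTH . " at '$id'");
    }
    if (isset($path[$id])) {
        throw new RuntimeException("reference cycle: " . implode(' -> ', array_keys($path)) . " -> $id");
    }
    if (!isset($nodes[$id])) {
        throw new RuntimeException("unknown node '$id'");
    }
    $path[$id] = true;

    $out = ['id' => $id, 'children' => []];
    foreach ($nodes[$id]['refs'] ?? [] as $ref) {
        if (!is_string($ref)) {
            throw new RuntimeException("malformed ref under '$id'");
        }
        $out['children'][] = expandSafe($nodes, $ref, $path, $depth + 1);
    }
    return $out;
}

// Constructed sample input, shaped like what json_decode() of a request
// body might hand you. In $cyclic, 'a' and 'b' reference each other.
$cyclic = [
    'a' => ['refs' => ['b']],
    'b' => ['refs' => ['a']],
];
$acyclic = [
    'root' => ['refs' => ['x', 'y']],
    'x'    => ['refs' => []],
    'y'    => ['refs' => ['x']],   // 'x' reached twice, but not on one path: fine
];

print_r(expandSafe($acyclic, 'root'));

try {
    expandSafe($cyclic, 'a');
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}

// expandUnsafe($cyclic, 'a');  // does not terminate on its own; left commented out
```

The two guards do different jobs: the cycle check catches the self-referencing input that makes the recursion unbounded, and the depth cap catches input that is merely very deep (which is just as effective at burning CPU and memory if the limit is high enough). Both are a few lines in the function itself, which is the point of the reply above: the fix belongs in the recursive function, not in whatever the web server or PHP's execution-time limit does after the damage is done.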