This one isn't Actinic's fault but the PHP that V10 uses has been discovered to be susceptible to a bug that causes computers to freeze when they process certain numerical values.

See http://www.theregister.co.uk/2011/01/04/weird_php_dos_vuln/ for details.

I tested this on V10.0.2 using this simple bit of code in a Fragment description:

!!<<actinic:block php="true">$d = 2.2250738585072011e-308;</actinic:block>>!!

And wham! Actinic hung using up 50% CPU forever. And immediately hung on restarting. Had to edit ActinicCatalog.mdb in Access to remove my bit of test code in order to regain control.

This is unlikely to be a problem for developers as it's unlikely that anyone would code something like this.

However if you use PHP on the server that accepts numeric values as customer provided input, then any idiot out there could feed in one of these poisonous numbers and hang PHP. Hopefully not taking down the entire server.

This could be pretty major for hosts.

However if you use PHP on the server that accepts numeric values as customer provided input, then any idiot out there could feed in one of these poisonous numbers and hang PHP. Hopefully not taking down the entire server.


So presumably the recommendation is to test numeric inputs for valid values when using php?

Mike

That may be tricky. PHP automatically separates all user input into an array and doing anything with one of these values may be enough to trip the bug.

Luckily said values are initially passed as strings so it should be possible to clean them up without casting them to numbers.

It's so severe that a fix to PHP will probably be quickly provided. Then it's up to ISP's to install it.

There is little need for Actinic to treat this as a severe bug as Actinic's built-in PHP is only used for helping build the site and is not exposed to malevolent user input.

The more I hear about V10, the happier I am I held back from using the upgrade...sad to say it but true.

This is nothing to do with Actinic or v10 even - it's a bug in php itself that shouldn't affect Actinic at all. It only affects php pages with passed parameters of a certain format.

This is nothing to do with Actinic V10 as such. The bug is in php5ts.dll which is an open source bit of code from the PHP foundation. Actinic comes with php5ts.dll V5.2.3 32bit which is problematical. You're already using it in your Actinic V9.

This is nothing to do with Actinic V10 as such. The bug is in php5ts.dll which is an open source bit of code from the PHP foundation. Actinic comes with php5ts.dll V5.2.3 32bit which is problematical. You're already using it in your Actinic V9.This is not the only bug in V5.2.3 that affects Actinic and interestingly it is no longer mentioned as a version on the PHP distribution sites. I would have thought that Actinic would be upgrading to the later version of the dll, I have tried it myself but was warned not to deploy it by Actinic.

We've had previous problems with PHP. One bug caused crashes in Actinic and took an age to sort out, including a load of discussions with the PHP developers.

So we're fairly careful about implementing any new versions, and up to now there's not been any particular reason to do so.

Chris