Index: trunk/php/luasandbox/luasandbox.c |
— | — | @@ -26,8 +26,21 @@ |
27 | 27 | * lua_tocfunction(). |
28 | 28 | * |
29 | 29 | * * Add CPU time limits. |
| 30 | + * |
| 31 | + * Doing a longjmp() from a signal handler destroys anything that the |
| 32 | + * call stack may have been modifying at the time. Allowing continued |
| 33 | + * access to such state will allow security vulnerabilities (SIG32-C). |
| 34 | + * |
| 35 | + * So I propose having two timeouts. When the first expires, a debug hook |
| 36 | + * is set which calls lua_error(), and a flag is set prohibiting dispatch |
| 37 | + * of any PHP callback. When the second expires, emergency action is |
| 38 | + * taken. If a PHP callback has been dispatched and we are waiting for it |
| 39 | + * to return, zend_error() will need to be called with E_ERROR, to safely |
| 40 | + * destroy the PHP state. This mirrors the behaviour of normal Zend timeouts. |
| 41 | + * Otherwise, lua_error() should be called, to return control to the |
| 42 | + * lua_pcall() caller, which should then destroy the lua state. |
| 43 | + * |
30 | 44 | * * Add LuaSandbox::getMemoryUsage(). |
31 | | - * * Fix memory leak probably in |
32 | 45 | */ |
33 | 46 | |
34 | 47 | #ifdef HAVE_CONFIG_H |
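Review bot: the second-timeout design on lines 37-42 should state from what context the "emergency action" runs, because the SIG32-C argument on lines 31-33 applies equally to calling zend_error(E_ERROR) or lua_error() directly from a signal handler; if the intent is that the handler only sets a flag and the error is raised at a later safe point (as the comparison with "normal Zend timeouts" on line 40 suggests), say so explicitly, e.g. "the signal handler only sets a flag; the flag is checked and acted on from the debug hook / callback dispatch path". Separately, the removed item "* * Fix memory leak probably in" was already truncated and is dropped here without any note of whether the leak was found and fixed or merely deprioritised; either restore it with the missing location filled in or record the resolution in the commit message so the TODO history is not lost.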