[OWASP_PHPSEC] Couple of Questions on Code

Abbas Naderi abiusx at owasp.org
Fri Jun 28 09:34:39 UTC 2013


Hi Rahul,
As soon as the client closes the connection, the server script terminates, though it would be better to do it until seek_end.

You should not check for max_execution_time, but check whether you are allowed to extend it.

sleep allows an application to get blocked in the OS pool and not use resources. It also spends one second so that our application feeds a certain size of data each second.
-Abbas
On Tir 7, 1392, at 8:20 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> In your implementation of Feed, you specified seek_start and seek_end.
> 
> However, when you are returning the file, you are starting to read from seek_start but are not specifying the end. So the whole data would be read from seek_start, which is wrong, isn't it??
> 
> Because you must only read data till seek_end and no further.
> 
> 
> On Thu, Jun 27, 2013 at 11:06 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> OK... I understand now... but why sleep??
> 
> and how to check if a variable such as "max_execution_time" inside php.ini is set or not??
> 
> 
> On Thu, Jun 27, 2013 at 1:52 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> Hi Azzeddine,
> Good to have you back on board.
> Rahul, what Azzeddine said is true. set_time_limit(0) means unlimited time, though it needs to be allowed by php.ini, so it's better to check it somewhere and throw an exception if it is not supported.
> 
> BandwidthLimits are a means of limiting the speed visitors can download files at. For example, if you're providing videos or music archives, you don't want them to be leeched and you don't want your server to be overwhelmed, so you put a limit of 512 kbps per person per file. That means that a minimum of 2000 users can download files from your server if you're serving on a 1 Gbps connection.
> 
> Since we don't want this limit to be enforced upon JavaScript and CSS files that actually form our web pages (yet are counted as static downloadable content), we set a minimum size for enabling the limitation. For example, for all files that are bigger than 1MB we set this limit and others are unlimited in bandwidth, so that our website doesn't look slow or problematic to the end user.
> 
> Thanks
> -Abbas
> On Tir 6, 1392, at 9:35 PM, Azeddine Islam Mennouchi <azeddine.mennouchi at owasp.org> wrote:
> 
>> I do not have any knowledge about jFramework,
>> but for the 2nd question it is totally on the contrary: it will make an error go away.
>> If any action you are doing can take more than the max_execution_time, you need to put set_time_limit(0) or you will get "Maximum execution time exceeded".
>> I think that $BandwidthLimitInitialSize is a bandwidth limitation (the amount of data that you read in one time).
>> The rest I can't tell.
>> 
>> Regards, Islam
>> 
>> 
>> On Thu, Jun 27, 2013 at 5:30 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
>> This is the code inside Feed in download.php inside jFramework. Comments are my questions:
>> 
>> //Q1-> What does $BandwidthLimitInitialSize represents ???
>> if (self::$BandwidthLimitInitialSize>0 && $FileSize > self::$BandwidthLimitInitialSize)
>>         {
>>             $f = fopen($File, "rb");
>>             fseek($f, $seek_start);
>>             set_time_limit(0);   // Q2->   Why is time set to 0. Wouldn't it trigger an error ???
>>             while (! feof($f))
>>             {
>>                 echo fread($f, self::$BandwidthLimitSpeed);
>>                 flush();
>>                 ob_flush(); //Q3->  You haven't done ob_start() here but still you are using ob_flush() ???
>>                 sleep(1);  //Q4->   Why sleep ???
>>             }
>>             fclose($f);
>>             return true;
>>         }
>> 
>> 
>> -- 
>> Regards,
>> Rahul Chaudhary
>> Ph - 412-519-9634
>> 
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>> 
>> 
>> 
>> 
>> -- 
>> Islam Azeddine Mennouchi
>> Consultant at NovaSup
>> http://www.novasup.com/
>> OWASP ALGERIA Chapter Leader
>> phone n°: +213796314102
> 
> 
> 
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
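
Putting the thread's points together (stop at seek_end, treat a refused set_time_limit() as an error, flush only an output buffer that exists, and stop when the client disconnects), here is an added example of a rate-limited range feed. It is not jFramework's code; the function name feedRange and its parameters are assumptions, and the rate is approximated as one chunk of $bytesPerSecond per one-second sleep, as in the original loop.

```php
<?php
// Added example, not jFramework's Feed(): send bytes [$seekStart, $seekEnd] (inclusive)
// of $file at roughly $bytesPerSecond, never past $seekEnd, and stop on client disconnect.
function feedRange(string $file, int $seekStart, int $seekEnd, int $bytesPerSecond): int
{
    // Ask for unlimited time; if php.ini does not allow extending it, fail loudly
    // instead of letting the transfer die mid-file with "Maximum execution time exceeded".
    if (set_time_limit(0) === false) {
        throw new RuntimeException('set_time_limit(0) is not permitted by this configuration');
    }
    if ($seekStart < 0 || $seekEnd < $seekStart || $bytesPerSecond <= 0) {
        throw new InvalidArgumentException('invalid range or rate');
    }
    $f = fopen($file, 'rb');
    if ($f === false) {
        throw new RuntimeException("cannot open $file");
    }
    fseek($f, $seekStart);
    ignore_user_abort(false);          // let a closed connection end the script
    $remaining = $seekEnd - $seekStart + 1;   // bytes still owed to the client
    $sent = 0;
    while ($remaining > 0 && !feof($f)) {
        // Read at most one second's worth, and never more than the range still owes.
        $chunk = fread($f, min($bytesPerSecond, $remaining));
        if ($chunk === false || $chunk === '') {
            break;
        }
        echo $chunk;
        if (ob_get_level() > 0) {      // ob_flush() without an active buffer only raises a notice
            ob_flush();
        }
        flush();
        $sent      += strlen($chunk);
        $remaining -= strlen($chunk);
        if (connection_aborted()) {    // client went away: stop reading rather than finish the file
            break;
        }
        if ($remaining > 0) {
            sleep(1);                  // one chunk per second is the bandwidth cap
        }
    }
    fclose($f);
    return $sent;                      // bytes actually delivered; caller can log a short transfer
}
```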
