author Anatol Belski <ab@php.net> 2018-01-10 17:50:09 +0100
committer Anatol Belski <ab@php.net> 2018-01-10 18:45:15 +0100
commit c3717d9aecbe65cb2e5778a24a91e9eaf638639e
tree 119a27f92bd5b99f39bc4f3207a07fb4602430cd /Zend
parent f09c012ebe9ea413394fe4476b29bc790d903378
Add possibility to lower timer resolution
The recently discovered security flaw Spectre requires a high resolution timer. To today's knowledge, PHP can't be used to create an attack for this flaw. Still, some concerns were raised that there might be impact in shared hosting environments. This patch adds a possibility to reduce the timer resolution by an ini setting, thus giving administrators full control. Especially, as the flaw was also demonstrated by an abuse of the JS engine in a browser, Firefox reduced several time sources to 20us. Any programming language that doesn't compile to JIT won't be able to produce an attack vector for Meltdown and Spectre, at least by today's knowledge. There are also other factors that say that the security concern on the hrtime feature is for the most part not justified; still, we aim for JIT in the future. Thus, adding a possibility to control the timer resolution is a good and small enough tradeoff for safety and future.
Diffstat (limited to 'Zend')
0 files changed, 0 insertions, 0 deletions