Bugzilla – Bug 72441
VUL-0: CVE-2004-1065: PHP unserialize terrible performance
Last modified: 2021-11-04 16:03:03 UTC
Subject: PHP unserialize terrible performance
From: Leonard den Ottolander <leonard@den.ottolander.nl>
To: mcihar@suse.de

Hello,

I hope you don't mind me contacting you about this directly.

Since the update of mod_php4 to version 4.3.3-183 (SuSE 9.0) the performance of unserialize() has deteriorated. I noticed this when loading index.php in phpGedView-3.00.1. The rendering of the page used to take a few seconds, but it now takes over 2 minutes! Reverting to -179 fixes the issue.

It seems this issue is known by the php developers and has been fixed in CVS (http://bugs.php.net/bug.php?id=31332).

The fix essentially is to update var_unserialize.c to CVS rev. 1.18.4.15 (or maybe even 1.18.4.14 although the CVS comments suggest the former) and var_php.h to CVS rev. 1.21.4.5. The only fix is the "#if 1" below "yy67:" as php_get_nan() and php_get_inf() are not yet defined.

I split out the fixes for CAN-2004-1018, CAN-2004-1019 and CAN-2004-1065 from php-4.3.3-secfix1.patch and updated the fix for CAN-2004-1019. You no longer need the patches that touch var_unserializer.c. So you should drop patches #10, #20 and #21 and add three separate patches for these CAN issues.

Attached you find the three patches. I'd send you a SPEC file if you'd like, but I suspect you can update it yourself.

I hope this patch (or a similar one) gets included in SuSE 9.0 soon so people can enjoy a reasonable performance from unserializer() again.

Regards,
Leonard den Ottolander.
Created attachment 31459
separated patches
Filed against SLES9 as it seems to be affected as well.
5.0.3 in stable/9.3 is affected as well.
Fixed together with bug #75704.
Forgot to change state...
released updates now.
CVE-2004-1065: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)