HOME Community Articles Code Library People Mail Archive My Account Contribute PHP Jobs

Open Source Database Feature Comparison Matrix Try Declarative Programming with Annotations and Aspects Locate All Stored Procedures and Their Objects/SQL Tables Building a Stored Procedure Generator Making Tables Read-only in Oracle

24-hour Support Daily Backup Dedicated Servers JSP/Java Servlets PHP MySQL Streaming Audio/Video Telnet/SSH Unix Hosting 24-hour Support

From: shane <email protected>
Date: 12/03/02

• Next message: philip <email protected>: "[PHP-DOC] #7741 [Csd->Opn]: [feature request] Document about every predefined variable"
• Previous message: shane <email protected>: "[PHP-DOC] #7741 [Opn->Csd]: .cgi does not adhere to quasi-RFC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 ID: 18349
 Updated by: shane <email protected>
 Reported By: madmax <email protected>
-Status: Open
+Status: Closed
 Bug Type: Documentation problem
 Operating System: FreeBSD 4.6-RELEASE
 PHP Version: 4.2.1
 New Comment:

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2002-11-24 01:52:48] mochaexpress <email protected>

I experienced the same problem with using php cgi version for 4.2.1 and
4.2.2. I ended up hacking it by using a shell script to call the actual
php cgi:

#!/bin/sh
export SCRIPT_FILENAME=$PATH_TRANSLATED
/usr/bin/php

------------------------------------------------------------------------

[2002-07-26 05:13:41] madmax <email protected>

next problem with start PHP as CGI with

AddType some/type php
Action some/type /cgi-bin/php

With call script as:
http://server/script.php/a/b/c

For compare look at ./sapi/fastcgi/fastcgi.&#1089; on function
+244 init_request_info()
...
        /*
         * if the file doesn't exist, try to extract PATH_INFO out
         * of it by stat'ing back through the '/'
         */
...
May be cgi code need like chunk ?

b.r.
 Kozin Maxim

------------------------------------------------------------------------

[2002-07-15 10:04:55] madmax <email protected>

change description:
---------------------------------------------------------------------------------------
--enable-discard-path
If this is enabled, the PHP CGI binary can safely be placed outside of
the web tree and people will not be able to circumvent .htaccess
security.

(why ? what happened with this option ? without ?)

to more clear:
---------------------------------------------------------------------------------------
-enable-discard-path
If this is enabled, the PHP CGI binary would get
script for execution from ENV("SCRIPT_FILENAME"),
if disabled - from ENV("PATH_TRANSLATED").
If this options disabled, anyone can
call PHP in this way:
http://servername/php4/php?/etc/passwd
or so
http://servername/php4/php?/home/clinets/somename/.htaccess

where /php4 is defined like
ScriptAlias /php4 /usr/local/not_web_root/php4
and /usr/local/not_web_root/php4 contained binary of cgi version php
.
To disable this unsecure behavior, set option
--enable-force-cgi-redirect
With this options, PHP check inside some internal variable (NOT
enviroment from client, evil user can't spoof this variable !)
And if php call in direct way, then PATH_TRANSLATED parameter don't be
proceeded as php script file.
========================================================
May be to long and "not pure english", but I spend 1 hour , when tryed
undestand, what means M$-like text "Now, Be more secure with this
options !"

p.s.
 may be You need one options ?
--with-cgi
It will assumed --enable-force-cgi-redirect and
--enable-discard-path=no.
Who realy need "--disable-force-cgi-redirect" ???
Who realy need --enable-discard-path=yes ?

b.r.
  Kozin Maxim

------------------------------------------------------------------------

[2002-07-15 08:53:36] madmax <email protected>

Try include this string in apache configuration (.htaccess or base
config)
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/printenv
---------------------------------------------
Now run any script with .php4 extension, output would include:
PATH_TRANSLATED="/usr/local/apache/virthost/v1/tst/tst.php4"
...
SCRIPT_FILENAME="/usr/local/apache/virthost/v1/cgi-bin/printenv"

Ok, now try change "printenv" on correct path to PHP, for example:
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/php
---------------------------------------------

Now PHP try parsed himself, (some internal parser error on line 1234,
for example, in file /usr/local/apache/virthost/v1/cgi-bin/php).
But which env path must used PHP for target script ?
May be PATH_TRANSLATED ? As we can see in printenv, this variable
correct defined by apache.

b.r.
  Kozin Maxim

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=18349&edit=1
-- 
PHP Documentation Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

• Next message: philip <email protected>: "[PHP-DOC] #7741 [Csd->Opn]: [feature request] Document about every predefined variable"
• Previous message: shane <email protected>: "[PHP-DOC] #7741 [Opn->Csd]: .cgi does not adhere to quasi-RFC"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]