https://bz.apache.org/bugzilla/show_bug.cgi?id=62339
Bug ID: 62339
Summary: proxy-fcgi-pathinfo=unescape breaks PATH_INFO and SCRIPT_NAME
Product: Apache httpd-2
Version: 2.4.25
Hardware: PC
OS: Linux
Status: NEW
Severity: blocker
Priority: P2
Component: mod_proxy_fcgi
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
To get a PATH_INFO environment variable available to PHP-FPM, the doc
http://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html#env says to add
this line in the conf:
SetEnvIf REQUEST_URI "^/.*\.php/.*$" proxy-fcgi-pathinfo
It does work for ASCII values in PATH_INFO:
/phpinfo.php/simple-path_info → PATH_INFO = /simple-path_info
However, for values containing spaces or non-ASCII values, it does urlencode
them:
"/phpinfo.php/spaced path_info" → PATH_INFO="/spaced%20path_info"
"/phpinfo.php/é_accent" → PATH_INFO="/%C3%A9_accent"
So, as I need an unescaped PATH_INFO, and still according to the doc, I set
proxy-fcgi-pathinfo to "unescape":
SetEnvIf REQUEST_URI "^/.*\.php/.*$" proxy-fcgi-pathinfo=unescape
This does unescape, but it does break strings too:
"http://example.com/phpinfo.php/spaced path_info"
→ PATH_INFO = hp/spaced path_info
              ^^ Why are the last 2 chars of "/phpinfo.php" here?
→ SCRIPT_NAME = /var/www/html/phpinfo.p
                                    ^^^ It's missing the above "hp".
And it worsens with the length of the string. It looks like it truncates
PATH_INFO by a number of characters related to those it had to unescape:
- "/phpinfo.php/a 1z" → PATH_INFO="hp/a 1z" /
  SCRIPT_NAME="/var/www/html/phpinfo.p"
- "/phpinfo.php/a 1 2z" → PATH_INFO=".php/a 1 2z" /
  SCRIPT_NAME="/var/www/html/phpinfo"
- "/phpinfo.php/a 1 2 3z" → PATH_INFO="fo.php/a 1 2 3z" /
  SCRIPT_NAME="/var/www/html/phpin"
- "/phpinfo.php/a 1 2 3 4 5z" → PATH_INFO="hpinfo.php/a 1 2 3 4 5z" /
  SCRIPT_NAME="/var/www/html/p"
It does of course break with accented characters too, not only spaces (%20).
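Added example (not part of the original report, and not httpd code): a Python model of the reported behaviour, assuming the SCRIPT_NAME/PATH_INFO boundary is measured with the escaped PATH_INFO length but applied to the unescaped string. The names `model_split`, `looks_corrupted` and `check_report` are hypothetical; the sample values are copied from the report, and the last function is a regression check an application or test suite could run on the variables it receives.

```python
from urllib.parse import quote

DOCROOT = b"/var/www/html"   # document root visible in the report's SCRIPT_NAME values
SCRIPT = b"/phpinfo.php"     # script used in every reported request


def model_split(path_info: str):
    """Hypothetical model of the symptom (an assumption, not the module's source).

    The boundary is taken `len(escaped)` bytes from the end of the unescaped
    string, so it drifts left by 2 bytes for every %XX sequence that was decoded.
    """
    raw = path_info.encode("utf-8")
    escaped = quote(raw).encode("ascii")      # "/a 1z" -> b"/a%201z"
    full = DOCROOT + SCRIPT + raw             # unescaped filename + path info
    cut = len(full) - len(escaped)            # too far left when anything was escaped
    return (full[:cut].decode("utf-8", "replace"),
            full[cut:].decode("utf-8", "replace"))


def looks_corrupted(path_info: str) -> bool:
    """Regression check: a non-empty PATH_INFO must begin with '/'."""
    return bool(path_info) and not path_info.startswith("/")


# (requested path info, SCRIPT_NAME, PATH_INFO) exactly as listed in the report
REPORTED = [
    ("/spaced path_info", "/var/www/html/phpinfo.p", "hp/spaced path_info"),
    ("/a 1z",             "/var/www/html/phpinfo.p", "hp/a 1z"),
    ("/a 1 2z",           "/var/www/html/phpinfo",   ".php/a 1 2z"),
    ("/a 1 2 3z",         "/var/www/html/phpin",     "fo.php/a 1 2 3z"),
    ("/a 1 2 3 4 5z",     "/var/www/html/p",         "hpinfo.php/a 1 2 3 4 5z"),
]


def check_report() -> bool:
    """True when the model reproduces every value pair from the report."""
    return all(model_split(req) == (script, info) for req, script, info in REPORTED)


if __name__ == "__main__":
    for req, script, info in REPORTED:
        got = model_split(req)
        print(f"{req!r:22} model={got} flagged={looks_corrupted(got[1])}")
    print("model matches report:", check_report())
```
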