Bug #51688 [Opn->Asn]: php_cgi_ini_activate_user_config() crashes when given apache-rewritten URL

Wed, 28 Apr 2010 16:52:14 -0700 

Edit report at http://bugs.php.net/bug.php?id=51688&edit=1

 ID:               51688
 Updated by:       johan...@php.net
 Reported by:      marcusmarch at gmail dot com
 Summary:          php_cgi_ini_activate_user_config() crashes when given
                   apache-rewritten URL
-Status:           Open
+Status:           Assigned
 Type:             Bug
 Package:          Reproducible crash
 Operating System: Linux
 PHP Version:      5.3.2
-Assigned To:      
+Assigned To:      pajoye



Previous Comments:
------------------------------------------------------------------------
[2010-04-28 23:33:05] marcusmarch at gmail dot com

Description:
------------
Using php-5.3.2 as a cgi executable with Apache on Linux (though this
bug looks to exist in the trunk branch as well).



We have an apache RewriteRule that turned the URL requested into another
location (that unfortunately does not exist on the file system).



Here is a source change I made to find the error:

Index: sapi/cgi/cgi_main.c                                              
       

=================================================================== 

diff -p -u -r1.5 cgi_main.c

--- sapi/cgi/cgi_main.c 16 Apr 2010 19:15:31 -0000  1.5

+++ sapi/cgi/cgi_main.c 28 Apr 2010 20:12:25 -0000

@@ -750,8 +750,10 @@ static void php_cgi_ini_activate_user_co

        zend_hash_clean(entry->user_config);



        if (!IS_ABSOLUTE_PATH(path, path_len)) {

+            fprintf(stderr, "MZ1 2.3, path is %s\n", path);

            real_path = tsrm_realpath(path, NULL TSRMLS_CC);

-           real_path_len = strlen(real_path);

+            fprintf(stderr, "MZ1 2.4, real_path is %s\n", real_path ?
real_path : "(MZ nil)");

+           real_path_len = real_path ? strlen(real_path) : 0;

            path = real_path;

            path_len = real_path_len;

        }

========================================================

And here is the resultant error_log info from Apache:

----------------------

[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.3, path
is
redirect:/per_site_html_root/mzoellerapache/euf/application/gonow/widgets/standard/navigation/NavigationTab2/logic.js/gonow/widgets/standard/navigation/NavigationTab2/

[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.4,
real_path is (MZ nil)

--------------



The process would fail on the call to strlen(real_path), as real_path
was a NULL pointer. This might also be classified as Junk In, Junk Out,
as we were passing a messed up path due to the Apache rewrite rule.



It looks like this error was introduced by pajoye with Revision 282336 :
https://cvs.php.net/viewvc/php/php-src/branches/PHP_5_3/sapi/cgi/cgi_main.c?r1=282335&r2=282336&;







------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=51688&edit=1

Reply via email to