Edit report at http://bugs.php.net/bug.php?id=51688&edit=1
ID: 51688
Updated by: paj...@php.net
Reported by: marcusmarch at gmail dot com
Summary: php_cgi_ini_activate_user_config() crashes when given apache-rewritten URL
-Status: Assigned
+Status: Closed
Type: Bug
Package: Reproducible crash
Operating System: Linux
PHP Version: 5.3.2
Assigned To: pajoye

New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2010-04-30 10:15:11] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=298794
Log: - Fix #51688, ini per dir crashes when invalid document root are given

------------------------------------------------------------------------
[2010-04-30 09:45:13] paj...@php.net

While php should not crash it seems to be a bug in mod_fcgid (or whatever you use with php's cgi with apache). The path actually comes from the document root server environment variable, which must be a valid path.

However I will add the sanity check and simply bail out of this function when realpath fails.

------------------------------------------------------------------------
[2010-04-28 23:33:05] marcusmarch at gmail dot com

Description:
------------
Using php-5.3.2 as a cgi executable with Apache on Linux (though this bug looks to exist in the trunk branch as well). We have an apache RewriteRule that turned the URL requested into another location (that unfortunately does not exist on the file system).

Here is a source change I made to find the error:

Index: sapi/cgi/cgi_main.c =================================================================== diff -p -u -r1.5 cgi_main.c --- sapi/cgi/cgi_main.c 16 Apr 2010 19:15:31 -0000 1.5 +++ sapi/cgi/cgi_main.c 28 Apr 2010 20:12:25 -0000 
@@ -750,8 +750,10 @@ static void php_cgi_ini_activate_user_co zend_hash_clean(entry->user_config); if (!IS_ABSOLUTE_PATH(path, path_len)) { + fprintf(stderr, "MZ1 2.3, path is %s\n", path); real_path = tsrm_realpath(path, NULL TSRMLS_CC); - real_path_len = strlen(real_path); + fprintf(stderr, "MZ1 2.4, real_path is %s\n", real_path ? real_path : "(MZ nil)"); + real_path_len = real_path ? strlen(real_path) : 0; path = real_path; path_len = real_path_len; }
========================================================

And here is the resultant error_log info from Apache:

----------------------
[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.3, path is redirect:/per_site_html_root/mzoellerapache/euf/application/gonow/widgets/standard/navigation/NavigationTab2/logic.js/gonow/widgets/standard/navigation/NavigationTab2/
[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.4, real_path is (MZ nil)
--------------

The process would fail on the call to strlen(real_path), as real_path was a NULL pointer.

This might also be classified as Junk In, Junk Out, as we were passing a messed up path due to the Apache rewrite rule.

It looks like this error was introduced by pajoye with Revision 282336: https://cvs.php.net/viewvc/php/php-src/branches/PHP_5_3/sapi/cgi/cgi_main.c?r1=282335&r2=282336&

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/bug.php?id=51688&edit=1
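
Review bot: the NULL guard on real_path_len only protects strlen(); the unchanged lines that follow, "path = real_path; path_len = real_path_len;", still run, so when tsrm_realpath() fails path is left as NULL with a length of 0 for whatever uses it after this block. Check the return value directly after the tsrm_realpath() call and leave the function when it is NULL, instead of carrying a NULL path forward. The two fprintf(stderr, "MZ1 ...") lines are debugging aids that copy the request-derived path into the server error log, and they should be removed before the change is applied.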