Edit report at http://bugs.php.net/bug.php?id=51983&edit=1
ID: 51983
User updated by: konstantin at symbi dot org
Reported by: konstantin at symbi dot org
Summary: [fpm sapi] pm.status_path not working when cgi.fix_pathinfo=1
Status: Assigned
Type: Bug
Package: FPM related
Operating System: Any
PHP Version: 5.3SVN-2010-06-03 (snap)
Assigned To: fat
Block user comment: N

New Comment:

btw, current fix_pathinfo implementation has security problems:
http://habrahabr.ru/blogs/sysadm/100961/
http://www.80sec.com/nginx-securit.html

If a site has uploads (say, images), one can upload an image containing executable php code and append /something.php to the image url (say, /uploads/1.jpg/test.php). When fix_pathinfo=1, init_request_info would use /uploads/1.jpg as a script filename. The suggested patch fixes this, too.

Previous Comments:
------------------------------------------------------------------------
[2010-06-09 16:15:57] f...@php.net

I mentioned all the web servers to make sure we agree on doing this. I totally agree on making this change. This pathinfo thing sucks for real.
------------------------------------------------------------------------
[2010-06-09 15:59:48] tony2...@php.net

Jerome, I agree that we should drop this fix_pathinfo stuff - it makes no sense to adopt all the freaky things from CGI API. The patch requires some extensive testing, though, that's clear. But I don't think we should keep in mind all the web-servers you mentioned. Apache, nginx & lighttpd are my biggest concern, others can be safely dropped (or assumed working). You can forget about IIS anyway, FPM doesn't support Windows.
------------------------------------------------------------------------
[2010-06-04 09:07:10] konstantin at symbi dot org

And of course I never said we should do anything with the CGI/FCGI sapi. I am sure its implementation must not be changed 'cause it was tested with many webservers during years. I am speaking only about FPM sapi which is much more specific.
------------------------------------------------------------------------
[2010-06-04 09:04:54] konstantin at symbi dot org

FPM sapi implements remote fastcgi only (also known as "external FastCGI"). So it is limited to web servers which support it. I have tested Nginx, Lighttpd, and Apache mod_fastcgi. For the other webservers listed, are there any which support remote fastcgi? At least I am sure that IIS does not (even with its latest fastcgi implementations, I've asked this question on IIS FastCGI forums). As far as I know, thttpd does not either.
------------------------------------------------------------------------
[2010-06-04 08:59:23] f...@php.net

I'm asking about Apache, to be certain not to ban some webservers from using FPM. According to http://www.fastcgi.com/drupal/node/3, we have to make sure that FPM is compliant with all of the following webservers:

Apache
Microsoft IIS
Microsoft IIS (second generation)
SunOne
Lighttpd
Premium thttpd
http MyServer
Pi3Web
WebSTAR (Mac OS)
Nginx
Cherokee
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51983

--
Edit this bug report at http://bugs.php.net/bug.php?id=51983&edit=1
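As an added illustration (not code from the bug report or from PHP's own init_request_info), the following Python model reproduces the fix_pathinfo-style path walk the new comment describes, showing how /uploads/1.jpg/test.php resolves to the uploaded image, and the check a defender would want in front of it: the resolved file must actually carry an executable PHP extension. The document root, file listing and ALLOWED_EXTENSIONS are constructed for the demo.

```python
"""Model of a CGI-style PATH_INFO split (cgi.fix_pathinfo=1) and a hardened
variant that refuses to execute anything that is not a real .php file.
Illustrative only; this is not PHP's actual init_request_info() code."""
import posixpath

# Constructed document root: one uploaded image and one legitimate script.
DOCROOT = "/var/www"
FILES = {"/var/www/uploads/1.jpg", "/var/www/index.php"}

# Constructed policy: only these extensions may reach the PHP engine
# (the same idea later shipped in FPM as security.limit_extensions).
ALLOWED_EXTENSIONS = (".php",)


def exists(path):
    """Stand-in for a stat() call against the constructed file listing."""
    return path in FILES


def split_script_path(request_path):
    """fix_pathinfo-style walk: strip trailing segments until a file exists.
    Returns (script_filename, path_info), or (None, None) if nothing matches."""
    parts = request_path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        candidate = posixpath.join(DOCROOT, *parts[:i])
        if exists(candidate):
            path_info = "/" + "/".join(parts[i:]) if i < len(parts) else ""
            return candidate, path_info
    return None, None


def resolve_script(request_path):
    """Hardened resolution: same walk, then refuse (return None) when the
    file found on disk is not one the pool is meant to execute."""
    script, path_info = split_script_path(request_path)
    if script is None:
        return None  # nothing on disk matches: a 404, not a script
    if not script.lower().endswith(ALLOWED_EXTENSIONS):
        return None  # e.g. an uploaded image: must never be executed
    return {"SCRIPT_FILENAME": script, "PATH_INFO": path_info}


if __name__ == "__main__":
    for req in ("/uploads/1.jpg/test.php", "/index.php/foo", "/missing.php"):
        print(req, "->", split_script_path(req), "| hardened:", resolve_script(req))
```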