Edit report at https://bugs.php.net/bug.php?id=51983&edit=1
ID: 51983
Comment by: f...@php.net
Reported by: konstantin at symbi dot org
Summary: [fpm sapi] pm.status_path not working when
cgi.fix_pathinfo=1
Status: Assigned
Type: Bug
Package: FPM related
Operating System: Any
PHP Version: 5.3SVN-2010-06-03 (snap)
Assigned To: fat
Block user comment: N
Private report: N
New Comment:
I'm dequeuing FPM bugs. I've started with the simple ones. This one is on my
todo
list. I don't have an ETA right now.
++ Jerome
Previous Comments:
------------------------------------------------------------------------
[2011-07-03 14:33:23] fel...@php.net
What is the status of this?
------------------------------------------------------------------------
[2011-02-01 13:34:05] slim at inbox dot lv
after applying the patch php compiled with debug complain on every request:
Feb 01 14:26:38.214800 [WARNING] [pool www] child 16257 said into stderr: "[Tue
Feb 1 14:26:38 2011] Script: '-'"
Feb 01 14:26:38.214846 [WARNING] [pool www] child 16257 said into stderr:
"/var/tmp/portage/dev-lang/php-5.3.5-r100/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c(1116)
: Freeing 0x08B95CBC (23 bytes), script=-"
Feb 01 14:26:38.214857 [WARNING] [pool www] child 16257 said into stderr: "===
Total 1 memory leaks detected ==="
Feb 01 14:26:40.535416 [WARNING] [pool www] child 16258 said into stderr: "[Tue
Feb 1 14:26:40 2011] Script: '-'"
Feb 01 14:26:40.535466 [WARNING] [pool www] child 16258 said into stderr:
"/var/tmp/portage/dev-lang/php-5.3.5-r100/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c(1116)
: Freeing 0x08B95EA4 (23 bytes), script=-"
Feb 01 14:26:40.535477 [WARNING] [pool www] child 16258 said into stderr: "===
Total 1 memory leaks detected ==="
a line at fpm_main.c(1116) causing this is
SG(request_info).request_uri = request_uri ? estrndup(request_uri,
strcspn(request_uri, "?")) : NULL;
------------------------------------------------------------------------
[2010-08-04 17:07:20] konstantin at symbi dot org
btw, current fix_pathinfo implementation has security problems:
http://habrahabr.ru/blogs/sysadm/100961/
http://www.80sec.com/nginx-securit.html
If a site has uploads (say, images), one can upload an image containing
executable php code and append /something.php to the image url (say,
/uploads/1.jpg/test.php). When fix_pathinfo=1, init_request_info would use
/uploads/1.jpg as a script filename.
The suggested patch fixes this, too.
------------------------------------------------------------------------
[2010-06-09 16:15:57] f...@php.net
I mentioned all the web servers to make sure we agree on doing this.
I totaly agree on making this change. This pathinfo thing sucks for real.
------------------------------------------------------------------------
[2010-06-09 15:59:48] tony2...@php.net
Jerome, I agree that we should drop this fix_pathinfo stuff - it makes no sense
to adopt all the freaky things from CGI API.
The patch requires some extensive testing, though, that's clear. But I don't
think we should keep in mind of all the web-servers you mentioned.
Apache, nginx & lightty are my biggest concern, others can be safely dropped
(or assumed working).
You can forget about IIS anyway, FPM doesn't support Windows.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=51983
--
Edit this bug report at https://bugs.php.net/bug.php?id=51983&edit=1
