ID:               22127
 Comment by:       scottmacvicar at ntlworld dot com
 Reported By:      zlo at canada dot com
 Status:           Verified
 Bug Type:         CGI related
 Operating System: *
 PHP Version:      4CVS, 5CVS
 New Comment:

403 is probably the most appropriate response code.

Though 400 Bad Request could be another possibility.



http://www.w3.org/Protocols/HTTP/HTRESP.html



patch

-------

diff -u cgi_main.c cgi_main.c.patched

--- cgi_main.c  2004-02-28 14:53:31.000000000 +0000

+++ cgi_main.c.patched  2004-02-28 14:54:16.000000000 +0000

@@ -1106,6 +1106,7 @@

                            in case some server does something
different than above */

                        && (!redirect_status_env ||
!getenv(redirect_status_env))

                        ) {

+                       SG(sapi_headers).http_response_code = 403;

                        PUTS("<b>Security Alert!</b> The PHP CGI cannot
be accessed directly.\n\n\

 <p>This PHP CGI binary was compiled with force-cgi-redirect enabled. 
This\n\

 means that a page will only be served up if the REDIRECT_STATUS CGI
variable is\n\
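Review bot: the new `SG(sapi_headers).http_response_code = 403;` line is placed before the `PUTS(...)` of the alert body, which is the correct order, since the status line is written out together with the first output; what the hunk does not address is that the code was evidently still 0 on this path (the report's `HTTP/1.1 0`), so any other early-exit path that writes output without setting a code will emit the same malformed status line, and initialising the field to a sane default at request start would cover those too. Minor: the diff is taken between a bare local `cgi_main.c` and `cgi_main.c.patched` with no tree-relative path, so it needs the path adjusted before it can be applied to a checkout.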


Previous Comments:
------------------------------------------------------------------------

[2003-08-08 06:16:21] [EMAIL PROTECTED]

Still a problem with both PHP4/PHP5.



------------------------------------------------------------------------

[2003-03-30 15:45:43] zlo at canada dot com

Using the latest build:

# HEAD http://mysite/cgi-bin/php/pi.php

500 Bad response code: 'HTTP/1.1 0'

------------------------------------------------------------------------

[2003-03-30 06:44:32] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip



------------------------------------------------------------------------

[2003-02-08 14:46:41] zlo at canada dot com

When PHP is used in CGI mode with force-cgi-redirect enabled, and the
safety mechanism is triggered, PHP produces a bogus HTTP response
line:

HTTP/1.1 0

This is invalid and browsers fail to display the output.

It happens for PHP 4.3.0 and a fresh PHP 4.3.1-dev snapshot under both
Windows and Linux.

AFAIK 0 is not a valid response code, and unless one uses a
non-compliant browser or accesses the page through a raw telnet
session, the warning page cannot be seen.

It would be desirable for PHP to produce a meaningful response code,
such as 200, 403 or 500.

For example:



GET /cgi-bin/php/pi.php HTTP/1.1

HOST: mysite



HTTP/1.1 0

Date: Sat, 08 Feb 2003 20:32:46 GMT

Server: Apache/1.3.27 (Unix) PHP/4.3.0

Transfer-Encoding: chunked

Content-Type: text/html; charset=windows-1251



283

<b>Security Alert!</b> The PHP CGI cannot be accessed directly.



<p>This PHP CGI binary was compiled with force-cgi-redirect enabled. 
This

means that a page will only be served up if the REDIRECT_STATUS CGI
variable is

set, e.g. via an Apache Action directive.</p>

<p>For more information as to <i>why</i> this behaviour exists, see the
<a href="http://php.net/security.cgi-bin";>manual page for CGI
security</a>.</p>

<p>For more information about changing this behaviour or re-enabling
this webserver,

consult the installation file that came with this distribution, or
visit

<a href="http://php.net/install.windows";>the manual page</a>.</p>



0
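The behaviour reported above, as an added example that is not part of the bug report and not PHP's own code: a small C model of the force-cgi-redirect gate and of the status line the CGI SAPI writes, followed by the client-side check a tool such as the HEAD command above performs. It assumes the gate looks for the REDIRECT_STATUS variable plus one configurable extra variable name (as the hunk's `redirect_status_env` suggests); the function names, the `patched` flag and the environment arrays are constructed for the example. `patched = 0` reproduces the `HTTP/1.1 0` line, `patched = 1` models the 403 fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Look up NAME in a constructed "NAME=VALUE" array; stand-in for getenv()
 * so the example runs with environments built inline. */
static const char *env_get(const char *const *envp, const char *name) {
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* The force-cgi-redirect gate (assumed shape): 1 when the request arrived
 * through a web-server redirect (REDIRECT_STATUS, or the configured extra
 * variable, is set), 0 when the CGI binary was accessed directly. */
static int came_via_redirect(const char *const *envp, const char *redirect_status_env) {
    if (env_get(envp, "REDIRECT_STATUS")) return 1;
    if (redirect_status_env && env_get(envp, redirect_status_env)) return 1;
    return 0;
}

/* Response code for the request. patched = 0 leaves the blocked path at the
 * initial 0 (the bug); patched = 1 applies the 403 from the proposed patch. */
static int gate_response_code(const char *const *envp, const char *redirect_status_env, int patched) {
    if (came_via_redirect(envp, redirect_status_env)) return 200;
    return patched ? 403 : 0;
}

/* Reason phrases for the codes discussed in the report; "" for anything else,
 * which is what produces a bare "HTTP/1.1 0" line. */
static const char *reason_phrase(int code) {
    switch (code) {
    case 200: return "OK";
    case 400: return "Bad Request";
    case 403: return "Forbidden";
    case 500: return "Internal Server Error";
    default:  return "";
    }
}

/* Status line as the server side would write it. Returns the length. */
static int format_status_line(int code, char *buf, size_t size) {
    const char *reason = reason_phrase(code);
    if (*reason) return snprintf(buf, size, "HTTP/1.1 %d %s", code, reason);
    return snprintf(buf, size, "HTTP/1.1 %d", code);
}

/* Client-side validation: "HTTP/" digit "." digit SP 3DIGIT, then SP or end,
 * code in 100..599. Returns the code, or -1 for a malformed status line. */
static int parse_status_line(const char *line) {
    int code = 0;
    if (strncmp(line, "HTTP/", 5) != 0) return -1;
    line += 5;
    if (!isdigit((unsigned char)line[0]) || line[1] != '.' ||
        !isdigit((unsigned char)line[2]) || line[3] != ' ') return -1;
    line += 4;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)line[i])) return -1;
        code = code * 10 + (line[i] - '0');
    }
    if (line[3] != ' ' && line[3] != '\0') return -1;
    if (code < 100 || code > 599) return -1;
    return code;
}

/* Run the gate for a constructed environment and return what a client parses
 * from the resulting status line (-1 = unusable, as with "HTTP/1.1 0"). */
static int simulate(const char *const *envp, const char *redirect_status_env, int patched) {
    char line[64];
    format_status_line(gate_response_code(envp, redirect_status_env, patched), line, sizeof line);
    return parse_status_line(line);
}

/* Direct access to the CGI binary, as in the report's GET /cgi-bin/php/pi.php. */
static int simulate_direct(int patched) {
    const char *envp[] = { "REQUEST_METHOD=GET", "SCRIPT_NAME=/cgi-bin/php/pi.php", NULL };
    return simulate(envp, NULL, patched);
}

/* Request routed through an Apache Action directive (REDIRECT_STATUS set). */
static int simulate_redirected(int patched) {
    const char *envp[] = { "REQUEST_METHOD=GET", "REDIRECT_STATUS=200", NULL };
    return simulate(envp, NULL, patched);
}

/* Server that uses a custom variable name instead of REDIRECT_STATUS. */
static int simulate_custom_var(int patched) {
    const char *envp[] = { "REQUEST_METHOD=GET", "MY_REDIRECT=1", NULL };
    return simulate(envp, "MY_REDIRECT", patched);
}

int main(void) {
    printf("unpatched, direct access: client parses %d\n", simulate_direct(0));
    printf("patched, direct access:   client parses %d\n", simulate_direct(1));
    printf("patched, via Action:      client parses %d\n", simulate_redirected(1));
    return 0;
}
```

The parser is deliberately strict in the same way the reporter's client was: a status line whose code is not three digits is rejected outright, so with the unpatched gate the Security Alert body never reaches a compliant browser, while with the 403 fix the same body arrives under a status the browser will render.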



------------------------------------------------------------------------

