#37157 [Opn->Asn]: force-cgi-redirect is not checked under FastCGI

Tue, 20 Jun 2006 07:59:50 -0700 

 ID:               37157
 Updated by:       [EMAIL PROTECTED]
 Reported By:      askalski at gmail dot com
-Status:           Open
+Status:           Assigned
 Bug Type:         CGI related
 Operating System: Linux
 PHP Version:      5CVS-2006-04-21 (snap)
 Assigned To:      dmitry


Previous Comments:
------------------------------------------------------------------------

[2006-04-29 17:20:00] askalski at gmail dot com

Yes.  I've been through the cgi_main source code, which goes something
like this:

main()
{
    ...
    /* this check here doesn't help in fastcgi mode */
    do_force_redirect_check();
    ...

    while (accept_fastcgi_connection())
    {
        import_cgi_environment();

        /* but here it would */
    }

    ...
}

------------------------------------------------------------------------

[2006-04-29 12:45:59] [EMAIL PROTECTED]

Have you set "cgi.force_redirect=1" in your php.ini?

------------------------------------------------------------------------

[2006-04-21 22:02:45] askalski at gmail dot com

Description:
------------
The FastCGI version of PHP does not perform the force-cgi-redirect
check for page requests.

If I request http://localhost/cgi-bin/php, PHP
tries to parse the PHP binary in /cgi-bin as
if it was a script.

If cgi.fix_pathinfo is turned off, users can
bypass .htaccess security.

See also bug #22846.


Reproduce code:
---------------
PHP was configured with:

./configure --enable-fastcgi --enable-force-cgi-redirect


My /cgi-bin/php is a wrapper script that sets up
FastCGI environment variables:

#! /bin/sh

export PHPRC=/etc/apache
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=512

exec /usr/local/bin/php


Expected result:
----------------
Security Alert! The PHP CGI cannot be accessed directly.

This PHP CGI binary was compiled with force-cgi-redirect enabled. This
means that a page will only be served up if the REDIRECT_STATUS CGI
variable is set, e.g. via an Apache Action directive.

For more information as to why this behaviour exists, see the manual
page for CGI security.

For more information about changing this behaviour or re-enabling this
webserver, consult the installation file that came with this
distribution, or visit the manual page.


Actual result:
--------------
export PHPRC=/etc/apache
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=512

exec /usr/local/bin/php



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=37157&edit=1

Reply via email to