ID: 40419
Comment by: jankorichter at yahoo dot de
Reported By: samuele dot diella at gmail dot com
Status: Feedback
Bug Type: CGI related
Operating System: Slackware 10.2
PHP Version: 5.2.1
Assigned To: dmitry
New Comment:
Yes, cgi.fix_pathinfo is set to 1. I have checked it with phpinfo().
But it doesn't work without the patch.
Previous Comments:
------------------------------------------------------------------------
[2007-05-21 11:31:04] [EMAIL PROTECTED]
Check that cgi.fix_pathinfo in php.ini is set to 1.
I cannot reproduce the behavior and cannot understand how the patch can
fix it.
------------------------------------------------------------------------
[2007-05-21 10:45:08] jankorichter at yahoo dot de
SCRIPT_FILENAME fixed.
--- php-5.2.2/sapi/cgi/cgi_main.c 2007-04-17 22:00:53.000000000
+0200
+++ php-5.2.2.new/sapi/cgi/cgi_main.c 2007-05-21 12:24:31.000000000
+0200
@@ -961,7 +961,15 @@
/* some server configurations allow '..' to slip
through in the
translated path. We'll just refuse to handle such
a path. */
if (script_path_translated &&
!strstr(script_path_translated, "..")) {
- SG(request_info).path_translated =
estrdup(script_path_translated);
+ char * real_path =
tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+ if ( real_path )
+ {
+ SG(request_info).path_translated =
estrdup(real_path);
+ script_path_translated =
_sapi_cgibin_putenv("SCRIPT_FILENAME", real_path TSRMLS_CC);
+ free(real_path);
+ } else {
+ SG(request_info).path_translated =
estrdup(script_path_translated);
+ }
}
SG(request_info).content_type = (content_type ?
content_type : "" );
SG(request_info).content_length = (content_length ?
atoi(content_length) : 0);
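Review bot: in the added `if ( real_path )` branch, script_path_translated is overwritten with the return value of _sapi_cgibin_putenv() and real_path is freed on the next line, with no check of that return value. If the helper can return NULL on failure, or hands back the pointer it was given instead of its own copy, every later use of script_path_translated reads an invalid pointer. Suggest checking the result before overwriting the variable and adding a comment that states who owns the returned string. Separately, the `..` refusal above still runs on the unresolved string, so a comment on whether the resolved path needs any further validation would help.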
------------------------------------------------------------------------
[2007-05-18 11:41:26] bugs at spuetz dot ath dot cx
Oh, it isn't, partially.
With the patch applied, SCRIPT_FILENAME still has a trailing slash.
On a working system (without the patch, too) a URL
/test.php/
results in a SCRIPT_FILENAME => /path/to/test.php
With the patch:
SCRIPT_FILENAME => /path/to/test.php/
------------------------------------------------------------------------
[2007-05-18 11:29:32] bugs at spuetz dot ath dot cx
I can confirm this for RHES3, 32bit, Apache 2.2.4 and fastcgi with
suexec.
The patch is working.
------------------------------------------------------------------------
[2007-05-15 16:17:12] jankorichter at yahoo dot de
I have created a small patch as a workaround. Should be checked and
approved.
--- sapi/cgi/cgi_main.c.org 2007-04-17 22:00:53.000000000 +0200
+++ sapi/cgi/cgi_main.c 2007-05-15 17:35:39.000000000 +0200
@@ -961,7 +961,14 @@
/* some server configurations allow '..' to slip
through in the
translated path. We'll just refuse to handle such
a path. */
if (script_path_translated &&
!strstr(script_path_translated, "..")) {
- SG(request_info).path_translated =
estrdup(script_path_translated);
+ char * real_path =
tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+ if ( real_path )
+ {
+ SG(request_info).path_translated =
estrdup(real_path);
+ free(real_path);
+ } else {
+ SG(request_info).path_translated =
estrdup(script_path_translated);
+ }
}
SG(request_info).content_type = (content_type ?
content_type : "" );
SG(request_info).content_length = (content_length ?
atoi(content_length) : 0);
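Review bot: the added branch stores the resolved path in SG(request_info).path_translated only, while script_path_translated and SCRIPT_FILENAME keep the unresolved value, so the two can disagree; this matches the trailing-slash report in the 2007-05-18 comment. Suggest updating both from real_path in the same branch, or documenting why they are allowed to differ. The pairing of tsrm_realpath(..., NULL ...) with free(), next to estrdup() for the stored copy, also deserves a one-line comment on which allocator owns real_path.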
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/40419