ID: 18349
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
-Bug Type: Apache related
+Bug Type: Documentation problem
Operating System: FreeBSD 4.6-RELEASE
PHP Version: 4.2.1
New Comment:
change description:
---------------------------------------------------------------------------------------
--enable-discard-path
If this is enabled, the PHP CGI binary can safely be placed outside of
the web tree and people will not be able to circumvent .htaccess
security.
(Why? What happens with this option? Without it?)
to something clearer:
---------------------------------------------------------------------------------------
--enable-discard-path
If this is enabled, the PHP CGI binary would get the
script for execution from ENV("SCRIPT_FILENAME"),
if disabled - from ENV("PATH_TRANSLATED").
If this option is disabled, anyone can
call PHP this way:
http://servername/php4/php?/etc/passwd
or so
http://servername/php4/php?/home/clinets/somename/.htaccess
where /php4 is defined like
ScriptAlias /php4 /usr/local/not_web_root/php4
and /usr/local/not_web_root/php4 contains the binary of the CGI version of PHP.
To disable this insecure behavior, set the option
--enable-force-cgi-redirect
With this option, PHP checks some internal variable (NOT the
environment from the client, an evil user can't spoof this variable!),
and if PHP is called directly, then the PATH_TRANSLATED parameter is not
processed as a PHP script file.
========================================================
Maybe too long and "not pure English", but I spent 1 hour trying to
understand what the M$-like text "Now, Be more secure with this
options !" means.
p.s.
Maybe you need just one option?
--with-cgi
It would assume --enable-force-cgi-redirect and
--enable-discard-path=no.
Who really needs "--disable-force-cgi-redirect"???
Who really needs --enable-discard-path=yes?
b.r.
Kozin Maxim
Previous Comments:
------------------------------------------------------------------------
[2002-07-15 08:53:36] [EMAIL PROTECTED]
Try including this string in the Apache configuration (.htaccess or base
config)
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/printenv
---------------------------------------------
Now run any script with the .php4 extension; the output will include:
PATH_TRANSLATED="/usr/local/apache/virthost/v1/tst/tst.php4"
...
SCRIPT_FILENAME="/usr/local/apache/virthost/v1/cgi-bin/printenv"
OK, now try changing "printenv" to the correct path to PHP, for example:
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/php
---------------------------------------------
Now PHP tries to parse itself (some internal parser error on line 1234,
for example, in file /usr/local/apache/virthost/v1/cgi-bin/php).
But which env path must PHP use for the target script?
Maybe PATH_TRANSLATED? As we can see in printenv, this variable is
correctly defined by Apache.
b.r.
Kozin Maxim
------------------------------------------------------------------------
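Added example (not part of the bug report and not PHP project code): a Python check that scans Apache access-log lines for requests addressed to the CGI interpreter itself, the direct-call pattern the comment describes. The /php4/php URL is taken from the comment's ScriptAlias example; the log lines are constructed samples in Common Log Format.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption from the comment's example: the CGI binary is reachable as
# /php4/php through "ScriptAlias /php4 ...". Adjust for your own layout.
INTERPRETER_URL = "/php4/php"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def direct_interpreter_hits(lines, interpreter_url=INTERPRETER_URL):
    """Return (host, timestamp, status, argument) for every request whose
    URL path is the interpreter itself instead of a script that Apache
    hands to the interpreter through an Action directive."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        raw_path, _, query = m.group("target").partition("?")
        # Decode %xx escapes and collapse "//" and "/./" before comparing.
        path = posixpath.normpath(re.sub(r"/+", "/", unquote(raw_path)))
        # Flag the binary itself, with or without trailing PATH_INFO.
        if path == interpreter_url or path.startswith(interpreter_url + "/"):
            argument = unquote(query) or path[len(interpreter_url):]
            hits.append((m.group("host"), m.group("ts"),
                         int(m.group("status")), argument))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2002:08:50:01 +0400] "GET /tst/tst.php4 HTTP/1.0" 200 512',
    '192.0.2.77 - - [15/Jul/2002:08:51:12 +0400] "GET /php4/php?/etc/passwd HTTP/1.0" 200 1842',
    '192.0.2.77 - - [15/Jul/2002:08:51:30 +0400] "GET /php4//php?%2Fhome%2Fuser%2F.htaccess HTTP/1.0" 200 97',
    '192.0.2.10 - - [15/Jul/2002:08:52:44 +0400] "GET /php4/phpinfo.html HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for host, ts, status, arg in direct_interpreter_hits(SAMPLE_LOG):
        print(f"{ts} {host} status={status} direct interpreter call, argument={arg!r}")
```

Any hit answered with status 200 is worth checking against the server's build options, since a normal request for a .php4 file never names the interpreter in its URL.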
--
PHP Documentation Mailing List (http://www.php.net/)