ID: 18349 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: Documentation problem Operating System: FreeBSD 4.6-RELEASE PHP Version: 4.2.1 New Comment:
next problem with start PHP as CGI with AddType some/type php Action some/type /cgi-bin/php With call script as: http://server/script.php/a/b/c For compare look at ./sapi/fastcgi/fastcgi.с on function +244 init_request_info() ... /* * if the file doesn't exist, try to extract PATH_INFO out * of it by stat'ing back through the '/' */ ... May be cgi code need like chunk ? b.r. Kozin Maxim Previous Comments: ------------------------------------------------------------------------ [2002-07-15 10:04:55] [EMAIL PROTECTED] change description: --------------------------------------------------------------------------------------- --enable-discard-path If this is enabled, the PHP CGI binary can safely be placed outside of the web tree and people will not be able to circumvent .htaccess security. (why ? what happened with this option ? without ?) to more clear: --------------------------------------------------------------------------------------- -enable-discard-path If this is enabled, the PHP CGI binary would get script for execution from ENV("SCRIPT_FILENAME"), if disabled - from ENV("PATH_TRANSLATED"). If this options disabled, anyone can call PHP in this way: http://servername/php4/php?/etc/passwd or so http://servername/php4/php?/home/clinets/somename/.htaccess where /php4 is defined like ScriptAlias /php4 /usr/local/not_web_root/php4 and /usr/local/not_web_root/php4 contained binary of cgi version php . To disable this unsecure behavior, set option --enable-force-cgi-redirect With this options, PHP check inside some internal variable (NOT enviroment from client, evil user can't spoof this variable !) And if php call in direct way, then PATH_TRANSLATED parameter don't be proceeded as php script file. ======================================================== May be to long and "not pure english", but I spend 1 hour , when tryed undestand, what means M$-like text "Now, Be more secure with this options !" p.s. may be You need one options ? --with-cgi It will assumed --enable-force-cgi-redirect and --enable-discard-path=no. Who realy need "--disable-force-cgi-redirect" ??? Who realy need --enable-discard-path=yes ? b.r. Kozin Maxim ------------------------------------------------------------------------ [2002-07-15 08:53:36] [EMAIL PROTECTED] Try include this string in apache configuration (.htaccess or base config) --------------------------------------------- AddType myphp/tst php4 Action myphp/tst /cgi-bin/printenv --------------------------------------------- Now run any script with .php4 extension, output would include: PATH_TRANSLATED="/usr/local/apache/virthost/v1/tst/tst.php4" ... SCRIPT_FILENAME="/usr/local/apache/virthost/v1/cgi-bin/printenv" Ok, now try change "printenv" on correct path to PHP, for example: --------------------------------------------- AddType myphp/tst php4 Action myphp/tst /cgi-bin/php --------------------------------------------- Now PHP try parsed himself, (some internal parser error on line 1234, for example, in file /usr/local/apache/virthost/v1/cgi-bin/php). But which env path must used PHP for target script ? May be PATH_TRANSLATED ? As we can see in printenv, this variable correct defined by apache. b.r. Kozin Maxim ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=18349&edit=1 -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php