ID: 18349 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Closed Bug Type: Documentation problem Operating System: FreeBSD 4.6-RELEASE PHP Version: 4.2.1 New Comment:
This bug has been fixed in CVS. In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/. In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites in short time. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2002-11-24 01:52:48] [EMAIL PROTECTED] I experienced the same problem with using php cgi version for 4.2.1 and 4.2.2. I ended up hacking it by using a shell script to call the actual php cgi: #!/bin/sh export SCRIPT_FILENAME=$PATH_TRANSLATED /usr/bin/php ------------------------------------------------------------------------ [2002-07-26 05:13:41] [EMAIL PROTECTED] next problem with start PHP as CGI with AddType some/type php Action some/type /cgi-bin/php With call script as: http://server/script.php/a/b/c For compare look at ./sapi/fastcgi/fastcgi.с on function +244 init_request_info() ... /* * if the file doesn't exist, try to extract PATH_INFO out * of it by stat'ing back through the '/' */ ... May be cgi code need like chunk ? b.r. Kozin Maxim ------------------------------------------------------------------------ [2002-07-15 10:04:55] [EMAIL PROTECTED] change description: --------------------------------------------------------------------------------------- --enable-discard-path If this is enabled, the PHP CGI binary can safely be placed outside of the web tree and people will not be able to circumvent .htaccess security. (why ? what happened with this option ? without ?) to more clear: --------------------------------------------------------------------------------------- -enable-discard-path If this is enabled, the PHP CGI binary would get script for execution from ENV("SCRIPT_FILENAME"), if disabled - from ENV("PATH_TRANSLATED"). If this options disabled, anyone can call PHP in this way: http://servername/php4/php?/etc/passwd or so http://servername/php4/php?/home/clinets/somename/.htaccess where /php4 is defined like ScriptAlias /php4 /usr/local/not_web_root/php4 and /usr/local/not_web_root/php4 contained binary of cgi version php . To disable this unsecure behavior, set option --enable-force-cgi-redirect With this options, PHP check inside some internal variable (NOT enviroment from client, evil user can't spoof this variable !) And if php call in direct way, then PATH_TRANSLATED parameter don't be proceeded as php script file. ======================================================== May be to long and "not pure english", but I spend 1 hour , when tryed undestand, what means M$-like text "Now, Be more secure with this options !" p.s. may be You need one options ? --with-cgi It will assumed --enable-force-cgi-redirect and --enable-discard-path=no. Who realy need "--disable-force-cgi-redirect" ??? Who realy need --enable-discard-path=yes ? b.r. Kozin Maxim ------------------------------------------------------------------------ [2002-07-15 08:53:36] [EMAIL PROTECTED] Try include this string in apache configuration (.htaccess or base config) --------------------------------------------- AddType myphp/tst php4 Action myphp/tst /cgi-bin/printenv --------------------------------------------- Now run any script with .php4 extension, output would include: PATH_TRANSLATED="/usr/local/apache/virthost/v1/tst/tst.php4" ... SCRIPT_FILENAME="/usr/local/apache/virthost/v1/cgi-bin/printenv" Ok, now try change "printenv" on correct path to PHP, for example: --------------------------------------------- AddType myphp/tst php4 Action myphp/tst /cgi-bin/php --------------------------------------------- Now PHP try parsed himself, (some internal parser error on line 1234, for example, in file /usr/local/apache/virthost/v1/cgi-bin/php). But which env path must used PHP for target script ? May be PATH_TRANSLATED ? As we can see in printenv, this variable correct defined by apache. b.r. Kozin Maxim ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=18349&edit=1 -- PHP Documentation Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
