cgi sapi is incorrectly removing the SCRIPT

cgi sapi is incorrectly removing the SCRIPT_FILENAME for non apache

Bug #47042

cgi sapi is incorrectly removing the SCRIPT_FILENAME for non apache

Submitted:

2009-01-08 20:04 UTC

Modified:

2009-06-09 13:33 UTC

Votes:	8
Avg. Score:	4.1 ± 0.9
Reproduced:	6 of 6 (100.0%)
Same Version:	5 (83.3%)
Same OS:	6 (100.0%)

From:

sriram dot natarajan at sun dot com

Assigned:

Status:

Closed

Package:

CGI/CLI related

PHP Version:

5.2.9

OS:

linux , solaris

Private report:

CVE-ID:

None

[2009-01-08 20:04 UTC] sriram dot natarajan at sun dot com

Description:
------------
currently, php cgi sapi code checks for redirect url and env_path_translated to determine if the request is coming from apache web server and accordingly modifies the CGI environment variables so that server can continue processing. 

however, this check is insufficient considering that any web server exporting SCRIPT_FILENAME and REDIRECT_URL with some value will be hit by the apache specific processing.



Reproduce code:
---------------
          if (env_path_translated != NULL && env_redirect_url != NULL) {
                /*
                   pretty much apache specific.  If we have a redirect_url
                   then our script_filename and script_name point to the
                   php executable
                */
                script_path_translated = env_path_translated;
                /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */
                env_script_name = env_redirect_url;
            }



Expected result:
----------------
server should continue processing

Actual result:
--------------
no input file is returned

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-08 20:06 UTC] sriram dot natarajan at sun dot com

here is the suggested patch to address this issue

--- sapi/cgi/cgi_main.c.ORIG    Wed Jan  7 07:10:14 2009
+++ sapi/cgi/cgi_main.c Wed Jan  7 19:37:21 2009
@@ -960,16 +960,18 @@
                                TRANSLATE_SLASHES(env_document_root);
                        }
 
-                       if (env_path_translated != NULL && env_redirect_url != NULL) {
-                               /* 
-                                  pretty much apache specific.  If we have a redirect_url
-                                  then our script_filename and script_name point to the
-                                  php executable
-                               */
-                               script_path_translated = env_path_translated;
-                               /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */
-                               env_script_name = env_redirect_url;
-                       }
+                        if (env_path_translated != NULL && env_redirect_url != NULL &&
+                                orig_script_filename != NULL && script_path_translated != NULL &&
+                                strcmp(orig_script_filename, script_path_translated) != 0) {
+                                /*
+                                   pretty much apache specific.  If we have a redirect_url
+                                   then our script_filename and script_name point to the
+                                   php executable
+                                */
+                                script_path_translated = env_path_translated;
+                                /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */
+                                env_script_name = env_redirect_url;
+                        }

[2009-01-08 22:19 UTC] sriram dot natarajan at sun dot com

previous patch had whitespaces instead of tabs causing the patch to appear distorted. 

posting a same patch with this issue addressed
--- sapi/cgi/cgi_main.c.ORIG    Thu Jan  8 14:18:25 2009
+++ sapi/cgi/cgi_main.c Thu Jan  8 14:18:31 2009
@@ -960,7 +960,9 @@
                                TRANSLATE_SLASHES(env_document_root);
                        }
 
-                       if (env_path_translated != NULL && env_redirect_url != NULL) {
+                       if (env_path_translated != NULL && env_redirect_url != NULL && 
+                               orig_script_filename != NULL && script_path_translated != NULL &&
+                               strcmp(orig_script_filename, script_path_translated) != 0) {
                                /* 
                                   pretty much apache specific.  If we have a redirect_url
                                   then our script_filename and script_name point to the

[2009-01-11 11:13 UTC] dsp@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2009-02-28 09:18 UTC] sriram dot natarajan at sun dot com

Hi
 php cgi module assumes that if redirect_uri is set , the request must be from apache and throws away the script_name value and assigns path_translated value to script name. 
 
 this is because, in cgi environment, apache sets the SCRIPT_NAME to the location of the php-cgi binary and keeping the PATH_INFO variable to point to the requested php script. this is very unique only to apache. 

 this crude test condition for apache is affecting sun web server executing in fastcgi mode where in it looses the script_name value and ends up returning with 'no input file specified'. 

 this happens only for sun web server and not for lighttpd because lighttpd does not set redirect_uri when requested for index.php. 

 based on this analysis , earlier, i provided a patch to address this issue . however, i overlooked the obvious and ended up breaking apache in cgi mode. 

 because of this, a separate bug : http://bugs.php.net/bug.php?id=47149 has been filed and my suggested patch was reverted.

my sincere apology on providing this obviously broken patch and wasting some of your time.

 pl. find attached a below patch that should do the right thing.
what we want to do is 

a) compare whether the script path is different from path translated since we know that apache by default sets the script name to point to the location of cgi binary and not the requested uri

[sn123202@samp]'php5'>diff -u php-5.2.9/sapi/cgi/cgi_main.c.ORIG php-5.2.9/sapi/cgi/cgi_main.c
--- php-5.2.9/sapi/cgi/cgi_main.c.ORIG  Sat Feb 28 00:44:54 2009
+++ php-5.2.9/sapi/cgi/cgi_main.c       Sat Feb 28 00:46:00 2009
@@ -961,7 +961,8 @@
                        }

                        if (env_path_translated != NULL && env_redirect_url != NULL &&
-                           orig_script_filename != NULL && script_path_translated != NULL) {
+                               env_path_translated != script_path_translated &&
+                               strcmp(env_path_translated, script_path_translated) != 0) {
                                /* 
                                   pretty much apache specific.  If we have a redirect_url
                                   then our script_filename and script_name point to the

[2009-03-03 09:56 UTC] sriram dot natarajan at sun dot com

i have tested this patch with apache 2.0 and 2.2 configurations within cgi and was able to get applications like joomla working fine.

can some one kindly look into the attached patch and provide your feedback

thanks

[2009-03-13 00:10 UTC] sriram dot natarajan at sun dot com

hi
 this fix is not available with the latest php snapshot. my latest patch needs to be looked into and considered fixing it for 5.3 as well as 5.2.9

[sn123202@samp]'php5'>diff -u php-5.2.9/sapi/cgi/cgi_main.c.ORIG
php-5.2.9/sapi/cgi/cgi_main.c
--- php-5.2.9/sapi/cgi/cgi_main.c.ORIG  Sat Feb 28 00:44:54 2009
+++ php-5.2.9/sapi/cgi/cgi_main.c       Sat Feb 28 00:46:00 2009
@@ -961,7 +961,8 @@
                        }

                        if (env_path_translated != NULL &&
env_redirect_url != NULL &&
-                           orig_script_filename != NULL &&
script_path_translated != NULL) {
+                               env_path_translated !=
script_path_translated &&
+                               strcmp(env_path_translated,
script_path_translated) != 0) {
                                /* 
                                   pretty much apache specific.  If we
have a redirect_url
                                   then our script_filename and
script_name point to the

thanks
sriram

[2009-05-09 18:40 UTC] php at dzm dot com

This behavior remains broken in PHP 5.2.9. Is there any chance at all of the patch being integrated into 5.2.10?

[2009-06-09 00:39 UTC] php at dzm dot com

I can verify that Sriram's patch works correctly (13-Mar) on a patched PHP 5.2.9 FCGI on Fedora 10.

Can anyone validate this for Windows/IIS and get this into PHP 5.2.10?

[2009-06-09 13:33 UTC] dsp@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.