PHP :: Bug #40419 :: Trailing Slash in CGI request don't work

Bug #40419

Trailing Slash in CGI request don't work

Submitted:

2007-02-09 17:37 UTC

Modified:

2007-09-10 11:09 UTC

Votes:	17
Avg. Score:	4.9 ± 0.2
Reproduced:	15 of 15 (100.0%)
Same Version:	13 (86.7%)
Same OS:	3 (20.0%)

From:

samuele dot diella at gmail dot com

Assigned:

dmitry (profile)

Status:

Closed

Package:

CGI/CLI related

PHP Version:

5.2.1

OS:

Slackware 10.2

Private report:

CVE-ID:

None

View Developer Edit

[2007-02-09 17:37 UTC] samuele dot diella at gmail dot com

Description:
------------
In php-5.2.1 compiled as CGI under Apache 1.3.37, when i enter an url with a trailing slash, with no params after, i get a "No input file specified.".
If i don't write the slash, or if i write a single character after the slash, the request is handled correctly.

es.:

http://www.myserver.com/phpinfo.php5 ---> works
http://www.myserver.com/phpinfo.php5/ ---> No input file specified.
http://www.myserver.com/phpinfo.php5/test ---> works

In php-5.2.0, compiled with the same config, the request is handled correctly.

This is my config line:

./configure --prefix=/usr --with-xsl --sysconfdir=/etc --enable-discard-path --with-config-file-path=/etc/apache/php5 --enable-safe-mode --with-openssl --with-mhash --enable-bcmath --with-bz2 --with-pic --enable-calendar --enable-ctype --with-gdbm --with-db3 --with-imap-ssl=/usr/local/lib/c-client --with-imap=/usr/local/lib/c-client --enable-dbase --enable-ftp --with-iconv --with-dom --with-exif --enable-exif --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr --with-t1lib=/usr --with-jpeg-dir=/usr --with-png --with-gmp --enable-mbstring --with-curl=/usr --with-pcre-regex=/usr --with-mysql --with-mysql-sock=/var/run/mysql --with-mysqli --with-gettext=shared,/usr --with-expat-dir=/usr --with-xml --with-tsrm-pthreads --with-mm=/usr --enable-trans-sid --enable-shmop --enable-sockets --with-regex=php --with-mime-magic --enable-sysvsem --enable-sysvshm --enable-yp --enable-memory-limit --enable-shared --disable-debug --with-zlib=/usr --with-mcrypt --with-ttf --enable-force-cgi-redirect

This is my Apache configuration:

AddType application/x-httpd-php5 .php5
Action application/x-httpd-php5 "/cgi-bin/php5"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

I tryed many configuration options in php.ini and in configure command, but i was not able to get it works as before.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-02-13 12:24 UTC] hacker at ee dot ethz dot ch

i can confirm this issue on sarge/amd64 (gcc),
whereas it works just fine on solaris8/sparc (gcc) with the same extensions enabled and the same php.ini settings.
i am running fastcgi with apache2.0.59.

[2007-05-15 16:17 UTC] jankorichter at yahoo dot de

I have created a small patch as a workaround. Should be checked and approved. 

--- sapi/cgi/cgi_main.c.org      2007-04-17 22:00:53.000000000 +0200
+++ sapi/cgi/cgi_main.c  2007-05-15 17:35:39.000000000 +0200
@@ -961,7 +961,14 @@
                /* some server configurations allow '..' to slip through in the
                   translated path.   We'll just refuse to handle such a path. */
                if (script_path_translated && !strstr(script_path_translated, "..")) {
-                       SG(request_info).path_translated = estrdup(script_path_translated);
+                       char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+                       if ( real_path )
+                       {
+                         SG(request_info).path_translated = estrdup(real_path);
+                         free(real_path);
+                       } else {
+                         SG(request_info).path_translated = estrdup(script_path_translated);
+                        }
                }
                SG(request_info).content_type = (content_type ? content_type : "" );
                SG(request_info).content_length = (content_length ? atoi(content_length) : 0);

[2007-05-18 11:29 UTC] bugs at spuetz dot ath dot cx

I can confirm this for RHES3, 32bit, Apache 2.2.4 and fastcgi with suexec. 

The patch is working.

[2007-05-18 11:41 UTC] bugs at spuetz dot ath dot cx

Oh, it isn't, partially.

with patch applied, SCRIPT_FILENAME has still a trailing slash. 

On a working system (without the patch, too) a url

/test.php/

results in a SCRIPT_FILENAME => /path/to/test.php

with patch:

SCRIPT_FILENAME => /path/to/test.php/

[2007-05-21 10:45 UTC] jankorichter at yahoo dot de

SCRIPT_FILENAME fixed.


--- php-5.2.2/sapi/cgi/cgi_main.c       2007-04-17 22:00:53.000000000 +0200
+++ php-5.2.2.new/sapi/cgi/cgi_main.c   2007-05-21 12:24:31.000000000 +0200
@@ -961,7 +961,15 @@
                /* some server configurations allow '..' to slip through in the
                   translated path.   We'll just refuse to handle such a path. */
                if (script_path_translated && !strstr(script_path_translated, "..")) {
-                       SG(request_info).path_translated = estrdup(script_path_translated);
+                       char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+                       if ( real_path )
+                       {
+                         SG(request_info).path_translated = estrdup(real_path);
+                         script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", real_path TSRMLS_CC);
+                         free(real_path);
+                       } else {
+                         SG(request_info).path_translated = estrdup(script_path_translated);
+                        }
                }
                SG(request_info).content_type = (content_type ? content_type : "" );
                SG(request_info).content_length = (content_length ? atoi(content_length) : 0);

[2007-05-21 11:31 UTC] dmitry@php.net

Check that cgi.fix_pathinfo in php.ini is set to 1.

I cannot reproduce the behavior and cannot understand how patch can fix it.

[2007-05-21 11:51 UTC] jankorichter at yahoo dot de

Yes, cgi.fix_pathinfo is set to 1. I have checked it with phpinfo().
But it doesn't work without patch.

[2007-06-21 10:21 UTC] bugs at spuetz dot ath dot cx

I tried 5.2.3 and it doesn't work without patch. 

I just created a vhost with unpatched 5.2.3:
http://bug40419.screenwork-dev.de/info.php => works
http://bug40419.screenwork-dev.de/info.php/ => no input...

With patch:
http://www1.screenwork.de/mas/phpinfo.php
http://www1.screenwork.de/mas/phpinfo.php/

Patched with: http://www1.screenwork.de/mas/40419.patch

Do you need anything else?

[2007-06-22 12:00 UTC] dmitry@php.net

Could you test the following patch.

http://phpfi.com/243843

[2007-06-23 11:01 UTC] bugs at spuetz dot ath dot cx

Your patch works.

[2007-06-26 07:33 UTC] jankorichter at yahoo dot de

It works for me too.

[2007-06-26 14:47 UTC] dmitry@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2007-09-10 11:09 UTC] dmitry@php.net

The fix for this bug was incorrect.
It causes bug #42587.
Please verify latest snapshot that contains fix for #42587.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC