php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49182 PHP CGI always outputs the shebang line
Submitted: 2009-08-06 18:59 UTC Modified: 2009-09-09 19:57 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: salsi at icosaedro dot it Assigned: iliaa (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 5.3SVN-2009-09-04 (SVN) OS: *
Private report: No CVE-ID: None
 [2009-08-06 18:59 UTC] salsi at icosaedro dot it
Description:
------------
Executing any PHP CGI script always results in the shebang line being displayed along the correct HTML code of the WEB page.
This happens with and without the --enable-discard-path configuration flag (although I'm not really sure this flag be realted to the issue or not).

Reproduce code:
---------------
#!/usr/local/php-5.3.0/bin/php-cgi -c /home/salsi/php530/php.ini
<?php
echo PHP_VERSION;
?>


Expected result:
----------------
$ ./shebang.php 
X-Powered-By: PHP/5.3.1-dev
Content-type: text/html

5.3.1-dev

Actual result:
--------------
$ ./shebang.php 
X-Powered-By: PHP/5.3.1-dev
Content-type: text/html

#!/usr/local/php-5.3.0/bin/php-cgi -c /home/salsi/php530/php.ini
5.3.1-dev

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-08-06 20:01 UTC] jani@php.net
What webserver? How did you configure PHP into it? 
 [2009-08-06 20:45 UTC] salsi at icosaedro dot it
I'm using Apache 2.2.8 + suexec without any support for PHP (it executes only CGI programs) and all worked well with PHP 5.2.5 I used until now. But this should not care, as in my opinion the shebang should not be displayed once the script has been detected to be executed as a program.

I configured PHP as follows:

./configure \
        --disable-all \
        --prefix=/usr/local/php-5.3.0 \
        --exec-prefix=/usr/local/php-5.3.0 \
        --disable-rpath \
        --disable-ipv6 \
        --enable-ftp=shared \
        --enable-sockets=shared \
        --enable-tokenizer \
        --with-gnu-ld=shared \
        --with-pgsql=shared \
        --enable-session \
        --enable-posix \
        --with-pcre-regex \
        --enable-mbstring=all \
        --enable-mbregex \
        --enable-libxml \
        --enable-xml \
        --enable-dom \
        --enable-pdo

I can also confirm that with the old version of PHP the shebang line did not came out under Apache and neither did it under the command line.
 [2009-08-09 09:51 UTC] salsi at icosaedro dot it
I also noted that the CGI version considers the shebang line as "generated output", and then namespace declarations are not allowed. For example:

#!/usr/local/php-5.3.0/bin/php-cgi -c /home/salsi/php530/php.ini
<?php
namespace foo\bar;
?>

tells

Fatal error:  Namespace declaration statement has to be the very first statement in the script in /home/salsi/php530/test.php on line 3

The CLI version /usr/local/php-5.3.0/bin/php instead works as expected and the  shebang line is not displayed.
 [2009-09-04 07:34 UTC] niklas at narhinen dot net
Hi, using php 5.3.0.

my script is:

#!/path/to/php-cgi
<?php
phpinfo();
?>

and it prints "#!/path/to/php-cgi" on top of the normal phpinfo

Running Debian Etch

This bug needs to be reopened..
 [2009-09-04 07:41 UTC] jani@php.net
Still borked.
 [2009-09-04 07:48 UTC] jani@php.net
Still happens using latest SVN checkout of today.
 [2009-09-04 11:22 UTC] jani@php.net
Ilia's fix for bug #46844 actually broke it.
 [2009-09-04 15:26 UTC] joey@php.net
Maybe that's a good argument for moving it out of the scanner and back into the SAPIs? I don't find it difficult to accept the argument that it's a SAPI-specific behaviour.
 [2009-09-05 11:50 UTC] jani@php.net
It's only useful for CGI and CLI. Other SAPIs shouldn't care about it.
 [2009-09-05 17:07 UTC] svn@php.net
Automatic comment from SVN on behalf of jani
Revision: http://svn.php.net/viewvc/?view=revision&revision=288081
Log: - Fixed bug #49182 (PHP CGI always outputs the shebang line)
 [2009-09-05 17:08 UTC] jani@php.net
Fixed in SVN. No idea in what release it will be in, but next snapshot 
of 5.3 at least has it.
 [2009-09-05 17:09 UTC] jani@php.net
The fix was simply reverting this change:
  
  http://svn.php.net/viewvc?view=revision&revision=264152

 [2009-09-09 19:57 UTC] jani@php.net
See also bug #48930 (adding url here to keep it in mind if _this_ bug 
gets fixed in scanner again :)
 [2009-10-09 17:03 UTC] svn@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=289428
Log: - Merge: Fixed bug #49182 (PHP CGI always outputs the shebang line), kill unused var
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 09:01:28 2024 UTC