Bug #22127 bogus http response when force-cgi-redirect safety mechanism triggered
Submitted: 2003-02-08 14:46 UTC Modified: 2004-03-12 08:58 UTC
From: zlo at canada dot com Assigned:
Status: Closed Package: CGI/CLI related
PHP Version: 4CVS, 5CVS OS: *
Private report: No CVE-ID: None
 [2003-02-08 14:46 UTC] zlo at canada dot com
When php is used in cgi mode with force-cgi-redirect enabled, and the safety mechanism is triggered, PHP produces a bogus http response line:
HTTP/1.1 0
This is invalid and browsers fail to display the output.
It happens for PHP 4.3.0 and a fresh PHP 4.3.1-dev snapshot under both Windows and Linux.
AFAIK 0 is not a valid response code, and unless one uses a non-compliant browser or accesses the page through a raw telnet session, the warning page cannot be seen.
It would be desirable for PHP to produce a meaningful response code, such as 200, 403 or 500.
For example:

GET /cgi-bin/php/pi.php HTTP/1.1
HOST: mysite

HTTP/1.1 0
Date: Sat, 08 Feb 2003 20:32:46 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=windows-1251

283
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.

<p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This
means that a page will only be served up if the REDIRECT_STATUS CGI variable is
set, e.g. via an Apache Action directive.</p>
<p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
<p>For more information about changing this behaviour or re-enabling this webserver,
consult the installation file that came with this distribution, or visit
<a href="http://php.net/install.windows">the manual page</a>.</p>

0
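The following is an added illustration, not code from the bug report or from PHP's sources. It checks a raw HTTP/1.x response the way a strict client would: the status line is matched against the RFC 2616 grammar (a three-digit status code), so the `HTTP/1.1 0` line quoted above is rejected while `HTTP/1.1 403 Forbidden` passes, and a chunked body is decoded so the alert text can still be inspected. The two sample responses are constructed to mirror the report, with the body shortened to the alert's first line; the function names are the example's own.

```python
"""Check an HTTP/1.x response for a well-formed status line.

Added illustration for this bug report; it is not PHP's code. The sample
responses below are constructed to mirror the report, with a shortened body.
"""
import re

# RFC 2616 6.1: Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
# The status code is exactly three digits, which is why "HTTP/1.1 0" is rejected.
_STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def parse_status_line(line):
    """Return (major, minor, code, reason); raise ValueError on a malformed line."""
    m = _STATUS_LINE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("Bad response code: %r" % line.rstrip("\r\n"))
    major, minor, code, reason = m.groups()
    return int(major), int(minor), int(code), reason or ""


def decode_chunked(body):
    """Decode a Transfer-Encoding: chunked body (chunk extensions and trailers ignored)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def check_response(raw):
    """Split a raw response into status, headers and body; flag a bad status line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    result = {"ok": True, "code": None, "reason": "", "problem": "", "headers": {}}
    try:
        _, _, result["code"], result["reason"] = parse_status_line(lines[0])
    except ValueError as exc:
        result["ok"] = False
        result["problem"] = str(exc)
    for h in lines[1:]:
        name, _, value = h.partition(":")
        result["headers"][name.strip().lower()] = value.strip()
    if result["headers"].get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    result["body"] = body
    return result


# Constructed samples: the alert text is PHP's, the body is shortened to one line.
ALERT = b"<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n"
_CHUNKED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(ALERT), ALERT)
_HEADERS = (b"Server: Apache/1.3.27 (Unix) PHP/4.3.0\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Type: text/html; charset=windows-1251\r\n\r\n")
BOGUS_RESPONSE = b"HTTP/1.1 0\r\n" + _HEADERS + _CHUNKED              # what PHP 4.3.0 sent
FIXED_RESPONSE = b"HTTP/1.1 403 Forbidden\r\n" + _HEADERS + _CHUNKED  # after the fix


if __name__ == "__main__":
    for raw in (BOGUS_RESPONSE, FIXED_RESPONSE):
        r = check_response(raw)
        print("ok" if r["ok"] else r["problem"], r["code"], r["reason"])
```

Running it prints the rejection for the bogus response and `ok 403 Forbidden` for the fixed one; the same kind of status-line check is what makes a compliant client discard the alert page entirely rather than render it.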

 [2003-03-30 15:45 UTC] zlo at canada dot com
using the latest build:
# HEAD http://mysite/cgi-bin/php/pi.php
500 Bad response code: 'HTTP/1.1 0'
 [2003-08-08 06:16 UTC] sniper@php.net
Still a problem with both PHP4/PHP5.

 [2004-02-28 09:52 UTC] scottmacvicar at ntlworld dot com
403 is probably the most appropriate response code.
Though 400 Bad Request could be another possibility.

http://www.w3.org/Protocols/HTTP/HTRESP.html

patch
-------
diff -u cgi_main.c cgi_main.c.patched
--- cgi_main.c  2004-02-28 14:53:31.000000000 +0000
+++ cgi_main.c.patched  2004-02-28 14:54:16.000000000 +0000
@@ -1106,6 +1106,7 @@
                            in case some server does something different than above */
                        && (!redirect_status_env || !getenv(redirect_status_env))
                        ) {
+                       SG(sapi_headers).http_response_code = 403;
                        PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
 <p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This\n\
 means that a page will only be served up if the REDIRECT_STATUS CGI variable is\n\
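Review bot: The hunk is cut off partway through the PUTS() string, so the rest of the alert text and whatever follows it (the early exit after the alert) are not visible here; please post the complete hunk so the path after `SG(sapi_headers).http_response_code = 403;` can be checked. Placing the assignment before the first PUTS() is the right spot, since the status line is written out when the first output flushes the headers, and a 403 matches the alert's wording that the CGI "cannot be accessed directly". The report lists both 4CVS and 5CVS and sniper confirmed both PHP4 and PHP5 are affected, so the same one-line change needs to land in both branches of cgi_main.c.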
 [2004-03-12 08:58 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.