PHP :: Bug #30279 :: 404 instead of 403 when permission denied

Bug #30279	404 instead of 403 when permission denied
Submitted:	2004-09-29 19:27 UTC	Modified:	2004-09-30 03:58 UTC
From:	pviet at azuria dot com	Assigned:
Status:	Not a bug	Package:	CGI/CLI related
PHP Version:	4.3.9	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	pviet at azuria dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-09-29 19:27 UTC] pviet at azuria dot com

Description:
------------
Status 404 instead of 403 when file passed via environment is not accessible. This leads to error on debugging and took me about 7hrs to find what was really happening
(wrong rights)

Reproduce code:
---------------
Abstract :
- A PHP file is called x.php, located in /data/www/x.php
- My user is called someunixuser
- This someunixuser can't read the file because lacking unix permissions (not owner, 0700 or so on)

mybox:~$ cat /data/www/x.php
cat: /data/www/x.php: Permission denied

mybox:~$ env SCRIPT_FILENAME=/data/www/x.php /usr/bin/php
Status: 404
Content-type: text/html
X-Powered-By: PHP/4.3.9

No input file specified.
mybox:~$

Expected result:
----------------
Return a 403 and "Permission denied on /data/web/x.php"

Actual result:
--------------
Return a 404 and "No input files"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-09-30 03:28 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP has no way of knowing if a file existings when it does not have permission to access. Hence the 404 error message.

[2004-09-30 03:54 UTC] pviet at azuria dot com

Isn't it more logical that denied should return 403.. ?
(and keep 404 for when php KNOWS the file doesn't exist, eg. has access to the directory)

[2004-09-30 03:58 UTC] iliaa@php.net

In some cases it may have access to the directory and in other cases it may not. So rather then return 2 different error codes for the same error PHP tries to be consistent.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jul 02 01:01:34 2025 UTC