php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #30279 404 instead of 403 when permission denied
Submitted: 2004-09-29 19:27 UTC Modified: 2004-09-30 03:58 UTC
From: pviet at azuria dot com Assigned:
Status: Not a bug Package: CGI/CLI related
PHP Version: 4.3.9 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: pviet at azuria dot com
New email:
PHP Version: OS:

 

 [2004-09-29 19:27 UTC] pviet at azuria dot com
Description:
------------
Status 404 instead of 403 when file passed via environment is not accessible. This leads to error on debugging and took me about 7hrs to find what was really happening
(wrong rights)

Reproduce code:
---------------
Abstract :
- A PHP file is called x.php, located in /data/www/x.php
- My user is called someunixuser
- This someunixuser can't read the file because lacking unix permissions (not owner, 0700 or so on)

mybox:~$ cat /data/www/x.php
cat: /data/www/x.php: Permission denied

mybox:~$ env SCRIPT_FILENAME=/data/www/x.php /usr/bin/php
Status: 404
Content-type: text/html
X-Powered-By: PHP/4.3.9

No input file specified.
mybox:~$

Expected result:
----------------
Return a 403 and "Permission denied on /data/web/x.php"

Actual result:
--------------
Return a 404 and "No input files"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-30 03:28 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP has no way of knowing if a file existings when it does not have permission to access. Hence the 404 error message.
 [2004-09-30 03:54 UTC] pviet at azuria dot com
Isn't it more logical that denied should return 403.. ?
(and keep 404 for when php KNOWS the file doesn't exist, eg. has access to the directory)
 [2004-09-30 03:58 UTC] iliaa@php.net
In some cases it may have access to the directory and in other cases it may not. So rather then return 2 different error codes for the same error PHP tries to be consistent.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC