php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #18349 PATH_TRANSLATED agian
Submitted: 2002-07-15 08:53 UTC Modified: 2002-12-03 01:10 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: madmax at express dot ru Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.2.1 OS: FreeBSD 4.6-RELEASE
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: madmax at express dot ru
New email:
PHP Version: OS:

 

 [2002-07-15 08:53 UTC] madmax at express dot ru 
Try include this string in apache configuration (.htaccess or base config)
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/printenv
---------------------------------------------
Now run any script with .php4 extension, output would include:
PATH_TRANSLATED="/usr/local/apache/virthost/v1/tst/tst.php4"
...
SCRIPT_FILENAME="/usr/local/apache/virthost/v1/cgi-bin/printenv"

Ok, now try change "printenv" on correct path to PHP, for example:
---------------------------------------------
AddType myphp/tst php4
Action myphp/tst /cgi-bin/php
---------------------------------------------

Now PHP try parsed himself, (some internal parser error on line 1234, for example, in file /usr/local/apache/virthost/v1/cgi-bin/php). 
But  which env path must used PHP for target script ?
May be PATH_TRANSLATED ? As we can see in printenv, this variable correct defined  by apache.

b.r.
  Kozin Maxim

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-15 10:04 UTC] madmax at express dot ru 
change  description:
---------------------------------------------------------------------------------------
--enable-discard-path
If this is enabled, the PHP CGI binary can safely be placed outside of the web tree and people will not be able to circumvent .htaccess security.

(why ? what happened with this option ? without ?)

to more clear:
---------------------------------------------------------------------------------------
-enable-discard-path
If this is enabled, the PHP CGI binary would get
script for execution from ENV("SCRIPT_FILENAME"),
if disabled - from ENV("PATH_TRANSLATED").
If this options disabled, anyone can
call PHP in this way:
http://servername/php4/php?/etc/passwd
or so
http://servername/php4/php?/home/clinets/somename/.htaccess

where /php4 is defined like
ScriptAlias /php4 /usr/local/not_web_root/php4
and /usr/local/not_web_root/php4 contained binary of cgi version php
.
To disable this unsecure behavior, set option
--enable-force-cgi-redirect
With this options, PHP check inside some internal variable (NOT enviroment from client, evil user can't spoof this variable !)
And if php call in direct way, then PATH_TRANSLATED parameter don't be proceeded as php script file.
========================================================
May be to long and "not pure english", but I spend 1 hour , when tryed undestand, what means M$-like  text "Now, Be more secure with this options !" 

p.s.
 may be You need one options ? 
--with-cgi
It will assumed --enable-force-cgi-redirect and 
--enable-discard-path=no.
Who realy need "--disable-force-cgi-redirect" ???
Who realy need --enable-discard-path=yes ?

b.r.
  Kozin Maxim
 [2002-07-26 05:13 UTC] madmax at express dot ru 
next problem with start PHP as CGI with

AddType some/type php
Action some/type /cgi-bin/php

With call script as:
http://server/script.php/a/b/c

For compare look at ./sapi/fastcgi/fastcgi.с  on function 
+244 init_request_info()
...
        /*
         * if the file doesn't exist, try to extract PATH_INFO out
         * of it by stat'ing back through the '/'
         */
...
May be cgi code need like chunk ?

b.r. 
 Kozin Maxim
 [2002-11-24 01:52 UTC] mochaexpress at yahoo dot com 
I experienced the same problem with using php cgi version for 4.2.1 and 4.2.2. I ended up hacking it by using a shell script to call the actual php cgi:

#!/bin/sh
export SCRIPT_FILENAME=$PATH_TRANSLATED
/usr/bin/php
 [2002-12-03 01:10 UTC] shane@php.net 
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Jul 14 07:01:32 2025 UTC