php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34581 crash with mod_rewrite
Submitted: 2005-09-21 16:19 UTC Modified: 2005-10-12 23:45 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:0 (0.0%)
From: phpbugrep-20050921 at pgregg dot com Assigned: tony2001 (profile)
Status: Closed Package: Apache2 related
PHP Version: 5CVS-2005-09-21 (snap) OS: FreeBSD5.4-STABLE
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpbugrep-20050921 at pgregg dot com
New email:
PHP Version: OS:

 

 [2005-09-21 16:19 UTC] phpbugrep-20050921 at pgregg dot com
Description:
------------
Similar to: http://bugs.php.net/bug.php?id=34204

PHP5.1-RC2-dev snaps (d/l today) crashes (segfaults) when a mod_rewrite is used with a .htaccess file (have not tried it hard coded into httpd.conf).   PHP-5.1b2 works correctly without crashing.


Reproduce code:
---------------
Code to reproduce is available at: http://www.pgregg.com/crash/

the .htaccess file used there is live and accessing the url:
http://www.pgregg.com/crash/d/123-123/foobar  (to match one of the rules) will cause the httpd child to segfault.

I have posted a backtrace there also.

This is the .htaccess file from PHP Gallery (G2) modified to work in my example dir.

Expected result:
----------------
I expect the test.php to be called like:
test.php?arg1=123&arg2=123


Actual result:
--------------
>gdb /usr/local/apache/bin/httpd  2:42PM
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd5.4"...
(gdb) run -X
Starting program: /usr/local/apache2/bin/httpd -X

Program received signal SIGSEGV, Segmentation fault.
0x28565acd in _zend_hash_index_update_or_next_insert (ht=0x286d83b4, h=0, pData=0xbfbfd9a0,
    nDataSize=12, pDest=0x0, flag=1,
    __zend_filename=0x2863112c "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_list.c", __zend_lineno=47)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_hash.c:354
354             p = ht->arBuckets[nIndex];
(gdb) bt
#0  0x28565acd in _zend_hash_index_update_or_next_insert (ht=0x286d83b4, h=0,
    pData=0xbfbfd9a0, nDataSize=12, pDest=0x0, flag=1,
    __zend_filename=0x2863112c "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_list.c", __zend_lineno=47)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_hash.c:354
#1  0x28568106 in zend_list_insert (ptr=0x828f124, type=2)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_list.c:47
#2  0x2856820c in zend_register_resource (rsrc_result=0x0, rsrc_pointer=0x828f124,
    rsrc_type=2) at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_list.c:99
#3  0x2852bbd8 in _php_stream_alloc (ops=0x286be5e0, abstract=0x828f024, persistent_id=0x0,
    mode=0x28617290 "rb", __php_stream_call_depth=5,
    __zend_filename=0x28619b78 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c", __zend_lineno=205,
    __zend_orig_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_orig_lineno=855)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/streams.c:263
#4  0x2853249f in _php_stream_fopen_from_fd (fd=16, mode=0x28617290 "rb",
    persistent_id=0x0, __php_stream_call_depth=4,
    __zend_filename=0x28619b78 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c", __zend_lineno=882,
    __zend_orig_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_orig_lineno=855)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c:205
#5  0x285337b9 in _php_stream_fopen (
    filename=0x828d4c0 "/web/www.pgregg.com/source/test.php", mode=0x28617290 "rb",
    opened_path=0xbfbfe338, options=133, __php_stream_call_depth=3,
    __zend_filename=0x28619b78 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c", __zend_lineno=1233,
    __zend_orig_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_orig_lineno=855)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c:882
#6  0x28534432 in _php_stream_fopen_with_path (
    filename=0x828d4c0 "/web/www.pgregg.com/source/test.php", mode=0x28617290 "rb",
    path=0x28616d76 ".:/usr/local/lib/php", opened_path=0xbfbfe338, options=133,
    __php_stream_call_depth=2,
    __zend_filename=0x28619b78 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c", __zend_lineno=931,
    __zend_orig_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_orig_lineno=855)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c:1233
#7  0x28533958 in php_plain_files_stream_opener (wrapper=0x286be688,
    path=0x828d4c0 "/web/www.pgregg.com/source/test.php", mode=0x28617290 "rb",
    options=133, opened_path=0xbfbfe338, context=0x0, __php_stream_call_depth=1,
    __zend_filename=0x2861937c "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/streams.c", __zend_lineno=1773,
    __zend_orig_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_orig_lineno=855)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/plain_wrapper.c:931
#8  0x2852eec8 in _php_stream_open_wrapper_ex (
    path=0x828d4c0 "/web/www.pgregg.com/source/test.php", mode=0x28617290 "rb",
    options=141, opened_path=0xbfbfe338, context=0x0, __php_stream_call_depth=0,
    __zend_filename=0x28616f70 "/usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c", __zend_lineno=855, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/streams/streams.c:1771
#9  0x2851a2f4 in php_stream_open_for_zend (
    filename=0x828d4c0 "/web/www.pgregg.com/source/test.php", handle=0xbfbfe330)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/main/main.c:855
#10 0x2856f72c in zend_stream_open (
    filename=0x828d4c0 "/web/www.pgregg.com/source/test.php", handle=0xbfbfe330)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_stream.c:47
#11 0x2856f7db in zend_stream_fixup (file_handle=0xbfbfe330)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend_stream.c:62
#12 0x2853e0a4 in open_file_for_scanning (file_handle=0xbfbfe330)
    at Zend/zend_language_scanner.c:3068
#13 0x2853e1e7 in compile_file (file_handle=0xbfbfe330, type=2)
    at Zend/zend_language_scanner.c:3154
#14 0x2855db19 in zend_execute_scripts (type=2, retval=0x0, file_count=1)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/Zend/zend.c:1079
#15 0x285cb940 in php_handler (r=0x8289a30)
    at /usr/local/src/Web/Apache2_PHP5/php5-200509211030/sapi/apache2handler/sapi_apache2.c:570
#16 0x080828aa in ap_run_handler (r=0x8289a30) at config.c:152
#17 0x08082c75 in ap_invoke_handler (r=0x8289a30) at config.c:364
#18 0x0806ae55 in ap_internal_redirect (new_uri=0x0, r=0x0) at http_request.c:465
#19 0x0807b607 in handler_redirect (r=0x827c050) at mod_rewrite.c:1735
#20 0x080828aa in ap_run_handler (r=0x827c050) at config.c:152
#21 0x08082c75 in ap_invoke_handler (r=0x827c050) at config.c:364
#22 0x0806b1d1 in ap_process_request (r=0x827c050) at http_request.c:249
#23 0x08066af9 in ap_process_http_connection (c=0x8276128) at http_core.c:251
#24 0x0808c12a in ap_run_process_connection (c=0x8276128) at connection.c:43
#25 0x080810c1 in child_main (child_num_arg=0) at prefork.c:610
#26 0x080812b5 in make_child (s=0x80c4c48, slot=0) at prefork.c:650
#27 0x0808137c in startup_children (number_to_start=5) at prefork.c:722
#28 0x080819ff in ap_mpm_run (_pconf=0xbfbfe6c0, plog=0x80f8018, s=0xbfbfe6c8)
    at prefork.c:941
#29 0x08086c07 in main (argc=2, argv=0xbfbfe7b0) at main.c:618

 (gdb) print p
 $1 = (Bucket *) 0x28567fdb
 (gdb) print ht
 $2 = (HashTable *) 0x286d83b4
 (gdb) print nIndex
 $3 = 0
 (gdb) print *ht
 $4 = {nTableSize = 0, nTableMask = 0, nNumOfElements = 0, nNextFreeElement = 0,
   pInternalPointer = 0x0, pListHead = 0x0, pListTail = 0x0, arBuckets = 0x0, pDestructor = 0,
   persistent = 0 '\0', nApplyCount = 0 '\0', bApplyProtection = 0 '\0', inconsistent = 0}



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-09-21 23:18 UTC] sniper@php.net
Try adding the rules into httpd.conf.

 [2005-09-22 00:23 UTC] phpbugrep-20050921 at pgregg dot com
I added the contents of the htaccess into the httpd.conf and stop/started.  Result was the same - still segfaulting.
Backtrace at: http://www.pgregg.com/crash/gdb_backtrace2.txt

They are essentially the same.

Problem still persists.

Thanks.
 [2005-09-22 08:32 UTC] sniper@php.net
What was the configure line you used to configure PHP?
(I can't reproduce this with the one I have..)

 [2005-09-22 11:10 UTC] phpbugrep-20050921 at pgregg dot com
more php5-200509211030/config.nice

#! /bin/sh
#
# Created by configure

'./configure' \
'--with-apxs2=/usr/local/apache2/bin/apxs' \
'--with-pgsql' \
'--with-gd' \
'--with-zlib-dir=/usr' \
'--with-jpeg-dir=/usr/local' \
'--with-xpm-dir=/usr/X11R6' \
'--with-ttf=/usr/compat/linux/usr/' \
'--with-freetype-dir=/usr/local' \
'--enable-gd-native-ttf' \
'--with-mime-magic' \
'--enable-bcmath' \
'--with-xmlreader' \
'--with-xsl' \
'--enable-debug' \
"$@"

Thanks
 [2005-09-22 11:28 UTC] sniper@php.net
Do you have any ErrorDocument directive set in any .htaccess file or httpd.conf?

 [2005-09-22 13:01 UTC] phpbugrep-20050921 at pgregg dot com
I did, but I have now turned it off. Makes no difference though.
 [2005-09-22 15:53 UTC] tony2001@php.net
I can't reproduce it either (tried both with Apache 1.3.x & Apache 2.x).
And valgrind doesn't say a word about it.
Please add some more info on how to reproduce it.

 [2005-09-27 18:20 UTC] dave at cc0 dot net
PHP5.1RC1 segfaults apache when a mod_rewrite is used in an .htaccess. My .htaccess: 

RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !.gif$
RewriteCond %{REQUEST_FILENAME} !.jpg$
RewriteRule ^(.*)$ /home/lists/index.php [T=application/x-httpd-php,L]

Commenting out last (RewriteRule) does not segfault apache, but obviously does not work as needed.

The related apache error log lines:

[Mon Sep 26 09:07:25 2005] [notice] child pid 10619 exit signal Segmentation fault (11)
[Mon Sep 26 09:07:26 2005] [error] [client 1.2.3.4] PHP Warning:  Unknown: SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /home/lists/index.php owned by uid 8000 in Unknown on line 138769176
[Mon Sep 26 09:07:26 2005] [error] [client 1.2.3.4] PHP Warning:  Unknown: failed to open stream: No such file or directory in Unknown on line 138769176
[Mon Sep 26 09:07:26 2005] [error] [client 1.2.3.4] PHP Warning:  Unknown: Failed opening '/home/lists/index.php' for inclusion (include_path='/home/include:/home/lists/include') in Unknown on line 138769176
 [2005-09-28 12:28 UTC] phpbugrep-20050921 at pgregg dot com
hmm, I have already given enough information on reproducing it.   However, I have set up a FreeBSD machine for you to login (with root access) if you wish so you may login and examine the setup.

I have setup a minimal apache2 httpd and a _minimal_ PHP (oh a --disable-everything-implied would be nice ;)   gdb6.3 is installed.

Please message Qube or Derick on Efnet for the login credentials - if you have @ in the appropriate channel you'll get them.
 [2005-10-12 19:09 UTC] tony2001@php.net
This patch worked for me:
http://tony2001.phpclub.net/dev/tmp/bug34581.diff
 [2005-10-12 22:32 UTC] jonathan dot semczyk at telecomlille dot net
Thanks Tony, it did work for me.

Jon.
 [2005-10-12 23:45 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Nov 25 07:01:31 2024 UTC