php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #40419 Trailing Slash in CGI request don't work
Submitted: 2007-02-09 17:37 UTC Modified: 2007-09-10 11:09 UTC
Votes:17
Avg. Score:4.9 ± 0.2
Reproduced:15 of 15 (100.0%)
Same Version:13 (86.7%)
Same OS:3 (20.0%)
From: samuele dot diella at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 5.2.1 OS: Slackware 10.2
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: samuele dot diella at gmail dot com
New email:
PHP Version: OS:

 

 [2007-02-09 17:37 UTC] samuele dot diella at gmail dot com 
Description:
------------
In php-5.2.1 compiled as CGI under Apache 1.3.37, when i enter an url with a trailing slash, with no params after, i get a "No input file specified.".
If i don't write the slash, or if i write a single character after the slash, the request is handled correctly.

es.:

http://www.myserver.com/phpinfo.php5 ---> works
http://www.myserver.com/phpinfo.php5/ ---> No input file specified.
http://www.myserver.com/phpinfo.php5/test ---> works

In php-5.2.0, compiled with the same config, the request is handled correctly.

This is my config line:

./configure --prefix=/usr --with-xsl --sysconfdir=/etc --enable-discard-path --with-config-file-path=/etc/apache/php5 --enable-safe-mode --with-openssl --with-mhash --enable-bcmath --with-bz2 --with-pic --enable-calendar --enable-ctype --with-gdbm --with-db3 --with-imap-ssl=/usr/local/lib/c-client --with-imap=/usr/local/lib/c-client --enable-dbase --enable-ftp --with-iconv --with-dom --with-exif --enable-exif --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr --with-t1lib=/usr --with-jpeg-dir=/usr --with-png --with-gmp --enable-mbstring --with-curl=/usr --with-pcre-regex=/usr --with-mysql --with-mysql-sock=/var/run/mysql --with-mysqli --with-gettext=shared,/usr --with-expat-dir=/usr --with-xml --with-tsrm-pthreads --with-mm=/usr --enable-trans-sid --enable-shmop --enable-sockets --with-regex=php --with-mime-magic --enable-sysvsem --enable-sysvshm --enable-yp --enable-memory-limit --enable-shared --disable-debug --with-zlib=/usr --with-mcrypt --with-ttf --enable-force-cgi-redirect

This is my Apache configuration:

AddType application/x-httpd-php5 .php5
Action application/x-httpd-php5 "/cgi-bin/php5"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

I tryed many configuration options in php.ini and in configure command, but i was not able to get it works as before.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-13 12:24 UTC] hacker at ee dot ethz dot ch 
i can confirm this issue on sarge/amd64 (gcc),
whereas it works just fine on solaris8/sparc (gcc) with the same extensions enabled and the same php.ini settings.
i am running fastcgi with apache2.0.59.
 [2007-05-15 16:17 UTC] jankorichter at yahoo dot de 
I have created a small patch as a workaround. Should be checked and approved. 

--- sapi/cgi/cgi_main.c.org      2007-04-17 22:00:53.000000000 +0200
+++ sapi/cgi/cgi_main.c  2007-05-15 17:35:39.000000000 +0200
@@ -961,7 +961,14 @@
                /* some server configurations allow '..' to slip through in the
                   translated path.   We'll just refuse to handle such a path. */
                if (script_path_translated && !strstr(script_path_translated, "..")) {
-                       SG(request_info).path_translated = estrdup(script_path_translated);
+                       char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+                       if ( real_path )
+                       {
+                         SG(request_info).path_translated = estrdup(real_path);
+                         free(real_path);
+                       } else {
+                         SG(request_info).path_translated = estrdup(script_path_translated);
+                        }
                }
                SG(request_info).content_type = (content_type ? content_type : "" );
                SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
 [2007-05-18 11:29 UTC] bugs at spuetz dot ath dot cx 
I can confirm this for RHES3, 32bit, Apache 2.2.4 and fastcgi with suexec. 

The patch is working.
 [2007-05-18 11:41 UTC] bugs at spuetz dot ath dot cx 
Oh, it isn't, partially.

with patch applied, SCRIPT_FILENAME has still a trailing slash. 

On a working system (without the patch, too) a url

/test.php/

results in a SCRIPT_FILENAME => /path/to/test.php

with patch:

SCRIPT_FILENAME => /path/to/test.php/
 [2007-05-21 10:45 UTC] jankorichter at yahoo dot de 
SCRIPT_FILENAME fixed.


--- php-5.2.2/sapi/cgi/cgi_main.c       2007-04-17 22:00:53.000000000 +0200
+++ php-5.2.2.new/sapi/cgi/cgi_main.c   2007-05-21 12:24:31.000000000 +0200
@@ -961,7 +961,15 @@
                /* some server configurations allow '..' to slip through in the
                   translated path.   We'll just refuse to handle such a path. */
                if (script_path_translated && !strstr(script_path_translated, "..")) {
-                       SG(request_info).path_translated = estrdup(script_path_translated);
+                       char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC);
+                       if ( real_path )
+                       {
+                         SG(request_info).path_translated = estrdup(real_path);
+                         script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", real_path TSRMLS_CC);
+                         free(real_path);
+                       } else {
+                         SG(request_info).path_translated = estrdup(script_path_translated);
+                        }
                }
                SG(request_info).content_type = (content_type ? content_type : "" );
                SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
 [2007-05-21 11:31 UTC] dmitry@php.net 
Check that cgi.fix_pathinfo in php.ini is set to 1.

I cannot reproduce the behavior and cannot understand how patch can fix it.
 [2007-05-21 11:51 UTC] jankorichter at yahoo dot de 
Yes, cgi.fix_pathinfo is set to 1. I have checked it with phpinfo().
But it doesn't work without patch.
 [2007-06-21 10:21 UTC] bugs at spuetz dot ath dot cx 
I tried 5.2.3 and it doesn't work without patch. 

I just created a vhost with unpatched 5.2.3:
http://bug40419.screenwork-dev.de/info.php => works
http://bug40419.screenwork-dev.de/info.php/ => no input...

With patch:
http://www1.screenwork.de/mas/phpinfo.php
http://www1.screenwork.de/mas/phpinfo.php/

Patched with: http://www1.screenwork.de/mas/40419.patch

Do you need anything else?
 [2007-06-22 12:00 UTC] dmitry@php.net 
Could you test the following patch.

http://phpfi.com/243843
 [2007-06-23 11:01 UTC] bugs at spuetz dot ath dot cx 
Your patch works.
 [2007-06-26 07:33 UTC] jankorichter at yahoo dot de 
It works for me too.
 [2007-06-26 14:47 UTC] dmitry@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 [2007-09-10 11:09 UTC] dmitry@php.net 
The fix for this bug was incorrect.
It causes bug #42587.
Please verify latest snapshot that contains fix for #42587.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Jan 31 12:01:29 2025 UTC