php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #60677 CGI doesn't properly validate shebang line contains #!
Submitted: 2012-01-07 02:39 UTC Modified: 2019-07-15 14:31 UTC
Votes:3
Avg. Score:3.7 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: pasamio at gmail dot com Assigned: nikic (profile)
Status: Closed Package: CGI/CLI related
PHP Version: PHP 5.6.7 OS: N/A
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: pasamio at gmail dot com
New email:
PHP Version: OS:

 

 [2012-01-07 02:39 UTC] pasamio at gmail dot com 
Description:
------------
When running in CGI, PHP attempts to look for a shebang. However there is a bug 
where if the first character of the first line is a hash character/pound 
character (#), PHP doesn't validate that the next character is an exclamation 
mark and thus a properly formed shebang line (e.g. #!). Instead PHP just skips 
the entire line ignoring any PHP code that might be on that line.

The code in question from a quick examination appears to be here in trunk:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?
revision=321634&view=markup

On lines 2361, 2379 and 2396.

And on the PHP 5.4 branch:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/sapi/cgi/cgi_main.c?
revision=321634&view=markup

On lines 2362, 2380 and 2397.

This has been replicated on PHP 5.3.3 and PHP 5.3.5 as well as being in current 
trunk.

Test script:
---------------
#<?php echo "Hello World\n"; ?>
Second line.

Expected result:
----------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

#Hello World
Second line.

Actual result:
--------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

Second line.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-07 02:43 UTC] pasamio at gmail dot com 
This appears to have been introduced with this change:

http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?
r1=288080&r2=288081&
 [2012-01-07 05:20 UTC] dtajchreber@php.net
-Status: Open +Status: Bogus
 [2012-01-07 05:20 UTC] dtajchreber@php.net 
Lines that begin with a hash tag can also be comments... 

# This is a comment... <?php echo 'None of this will appear!' ?>

http://us.php.net/manual/en/language.basic-syntax.comments.php
 [2012-01-07 05:37 UTC] dtajchreber@php.net
-Status: Bogus +Status: Verified
 [2012-01-07 05:37 UTC] dtajchreber@php.net 
I completely misunderstood what you were saying... forgive me. :) Taking a second 
look, you're right... the logic only checks the first character when 
cgi.check_shebang_line = 1.
 [2012-01-07 06:47 UTC] pasamio at gmail dot com 
The Apache 2 Handler appears to work properly though I can't find the code.

Additionally the PHP CLI handles this correctly:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cli/php_cli.c?
revision=321634&view=markup

Line 633 with:
if (c == '#' && (c = fgetc(file_handle->handle.fp)) == '!') {

And a later rewind. Should be sufficient for some of the CGI stuff but not all 
three of the instances in question.
 [2015-04-13 13:31 UTC] cmb@php.net
-PHP Version: trunk-SVN-2012-01-07 (SVN) +PHP Version: PHP 5.6.7
 [2015-04-13 13:31 UTC] cmb@php.net 
The SVN related links are outdated. The relevant code is now:
<https://github.com/php/php-src/blob/PHP-5.6.7/sapi/cgi/cgi_main.c#L2388-L2461>
 [2015-04-15 11:39 UTC] cmb@php.net 
Related To: Bug #69460
 [2019-07-15 14:31 UTC] nikic@php.net
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic
 [2019-07-15 14:31 UTC] nikic@php.net 
Fixed by https://github.com/php/php-src/commit/c5f1b384b591009310370f0b06b10868d2d62741 for 7.4.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Nov 23 07:01:29 2024 UTC