php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62606 PHP as fastCgi traverses directory up to the root / permission issues
Submitted: 2012-07-19 06:07 UTC Modified: -
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: thomas dot hoffmann at speed4trade dot com Assigned:
Status: Open Package: Performance problem
PHP Version: 5.3.14 OS: Win2008 R2
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: thomas dot hoffmann at speed4trade dot com
New email:
PHP Version: OS:

 

 [2012-07-19 06:07 UTC] thomas dot hoffmann at speed4trade dot com
Description:
------------
I use PHP via FastCGI on Win2008R2 IIS 7.5
Via "Process Monitor" I can see that the first time I access a php page, the
PHP-CGI.exe opens the php-file and then walks up the directory tree up to the
root.
It traverses/opens all directories till it reaches the Root-Folder (e.g. d:\)
This causes a huge performance impact when the PHP process doesnt have
permissions to travers the root-folder (or a folder outside the webroot).

Starting a webpage with redaxo e.g. lasts about 50 seconds instead of 1 or 2 seconds as many file includes/(accesses take place.

user_ini.filename is disabled (but PHP should anyway stop at the webroot).
safe_mode and open_basedir are off / not used

Test script:
---------------
- Create test.php with just one echo line
- Use PHP-CGI.exe via FastCGI on Windows 2008R2
- Open "Process monitor" and apply filter for php-cgi.exe
- Open test.php via browser
- See in process monitor how the process accesses not only test.php
  but also walks up the directory tree and traverses all parent folders
  till it reaches the root
- To test the performance impact you can delete the folder permission
  on the parent folders of the webroot and open the page several times
  (e.g. via curl and a loop)

Expected result:
----------------
PHP-cgi.exe should not travers folders outside the webroot.

Actual result:
--------------
PHP-cgi.exe opens/traverses all parent folders of the webroot up to the root.

Patches

Pull Requests

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC