PHP :: Bug #69250 :: PHP FPM status report produces invalid JSON and XML

Bug #69250	PHP FPM status report produces invalid JSON and XML
Submitted:	2015-03-17 19:27 UTC	Modified:	2023-06-16 17:50 UTC
From:	s dot greiner at cadenas dot de	Assigned:	bukka (profile)
Status:	Closed	Package:	FPM related
PHP Version:	5.5.22	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	s dot greiner at cadenas dot de
New email:
PHP Version:		OS:

New Comment:

[2015-03-17 19:27 UTC] s dot greiner at cadenas dot de

Description:
------------
Open the Status Page of FPM, for example:
http://my.server.ip/status-php-fpm?json&full&testparam=\a\b\c

Take the "json" output of it and validate it -> it will fail because any backslash is not escaped in the "request uri" property.

According to http://json.org/string.gif every unicode character is allowed in a string but no " or \ or a control character. They have to be escaped.
The same problem may occur with the "script" property.

Regarding XML output: the text nodes of <request-uri> and <script> should be wrapped in CDATA sections.

This erroneous behavior applies to every request not only the ones to the status page, for example a request to http://my.server.ip/mywebsite/something?path=foo\bar will make the status page to produce invalid output.

Expected result:
----------------
"processes":[
{
  "pid":2432,
  "state":"Idle",
  "start time":1425579888,
  "start since":1039595,
  "requests":1523,
  "request duration":614,
  "request method":"GET",
  "request uri":"/php-status?json&full&testparam=\\a\\b\\c",
  "content length":0,
  "user":"-",
  "script":"-",
  "last request cpu":0.00,
  "last request memory":262144
},
...

Actual result:
--------------
"processes":[
{
  "pid":2432,
  "state":"Idle",
  "start time":1425579888,
  "start since":1039595,
  "requests":1523,
  "request duration":614,
  "request method":"GET",
  "request uri":"/php-status?json&full&testparam=\a\b\c",
  "content length":0,
  "user":"-",
  "script":"-",
  "last request cpu":0.00,
  "last request memory":262144
},
...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2023-06-16 17:50 UTC] bukka@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: bukka

[2023-06-16 17:50 UTC] bukka@php.net

So the JSON request uri escaping was implemented in https://github.com/php/php-src/commit/5e64ead64ab5eaba5d62847483c847c1836171d7 and it is part of just released PHP 8.1.20.

I left this open before to also check the XML part which I just did. This is already escaped for request-uri in the same way as HTML format. Using CDATA is not necessary here and cannot be considered as a bug and escaping result is the same for the parsers.

The only part that actually is worth to look at more into is the mentioned script. This applies on JSON as well and I have just created a ticket specifically for that: https://github.com/php/php-src/issues/11464 and will be looked at later as it is not a major issue really.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 10:01:29 2024 UTC