php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #13455 Using include() with Apache ErrorDocument directive can crash the webserver
Submitted: 2001-09-26 12:37 UTC Modified: 2002-12-06 19:56 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: manitu at manitu dot net Assigned:
Status: Wont fix Package: Scripting Engine problem
PHP Version: 4.0.6 OS: Any Linux with any Apache
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2001-09-26 12:37 UTC] manitu at manitu dot net
HOW TO REPRODUCE

1. You must run Apache in any version on a Linux system and have setup an VirtualHost entry with
an example domain "www.domain.com".

2. Configure an .htaccess file like

    ErrorDocument 404 http://www.domain.com/notfound.html

3. The notfound.html file MUST NOT exist and you MUST use an external path

4. Write a php script like

      <?php
      include("http://www.domain.com/any_file_that_does_not_exist.html");
      ?>


WHAT HAPPENS

The include() function tries to get the specified document but cannot find it. So the Apache webserver
sends an 404 error together with a HTTP redirection. The include() tries to catch this address which
leads into an infinite loop. The webserver will die shortly.

HOW TO SOLVE

The include() function should have a limit on how many levels it tries to catch since the webserver is not
able to determine if the caller runs into an infinite loop.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-14 14:10 UTC] yohgaki@php.net
I understand what you've explained. But I'll set status to Suspended. Please work around this problem.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC