Bug #14776 httpd crashes with 4.1.1 (and 4.1.0) when safe-mode=on and header();
Submitted: 2001-12-30 14:20 UTC Modified: 2002-01-14 22:10 UTC
Votes:13
Avg. Score:4.9 ± 0.3
Reproduced:12 of 12 (100.0%)
Same Version:12 (100.0%)
Same OS:2 (16.7%)
From: fabio at isec dot com dot br Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 4.1.1 OS: FreeBSD 4.4-stable
Private report: No CVE-ID: None
 [2001-12-30 14:20 UTC] fabio at isec dot com dot br
I'm running FreeBSD 4.4-stable, Apache 1.3.22 and PHP 4.1.1 (this bug has been present since 4.1.0; I had hoped it would be fixed in 4.1.1, but it hasn't been). (PHP 4.0.6 works without problems.)

The httpd crashes ONLY when php.ini is running with SAFE-MODE ENABLED (when safe-mode is OFF, it works flawlessly)!! The function seems to be header().

Be SURE safe-mode is ON, and run this example:

<?php
  if(!isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {
    header("WWW-Authenticate: Basic realm=\"My Realm\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "Text to send if user hits Cancel button\n";
    exit;
  } else {
    echo "<p>Hello {$HTTP_SERVER_VARS['PHP_AUTH_USER']} .</p>";
    echo "<p>You entered {$HTTP_SERVER_VARS['PHP_AUTH_PW']} as your password.</p>";
  }
?>

Here's a gdb backtrace

--
Starting program: /usr/local/apache/bin/httpd -X
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28167a5a in memcpy () from /usr/lib/libc.so.4
(gdb) bt
#0  0x28167a5a in memcpy () from /usr/lib/libc.so.4
#1  0x4 in ?? ()
#2  0x281bbafe in _mem_block_check (ptr=0x2829b0e0, silent=1, 
    __zend_filename=0x2829deb2 "SAPI.c", __zend_lineno=505, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at zend_alloc.c:659
#3  0x281ba994 in _efree (ptr=0x2829b0e0, __zend_filename=0x2829deb2 "SAPI.c", 
    __zend_lineno=505, __zend_orig_filename=0x0, __zend_orig_lineno=0)
    at zend_alloc.c:224
#4  0x281f0024 in sapi_add_header_ex (
    header_line=0x81495a4 'Z' <repeats 41 times>, "\204?\217*", 
    header_line_len=40, duplicate=1 '\001', replace=1 '\001') at SAPI.c:505
#5  0x282472b0 in zif_header (ht=1, return_value=0x8141fa4, this_ptr=0x0, 
    return_value_used=0) at head.c:56
#6  0x281c81a3 in execute (op_array=0x8143ea4) at ./zend_execute.c:1590
#7  0x281d96a0 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at zend.c:814
#8  0x281ec311 in php_execute_script (primary_file=0xbfbff8ac) at main.c:1307
#9  0x281e6f52 in apache_php_module_main (r=0x813e034, display_source_mode=0)
    at sapi_apache.c:90
#10 0x281e7e44 in send_php (r=0x813e034, display_source_mode=0, 
    filename=0x813eadc "/usr/home2/www-galeriadev/teste.php") at mod_php4.c:575
#11 0x281e7eb7 in send_parsed_php (r=0x813e034) at mod_php4.c:590
#12 0x806b82d in ap_invoke_handler ()
#13 0x8080164 in process_request_internal ()
---Type <return> to continue, or q <return> to quit---
#14 0x80801ce in ap_process_request ()
#15 0x807713b in child_main ()
#16 0x80772fd in make_child ()
#17 0x8077476 in startup_children ()
#18 0x8077aa8 in standalone_main ()
#19 0x80782f8 in main ()
#20 0x804ef1d in _start ()
(gdb) 
--

If you need any more information, just let me know.

Thanks
Fabio Vilan - Duwde
fabio@isec.com.br

 [2002-01-14 08:15 UTC] a dot mayrhofer at kpnqwest dot at
There are a bunch of related bug reports. See:

#14515
#14964
#14453
maybe #14389
maybe #14733
 [2002-01-14 08:46 UTC] sesser@php.net
I just fixed it in CVS
(at least I cannot crash it here anymore)

Please check with latest CVS version.
 [2002-01-14 22:10 UTC] yohgaki@php.net
User reported it works. Closed
 
Last updated: Sun Oct 17 20:03:37 2021 UTC