php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19324 show PHP source on client's browser
Submitted: 2002-09-09 20:54 UTC Modified: 2002-10-28 01:00 UTC
Votes:9
Avg. Score:4.6 ± 0.8
Reproduced:6 of 7 (85.7%)
Same Version:2 (33.3%)
Same OS:3 (50.0%)
From: wiseguy at ms10 dot url dot com dot tw Assigned:
Status: No Feedback Package: Output Control
PHP Version: 4.2.3 OS: Solaris8 x86
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2002-09-09 20:54 UTC] wiseguy at ms10 dot url dot com dot tw
After I upgrade PHP from v4.2.2 to v4.2.3, my system 
actually show PHP source on client's browser ! It never 
arise in v4.2.2 , and I haven't change my configure and
php.ini . The case is not always arising. It should arise 
when I click the links to switch the PHP pages fast.

===========================================================
CC=gcc \
CFLAGS="-O6 -mcpu=pentiumpro" \
./configure \
--enable-track-vars \
--enable-inline-optimization \
--enable-mbstring \
--enable-ctype \
--disable-wddx \
--disable-debug \
--disable-experimental-zts \
--with-xml \
--with-mcrypt=/usr/local \
--with-dom=/usr/local \
--with-zlib-dir=/usr/local \
--with-mysql=/usr/local/mysql \
--with-iconv=/usr/local \
--with-apxs=/usr/local/apache/bin/apxs \
--prefix=/usr/local

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-09-25 03:56 UTC] wiseguy at ms10 dot url dot com dot tw
When I use :
header('Location: xxx.php?a=123&b=456');

(1) use header() function
(2) the URL append GET string

then php file show the source on client's browser.
But after reload, the PHP just normal run.
 [2002-09-25 09:44 UTC] sniper@php.net
Could you try compiling PHP without using ANY predefined CFLAGS?  ie. only run the configure with your options.

 [2002-09-25 21:29 UTC] wiseguy at ms10 dot url dot com dot tw
I compiled php without any CFLAGS, showing source still 
arisen .
My gcc version is 3.2 .

PS: but the situation doesn't arise on "APACHE 2.x + PHP" .
 [2002-09-25 22:48 UTC] sniper@php.net
With which apache version it doesn't work?

 [2002-09-25 22:59 UTC] wiseguy at ms10 dot url dot com dot tw
apache 1.3.26
 [2002-09-26 17:27 UTC] sniper@php.net
Could you please try using this line to compile:

rm config.cache && ./configure --with-apxs=/usr/local/apache/bin/apxs && make clean && make

And then try seeing if this happens with such 'pure' build?

 [2002-09-26 20:36 UTC] wiseguy at ms10 dot url dot com dot tw
compiling fault. I use php4-200209241800 .

/bin/sh libtool --silent --mode=link gcc -export-dynamic   -avoid-version -module -L/usr/ucblib -L/usr/local/lib/gcc-lib/i386-pc-solaris2.8/3.2  -R /usr/ucblib -R /usr/local/lib/gcc-lib/i386-pc-solaris2.8/3.2 ext/ctype/ctype.lo ext/mbstring/mbfilter_ja.lo ext/mbstring/mbfilter_cn.lo ext/mbstring/mbfilter_tw.lo ext/mbstring/mbfilter_kr.lo ext/mbstring/mbfilter_ru.lo ext/mbstring/mbfilter.lo ext/mbstring/mbstring.lo ext/mbstring/mbregex.lo ext/mbstring/php_mbregex.lo ext/mbstring/html_entities.lo ext/mysql/php_mysql.lo ext/mysql/libmysql/libmysql.lo ext/mysql/libmysql/errmsg.lo ext/mysql/libmysql/net.lo ext/mysql/libmysql/violite.lo ext/mysql/libmysql/password.lo ext/mysql/libmysql/my_init.lo ext/mysql/libmysql/my_lib.lo ext/mysql/libmysql/my_static.lo ext/mysql/libmysql/my_malloc.lo ext/mysql/libmysql/my_realloc.lo ext/mysql/libmysql/my_create.lo ext/mysql/libmysql/my_delete.lo ext/mysql/libmysql/my_tempnam.lo ext/mysql/libmysql/my_open.lo ext/mysql/libmysql/mf_casecnv.lo ext/mysql/libmysql/my_read.lo ext/mysql/libmysql/my_write.lo ext/mysql/libmysql/errors.lo ext/mysql/libmysql/my_error.lo ext/mysql/libmysql/my_getwd.lo ext/mysql/libmysql/my_div.lo ext/mysql/libmysql/mf_pack.lo ext/mysql/libmysql/my_messnc.lo ext/mysql/libmysql/mf_dirname.lo ext/mysql/libmysql/mf_fn_ext.lo ext/mysql/libmysql/mf_wcomp.lo ext/mysql/libmysql/typelib.lo ext/mysql/libmysql/safemalloc.lo ext/mysql/libmysql/my_alloc.lo ext/mysql/libmysql/mf_format.lo ext/mysql/libmysql/mf_path.lo ext/mysql/libmysql/mf_unixpath.lo ext/mysql/libmysql/my_fopen.lo ext/mysql/libmysql/mf_loadpath.lo ext/mysql/libmysql/my_pthread.lo ext/mysql/libmysql/my_thr_init.lo ext/mysql/libmysql/thr_mutex.lo ext/mysql/libmysql/mulalloc.lo ext/mysql/libmysql/string.lo ext/mysql/libmysql/default.lo ext/mysql/libmysql/my_compress.lo ext/mysql/libmysql/array.lo ext/mysql/libmysql/my_once.lo ext/mysql/libmysql/list.lo ext/mysql/libmysql/my_net.lo ext/mysql/libmysql/dbug.lo ext/mysql/libmysql/strmov.lo ext/mysql/libmysql/strxmov.lo ext/mysql/libmysql/strnmov.lo ext/mysql/libmysql/strmake.lo ext/mysql/libmysql/strend.lo ext/mysql/libmysql/strfill.lo ext/mysql/libmysql/is_prefix.lo ext/mysql/libmysql/int2str.lo ext/mysql/libmysql/str2int.lo ext/mysql/libmysql/strinstr.lo ext/mysql/libmysql/strcont.lo ext/mysql/libmysql/strcend.lo ext/mysql/libmysql/bchange.lo ext/mysql/libmysql/bmove.lo ext/mysql/libmysql/bmove_upp.lo ext/mysql/libmysql/longlong2str.lo ext/mysql/libmysql/strtoull.lo ext/mysql/libmysql/strtoll.lo ext/mysql/libmysql/charset.lo ext/mysql/libmysql/ctype.lo ext/overload/overload.lo ext/pcre/pcrelib/maketables.lo ext/pcre/pcrelib/get.lo ext/pcre/pcrelib/study.lo ext/pcre/pcrelib/pcre.lo ext/pcre/php_pcre.lo ext/posix/posix.lo ext/session/session.lo ext/session/mod_files.lo ext/session/mod_mm.lo ext/session/mod_user.lo ext/standard/array.lo ext/standard/base64.lo ext/standard/basic_functions.lo ext/standard/browscap.lo ext/standard/crc32.lo ext/standard/crypt.lo ext/standard/cyr_convert.lo ext/standard/datetime.lo ext/standard/dir.lo ext/standard/dl.lo ext/standard/dns.lo ext/standard/exec.lo ext/standard/file.lo ext/standard/filestat.lo ext/standard/flock_compat.lo ext/standard/formatted_print.lo ext/standard/fsock.lo ext/standard/head.lo ext/standard/html.lo ext/standard/image.lo ext/standard/info.lo ext/standard/iptc.lo ext/standard/lcg.lo ext/standard/link.lo ext/standard/mail.lo ext/standard/math.lo ext/standard/md5.lo ext/standard/metaphone.lo ext/standard/microtime.lo ext/standard/pack.lo ext/standard/pageinfo.lo ext/standard/parsedate.lo ext/standard/quot_print.lo ext/standard/rand.lo ext/standard/reg.lo ext/standard/soundex.lo ext/standard/string.lo ext/standard/scanf.lo ext/standard/syslog.lo ext/standard/type.lo ext/standard/uniqid.lo ext/standard/url.lo ext/standard/url_scanner.lo ext/standard/var.lo ext/standard/versioning.lo ext/standard/assert.lo ext/standard/strnatcmp.lo ext/standard/levenshtein.lo ext/standard/incomplete_class.lo ext/standard/url_scanner_ex.lo ext/standard/ftp_fopen_wrapper.lo ext/standard/http_fopen_wrapper.lo ext/standard/php_fopen_wrapper.lo ext/standard/credits.lo ext/standard/css.lo ext/standard/var_unserializer.lo ext/standard/ftok.lo ext/standard/aggregation.lo ext/standard/sha1.lo ext/tokenizer/tokenizer.lo ext/xml/xml.lo ext/xml/expat/xmlparse.lo ext/xml/expat/xmlrole.lo ext/xml/expat/xmltok.lo regex/regcomp.lo regex/regexec.lo regex/regerror.lo regex/regfree.lo TSRM/TSRM.lo TSRM/tsrm_strtok_r.lo TSRM/tsrm_virtual_cwd.lo main/main.lo main/snprintf.lo main/spprintf.lo main/php_sprintf.lo main/safe_mode.lo main/fopen_wrappers.lo main/alloca.lo main/php_ini.lo main/SAPI.lo main/rfc1867.lo main/php_content_types.lo main/strlcpy.lo main/strlcat.lo main/mergesort.lo main/reentrancy.lo main/php_variables.lo main/php_ticks.lo main/streams.lo main/network.lo main/php_open_temporary_file.lo main/php_logos.lo main/output.lo main/memory_streams.lo main/user_streams.lo Zend/zend_language_parser.lo Zend/zend_language_scanner.lo Zend/zend_ini_parser.lo Zend/zend_ini_scanner.lo Zend/zend_alloc.lo Zend/zend_compile.lo Zend/zend_constants.lo Zend/zend_dynamic_array.lo Zend/zend_execute_API.lo Zend/zend_highlight.lo Zend/zend_llist.lo Zend/zend_opcode.lo Zend/zend_operators.lo Zend/zend_ptr_stack.lo Zend/zend_stack.lo Zend/zend_variables.lo Zend/zend.lo Zend/zend_API.lo Zend/zend_extensions.lo Zend/zend_hash.lo Zend/zend_list.lo Zend/zend_indent.lo Zend/zend_builtin_functions.lo Zend/zend_sprintf.lo Zend/zend_ini.lo Zend/zend_qsort.lo Zend/zend_multibyte.lo Zend/zend_execute.lo sapi/cli/php_cli.lo sapi/cli/getopt.lo main/internal_functions_cli.lo -lcrypt -lresolv -lm -ldl -lnsl -lsocket -lgcc -lcrypt -ldl -o sapi/cli/php
Output line too long.
Output line too long.
Output line too long.
gcc: ext/stan: No such file or directory
gmake: *** [sapi/cli/php] Error 1
 [2002-09-26 21:23 UTC] wiseguy at ms10 dot url dot com dot tw
I downloaded php4-STABLE-200209261800 and used pure compiling . showing source still arisen . :(
 [2002-09-27 00:40 UTC] derick@php.net
Solaris' sed doesn't handle the long lines, you will have more luck with gnu sed. Can you install that and try again?

Derick
 [2002-09-27 01:06 UTC] wiseguy at ms10 dot url dot com dot tw
No error as php4-200209241800 when I compiled 
php4-STABLE-200209261800 .
But the running result is the same. :(
 [2002-09-27 06:43 UTC] iliaa@php.net
Try the latest snapshot not the stable, the 'stable' brach is likely not to have the fix you need.
 [2002-09-28 04:44 UTC] wiseguy at ms10 dot url dot com dot tw
I used php4-200209280000 . the running result is the same.
 [2002-09-28 04:55 UTC] jmoore@php.net
You dont have php_engine=off in any of your apache vhosts do you?

- James
 [2002-09-28 09:55 UTC] wiseguy at ms10 dot url dot com dot tw
Yes, I do. But I use <Location> tag to include it.
because I want to make PHP can't work in some directories.
Why the showing source arise randomly ?
If I can't use "php_engine=off" , how I disable PHP
in some directories, please ?
 [2002-09-28 12:36 UTC] derick@php.net
Okay, looks like an old bug resurfaced. Can you do the following test, and stick to it very precise:

1. stop apache
2. start apache in single process mode like:
   /path/to/apache/httpd -X
3. Request a page from a vhost/directory where PHP is enabled
4. Do that again :)
5. Request a page from a vhost/directory where PHP is disabled
6. Request a page from a vhost/directory where PHP is enabled (but not explicit with php_engine = on, just the 'default')
7. Request a page from a vhost/directory where PHP is enabled (implicit wirth php_engine = on)
Please tell us when you see the source and when not.

regards,
Derick
 [2002-09-29 20:27 UTC] wiseguy at ms10 dot url dot com dot tw
No wonder the situation never arises in Apache2 .
I haven't used "php_engine=off" in httpd.conf (Apache2
will report config error ! It doesn't know the instruct .)

So, I just use "AddType text/html .php" to replace
"php_engine=off". It's work ! No showing source arise,
and some directory can disable PHP.

Thanks your help.
 [2002-09-30 00:27 UTC] derick@php.net
Did you do the tests I asked you to do?

Derick
 [2002-09-30 03:27 UTC] gild at mail2000 dot com dot tw
Will it fixed at next version?
 [2002-09-30 05:50 UTC] alberty at neptunelabs dot de
Hi ,

I have a small question to this bug, because I have the same problem.

>1. stop apache
>2. start apache in single process mode like:
>   /path/to/apache/httpd -X
>3. Request a page from a vhost/directory where PHP is enabled
>4. Do that again :)
>5. Request a page from a vhost/directory where PHP is disabled
>6. Request a page from a vhost/directory where PHP is enabled (but not
>explicit with php_engine = on, just the 'default')
>7. Request a page from a vhost/directory where PHP is enabled (implicit
>wirth php_engine = on)
>Please tell us when you see the source and when not.

Test 3 and 4 with explicit php_engine directive or not (the same as 6)?

However, with php_engine=on in a <virtualhost><location> and also a concurrently php_engine off directive in another <virtualhost>, Apache results always the source code on my virtualhost with php_engine=on.

Regards,

-- 
Steve
 [2002-09-30 05:53 UTC] derick@php.net
3 and 4 with the "php_engine = on" directive please (explicit).

Derick
 [2002-09-30 06:18 UTC] alberty at neptunelabs dot de
3. showing source code
4. showing source code
5. showing source code
6. no source code 
7. showing source code
 [2002-10-12 10:12 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2002-10-28 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over 2 weeks, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-05-02 11:27 UTC] amohamed at ttcanc dot org
windows 2003, iis, php 5.2.3... website loads php code in browser. Sucks big time.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 02 05:03:34 2021 UTC