Bug #24248 .htaccess php var overrides not being cleared between page requests
Submitted: 2003-06-18 16:10 UTC Modified: 2003-12-30 20:02 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: dkh-php at nighttide dot net Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 4.3.3RC2-dev/4.3.4/5.0.0b1/5.0.0b3 OS: multiple
Private report: No CVE-ID: None
 [2003-06-18 16:10 UTC] dkh-php at nighttide dot net
Description:
------------
FreeBSD 4.8-STABLE
Apache 2.0.46
PHP 4.3.2 

PHP being used as module.

User 1 creates an .htaccess file in their dir at /home/user1/WWW/sub/.htaccess. This file contains php var overrides for auto_prepend_file, auto_append_file, include_path etc.

User 2 has a simple index.php file - html tag, body tag, single text line followed by a php invocation of phpinfo (happens with other pages as well) then closing tags. No .htaccess file here.

User 1 stuff in /home/user1/WWW/sub/index.php works as expected

User 2 stuff in /home/user2/WWW/index.php, if loaded immediately after /home/user1/WWW/sub/index.php will see User 1's auto_prepend_file and auto_append_file. The local values from the phpinfo invocation show User 2's overrides.

Appears as if the Apache session (or thread?) that serviced the first request doesn't clear out the local overrides before handling a new request. Potentially dangerous.
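
Added example, not part of the original report or of PHP's own code: a check that a page in a directory with no .htaccess overrides (User 2's case above) can run to spot the described symptom, a local ini value that differs from the master value. It uses PHP's ini_get_all(); the function name, the watched list and the sample paths are assumptions, and it is written for a current PHP rather than the 4.x builds in this report.

```php
<?php
// Directives the report names as leaking between requests.
const WATCHED = ['auto_prepend_file', 'auto_append_file', 'include_path'];

/**
 * Return every watched directive whose local value differs from the master one.
 *
 * @param array $ini Array shaped like ini_get_all(null, true):
 *                   directive => ['global_value' => ..., 'local_value' => ...]
 * @return array     directive => ['global' => ..., 'local' => ...]
 */
function leaked_overrides(array $ini, array $watched = WATCHED): array
{
    $hits = [];
    foreach ($watched as $name) {
        if (!isset($ini[$name])) {
            continue; // directive not reported by this build
        }
        $global = (string) $ini[$name]['global_value'];
        $local  = (string) $ini[$name]['local_value'];
        if ($global !== $local) {
            $hits[$name] = ['global' => $global, 'local' => $local];
        }
    }
    return $hits;
}

// Constructed sample: what User 2's page would report in the scenario above.
// The file names under /home/user1/WWW/sub/ are made up for illustration.
$sample = [
    'auto_prepend_file' => ['global_value' => '', 'local_value' => '/home/user1/WWW/sub/prepend.php'],
    'auto_append_file'  => ['global_value' => '', 'local_value' => '/home/user1/WWW/sub/append.php'],
    'include_path'      => ['global_value' => '.:/usr/local/php/lib/php', 'local_value' => '.:/usr/local/php/lib/php'],
];

// Check the sample, then the values of the request actually being served.
// A mismatch is only suspicious where no .htaccess, vhost php_value or
// ini_set() is expected to change the directive for this directory.
foreach (['sample' => $sample, 'live' => ini_get_all(null, true)] as $label => $ini) {
    foreach (leaked_overrides($ini) as $name => $v) {
        echo "[$label] $name: master='{$v['global']}' local='{$v['local']}'\n";
    }
}
```

Because auto_prepend_file runs before the requested script, this check can report a leaked value but cannot stop the prepended file from executing.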



 [2003-06-18 18:20 UTC] sniper@php.net
Apache2 is not really ready for production. Could you please test and see if this happens with Apache 1.3.27 ?

And does this happen randomly or..?

 [2003-06-18 21:57 UTC] dkh-php at nighttide dot net
It does not happen with Apache 1.3.27. Though the versions I have installed are not completely congruent (no ssl in the older version for instance).

I have not been able to recreate the problem with Apache2 and the same version of PHP on a FreeBSD 4.8-RC install (slightly older source). Will update both systems to the most current STABLE release and see if the behavior occurs on both.

The behavior is consistent. Load the first page then load the second page (lightly loaded server so the requests are sequential with nothing intervening) and you get the problem. Reloading the second page a couple of times will see the same result but after that the second page loads as it should.

Have tried compiling php without pth threads to no effect.

The outward appearance is that the php var overrides are not being cleared between page requests.
 [2003-07-11 00:07 UTC] sniper@php.net
What was the configure line used to configure Apache2?

 [2003-07-11 10:53 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

And maybe the latest Apache2 version too. (2.0.47 or higher)

 [2003-07-16 22:13 UTC] dkh-php at nighttide dot net
Ok, got time to try this tonight. Installed latest stable release of apache (2.0.47) and php4-STABLE-200307170130.

Same problem.

For some reason the .htaccess overrides in the first directory are sticking across invocations. Not sure about the architecture of the code but it sure looks like the php module isn't resetting its values between transactions.
 [2003-07-16 22:17 UTC] dkh-php at nighttide dot net
One further note.

If an .htaccess file redefines the auto_prepend_file and auto_append_file variables in the second page things work as expected.
 [2003-08-14 01:16 UTC] sniper@php.net
How was Apache2 configured?

 [2003-08-15 21:15 UTC] dkh-php at nighttide dot net
Do you want the whole configuration file?

It's a pretty standard configuration. Regular host and a couple of virtual hosts.

Lines directly relevant to php:

LoadModule php4_module   modules/libphp4.so

DirectoryIndex index.html index.php index.shtml index.html.var

AddType application/x-httpd-php .php

ErrorDocument lines all pointing to /errors.php
 [2003-08-15 21:29 UTC] sniper@php.net
I wanted to know what was the configure line used to configure Apache2 before running 'make'..

 [2003-08-15 21:37 UTC] dkh-php at nighttide dot net
Ah, responded to that in our 11 Jul exchange hence my confusion.

./configure --prefix=/usr/local/apache2 --enable-mods-shared=most
--enable-ssl
 [2003-08-15 21:41 UTC] sniper@php.net
Oh, my bad. We can't really do anything about this unless we can reproduce this ourselves so you need to provide us all the necessary information how to do it. So you need to create shortest possible httpd.conf, php.ini, .htaccess, etc. which we can then use to setup our own test environment.

 [2003-12-22 16:17 UTC] dkh-php at nighttide dot net
4.3.4 with Apache 2.0.48 on FreeBSD 4.9-STABLE still seeing this problem.

Default php.ini files. htaccess files described previously. I've seen a number of comments regarding this problem now coming from Linux users as well. php config info below:

CPPFLAGS="-I/usr/local/include/pth" \
  ./configure \
  --prefix=/usr/local/php \
  --with-apxs2=/usr/local/apache2/bin/apxs \
  --with-mysql=/usr/local/mysql \
  --with-tsrm-pth=/usr/local/lib/pth \
  --with-zlib \
  --with-bz2 \
  --with-openssl \
  --with-pspell \
  --with-curl \
  --with-gdbm \
  --with-ndbm \
  --with-gettext \
  --with-mcrypt \
  --with-pear \
  --with-gd \
  --enable-magic-quotes \
  --enable-bcmath \
  --enable-ftp \
  --enable-memory-limit \
  --enable-dba \
  --with-flatfile \
  --with-mime-magic \
  --with-ncurses \
  --with-exif \
  --with-dom \
  --with-dom-xslt \
  --with-dom-exslt \
  --with-freetype-dir=/usr/local/lib \
  --enable-gd-native-ttf \
  --with-wddx
 [2003-12-22 17:10 UTC] dkh-php at nighttide dot net
This is also a problem with 5.0.0b3.

One new item, I notice that the include path is also not being reset in these instances. The local value sticks. This is not a problem for things like magic_quotes_gpc which only affects the correct local value.
 [2003-12-30 20:02 UTC] sniper@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

Same as bug #25753
 [2004-01-11 07:14 UTC] d dot mekic-php at interlize dot net
We've got the same problem with Apache 2.0.48 and PHP 4.3.4 running under RedHat 9.0.
 [2004-01-11 07:29 UTC] d dot mekic-php at interlize dot net
The solution seems to be to enable SAFE_MODE for the sites which use (in .htaccess or httpd.conf) the prepend command.
 [2004-01-26 01:48 UTC] paul at vanbrouwershaven dot com
Same problem with apache 2.0.48 and PHP 4.3.4

We "solved" the problem by downgrading to PHP 4.3.1
 