PHP :: Bug #30279 :: 404 instead of 403 when permission denied

Bug #30279	404 instead of 403 when permission denied
Submitted:	2004-09-29 19:27 UTC	Modified:	2004-09-30 03:58 UTC
From:	pviet at azuria dot com	Assigned:
Status:	Not a bug	Package:	CGI/CLI related
PHP Version:	4.3.9	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	pviet at azuria dot com
New email:
PHP Version:		OS:

New Comment:

[2004-09-29 19:27 UTC] pviet at azuria dot com

Description:
------------
Status 404 instead of 403 when file passed via environment is not accessible. This leads to error on debugging and took me about 7hrs to find what was really happening
(wrong rights)

Reproduce code:
---------------
Abstract :
- A PHP file is called x.php, located in /data/www/x.php
- My user is called someunixuser
- This someunixuser can't read the file because lacking unix permissions (not owner, 0700 or so on)

mybox:~$ cat /data/www/x.php
cat: /data/www/x.php: Permission denied

mybox:~$ env SCRIPT_FILENAME=/data/www/x.php /usr/bin/php
Status: 404
Content-type: text/html
X-Powered-By: PHP/4.3.9

No input file specified.
mybox:~$

Expected result:
----------------
Return a 403 and "Permission denied on /data/web/x.php"

Actual result:
--------------
Return a 404 and "No input files"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-09-30 03:28 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP has no way of knowing if a file existings when it does not have permission to access. Hence the 404 error message.

[2004-09-30 03:54 UTC] pviet at azuria dot com

Isn't it more logical that denied should return 403.. ?
(and keep 404 for when php KNOWS the file doesn't exist, eg. has access to the directory)

[2004-09-30 03:58 UTC] iliaa@php.net

In some cases it may have access to the directory and in other cases it may not. So rather then return 2 different error codes for the same error PHP tries to be consistent.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Apr 29 05:01:28 2024 UTC