Request #30849 example conf of README.FastCGI is not secure (or: fastcgi + force_redirect)
Submitted: 2004-11-20 14:22 UTC Modified: 2017-01-29 04:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: xuefer at 21cn dot com Assigned:
Status: No Feedback Package: *General Issues
PHP Version: 4.3.9 OS: win
Private report: No CVE-ID: None

 [2004-11-20 14:22 UTC] xuefer at 21cn dot com
Description:
------------
sapi/cgi/README.FastCGI (with Apache mod_fastcgi)
Both the ScriptAlias (dynserver) and the Alias (static server) methods have a security problem.
force_redirect is not done for FastCGI, only for CGI.
This has the same problem as CGI with no force_redirect.
I guess redirect checking can be done after $_SERVER is ready, while CGI uses getenv.

Separate PHP is not affected by this problem.



 [2004-12-13 10:10 UTC] xuefer at 21cn dot com
The bug is, "force_redirect" is not implemented by the FastCGI SAPI; maybe this is a feature request?
This leads to the same issue as CGI, because both of them use ScriptAlias.
AFAIK, ScriptAlias is good for normal CGI programs, but bad for scripting languages without "force_redirect".

Using ScriptAlias,
http://your-server/fcgi/php-fcgi/abc.php
has the same issue as:
http://your-server/cgi-bin/php-cgi/abc.php

The only thing I can do is to use "auto_prepend_file" to add a script that checks $_SERVER for REDIRECT_STATUS. This should be better done in the API, IMHO.

I don't know how to explain, but it's the same as CGI. It's just that "force_redirect" doesn't work and I need it.
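
A sketch of the auto_prepend_file workaround described in the comment above, as an added example (not code from the reporter or from PHP itself). It assumes the web server hands .php requests to the FastCGI binary through an internal redirect, so that REDIRECT_STATUS is set on legitimate requests; the file name and the helper names are hypothetical.

```php
<?php
// force_redirect_guard.php (hypothetical file name): added example, not PHP's own code.
// Enable with php.ini:  auto_prepend_file = "/path/to/force_redirect_guard.php"

/**
 * True when the web server marked the request as an internal redirect.
 * Only REDIRECT_STATUS is consulted; HTTP_* entries are built from client
 * request headers and are not evidence of a server-side redirect.
 */
function came_through_redirect(array $server)
{
    return isset($server['REDIRECT_STATUS']) && $server['REDIRECT_STATUS'] !== '';
}

/** Replace control characters so a crafted URI cannot forge extra log lines. */
function log_safe($value)
{
    return preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value);
}

// Guard only the CGI/FastCGI SAPIs; CLI and module SAPIs are left alone.
if (in_array(PHP_SAPI, array('cgi', 'cgi-fcgi'), true) && !came_through_redirect($_SERVER)) {
    // Record the blocked request so direct hits on the interpreter URL are visible in logs.
    error_log(sprintf(
        'force_redirect guard: blocked direct request uri=%s remote=%s',
        log_safe(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-'),
        log_safe(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-')
    ));
    http_response_code(403); // requires PHP >= 5.4
    header('Content-Type: text/plain');
    exit("Forbidden\n");
}
```

If the server configuration never performs an internal redirect to the interpreter, REDIRECT_STATUS is absent on every request and this guard blocks all of them, so confirm the variable is present on a normal request before enabling it.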
 [2004-12-29 12:16 UTC] grange at club-internet dot fr
I added a note on http://www.php.net/manual/en/security.cgi-bin.php to achieve the same results with mod_rewrite.
 [2017-01-20 20:27 UTC] heiglandreas@php.net
-Status: Open +Status: Feedback -Package: Feature/Change Request +Package: *General Issues
 [2017-01-20 20:27 UTC] heiglandreas@php.net
Is this still relevant?
 [2017-01-29 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
Last updated: Sat Apr 27 01:01:30 2024 UTC