|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31892 PHP_SELF incorrect without cgi.fix_pathinfo, but turning on screws up PATH_INFO
Submitted: 2005-02-09 09:34 UTC Modified: 2007-08-08 13:03 UTC
Avg. Score:4.8 ± 0.5
Reproduced:33 of 33 (100.0%)
Same Version:14 (42.4%)
Same OS:19 (57.6%)
From: ceefour at gauldong dot net Assigned: dmitry
Status: Closed Package: CGI/CLI related
PHP Version: 5CVS, 4CVS (2005-02-11) OS: *
Private report: No CVE-ID:
 [2005-02-09 09:34 UTC] ceefour at gauldong dot net
Following up bug #31843, I tried to set cgi.fix_pathinfo On, which is "weird" considering that this option says ANYthing about PHP_SELF. But a good friend of mine pointed out it works on fixing PHP_SELF, so I did, and to my surprise, it works!

So, my problem was solved, PHP_SELF was returning the correct value... though not in a very elegant way, in my opinion, since who has access to some hosting server's php.ini? Everyone but the most elite premium services, I guess. Nonetheless it worked, so I enjoyed cherish, fortune, and glory... for several seconds.

It turned that turning on cgi.fix_pathinfo actually screws up PATH_INFO, at least in my configuration, which is VERY strange considering the name of the option (shouldn't it be cgi.fix_phpself_and_screw_up_pathinfo???) ;-)

Let me apologize for a bit of sinism but really it was just for making fun out of it. So, phpinfo() says PATH_INFO and PATH_TRANSLATED is now "no value". Something's good though, ORIG_PATH_* returns the correct value (weird). It's possible to use ORIG_PATH_* but I guess I should stick to the standards. Since that server was in heavy use, I quickly realized that by just turning that option on, I could have caused many pages to fail (since they rely on PATH_INFO) so I quickly turn this option off again (I already had a workaround for PHP_SELF bug, it's not a problem anymore but I'm still seeking for an elegant resolution on this, in the part of PHP developers not in my part).

Reproduce code:

Expected result:
PHP_SELF: phpinfo.php/test/me
PATH_INFO: /test/me

Actual result:

PHP_SELF: /test/me
PATH_INFO: /test/me


PHP_SELF: phpinfo.php/test/me
PATH_INFO: (no value)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-02-13 23:19 UTC] ceefour at gauldong dot net
I have verified this problem with PHP 5.0.3 on Linux 2.4 and it also exists in PHP 5.0.3.

I'm using PHP 5.0.3 as CGI under Apache 1.3.33.

Check out this link:

It gives out the following results:
_SERVER["PATH_INFO"]	/test/me
_SERVER["PATH_TRANSLATED"]	/home/u1294/domain/
_SERVER["ORIG_PATH_TRANSLATED"]	/home/u1294/domain/
_SERVER["ORIG_PATH_INFO"]	/phpinfo.php/test/me
_SERVER["ORIG_SCRIPT_NAME"]	/cgi-bin/php
_SERVER["ORIG_SCRIPT_FILENAME"]	/home/u1294/domain/
_SERVER["PHP_SELF"]	/phpinfo.php

Note that it's using a default php.ini for PHP 5 meaning cgi.fix_pathinfo is turned ON.

In the above results PHP_SELF is incorrect. It should be /phpinfo.php/test/me (it's missing the pathinfo part). Other variables are correct I suppose. I hope this is fixed soon. And also in PHP 4.

The fact that this bug exists in the latest versions of both PHP 4 and PHP 5 is truly beyond me. :-(
 [2006-02-06 21:52 UTC] php-bugs at dave dot staff dot spoonguard dot org
The following patch causes $_SERVER['PHP_SELF'] to include the PATH_INFO component when running under CGI:

Previously, PHP_SELF was being set to SCRIPT_NAME when cgi.fix_pathinfo was set. This changes the behavior, by setting PHP_SELF to SCRIPT_NAME + PATH_INFO.

Is this similar to what you're looking for?


- Dave
 [2006-05-09 02:11 UTC] lwalker at magi dot net dot au
I'm expreiencing the same issue on PHP 4.3 + 4.4 under Apache 1.3.33 and have had to switch back to mod_php for our hosting server.

Tried to access the patch to have a look at it, however it's not loading.

Do you still have a copy of the patch, or are you able to post a backported PHP 4.x version?

I do believe that SCRIPT_NAME + PHP_INFO is the expected behaviour.
 [2006-05-11 14:34 UTC] kk at keppler-it dot de
These patches are based on the code from Dave; the work fine within our hosting environment.

Comments welcome. :-)

Here's the code in clear text (nearly identical for 4.x and 5.x):

--- php-4.4.2/sapi/cgi/cgi_main.c.orig  2006-01-01 14:47:01.000000000 +0100
+++ php-4.4.2/sapi/cgi/cgi_main.c       2006-05-11 16:23:51.000000000 +0200
@@ -871,11 +871,25 @@
                } else {
                        /* pre 4.3 behaviour, shouldn't be used but provides BC */
+                       /*
                        if (env_path_info) {
                                SG(request_info).request_uri = env_path_info;
                        } else {
                                SG(request_info).request_uri = env_script_name;
+                       */
+                       /* <> PHP_SELF := SCRIPT_NAME + PATH_INFO */
+                       /* Patch based upon */
+                       SG(request_info).request_uri = sapi_cgibin_getenv("SCRIPT_NAME", 0 TSRMLS_CC);
+                       if (SG(request_info).request_uri && (env_path_info = sapi_cgibin_getenv("PATH_INFO", 0 TSRMLS_CC))) {
+                               int request_uri_len = strlen(SG(request_info).request_uri) + strlen(env_path_info) + 1;
+                               char *request_uri = (char *) emalloc(request_uri_len);
+                               *request_uri = '\0';
+                               strcat(request_uri, SG(request_info).request_uri);
+                               strcat(request_uri, env_path_info);
+                               SG(request_info).request_uri = request_uri;
+                       }
+                       /* </kk> */
                        if (env_path_translated)
                                script_path_translated = env_path_translated;
 [2006-05-29 18:47 UTC] php dot net at jon dot limedaley dot com
I assume this isn't going to be fixed? since it has been a year since it was reported, and it is still in the "verified" state.

I figured php5 would be stable by now, but it appears that php_self is broken with cgi.fix_pathinfo=0 and _SERVER["PATH_INFO"] is broken with cgi.fix_pathinfo=1.

Is the official solution to use php4 instead?
 [2007-07-26 19:18 UTC] mccammos at onid dot oregonstate dot edu
I just tried a July 26, 2007 snapshot of php5.2 and can report that the bug still remains unfixed.
 [2007-08-07 12:55 UTC]
This patch (against latest CVS checkout of PHP_5_2 branch) should fix the issues with PHP_SELF/PATH_INFO/etc. I tested under Apache 2 and it works fine now:

Please test it ASAP! We're about to roll 5.2.4 and it would be really nice to fix this issue once and for all..
 [2007-08-08 13:03 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2016 The PHP Group
All rights reserved.
Last updated: Fri May 06 05:01:46 2016 UTC