Bug #35264 safe-mode errors with multiple include virtual requests
Submitted: 2005-11-17 15:26 UTC
Modified: 2005-11-18 12:58 UTC
From: maddog2k at maddog2k dot net
Assigned:
Status: Closed
Package: Apache2 related
PHP Version: 5CVS, 4CVS (2005-11-17) (snap)
OS: Linux
Private report: No
CVE-ID:
 [2005-11-17 15:26 UTC] maddog2k at maddog2k dot net
Description:
------------
This is somewhat a copy of bug #35029 (segmentation faults with multiple include virtual requests).

The problem here is that at least with php4-STABLE-200511160748 (combined with at least Apache 2.0.54/.55) either it segfaults or a safe_mode error pops up.

This has worked in PHP 4.4.0 and below with same Apache-versions...

Here are the conditions:

.shtml page with 1 or more .php includes : OK
.shtml page with 1 or more .html includes : OK
.shtml page with 1 or more .php includes and 1 or more .html includes : ERROR, but ONLY if the .html appears as first include (thus before the first .php include).

If the .html is placed after the first .php include, no errors show (see: Actual result)
However, if I place a .cgi above the first .php, no problem occurs either for some strange reason.

Also, the UID mentioned by the PHP message occasionally differs, and is NEVER the actual UID... looks like some process mixup or so. (UID 978 mentioned changes sometimes, and UID 1027 is the actual UID).

But, as mentioned, you don't get PHP warning but the Apache child process just exits with Segmentation fault (11).

Tried this on a lot (> 10) of machines.

Reproduce code:
---------------
test.shtml:

<html>
<body>
<!--#include virtual="/t1.html" -->
<!--#include virtual="/t1.php" -->
<!-- optionally more virtuals //-->
</body>
</html>

t1.html:
<pre>TEST1-HTML</pre>
<br>

t1.php:
<?php
print "TEST1-PHP\n<br>\n";
?>

Expected result:
----------------
<html>
<body>
OUTPUT_OF: /t1.html
OUTPUT_OF: /t1.php
</body>
</html>

Actual result:
--------------
<html>
<body>
OUTPUT OF: /t1.html

Warning: Unknown(): SAFE MODE Restriction in effect. The script whose uid is 978 is not allowed to access /opt/guide/www.some-domain.nl/HTML/t1.php owned by uid 1027 in Unknown on line 0

Warning: Unknown/opt/guide/www.some-domain.nl/HTML/t1.php): failed to open stream: No such file or directory in Unknown on line 0

Warning: Unknown(): SAFE MODE Restriction in effect. The script whose uid is 978 is not allowed to access /opt/guide/www.some-domain.nl/HTML/t1.php owned by uid 1027 in Unknown on line 0

Warning: Unknown(/opt/guide/www.some-domain.nl/HTML/t1.php): failed to open stream: No such file or directory in Unknown on line 0

Warning: (null)(): Failed opening '/opt/guide/www.some-domain.nl/HTML/t1.php' for inclusion (include_path='.:/usr/local/php4/lib/php') in Unknown on line 0


---
With segfault: [Thu Nov 17 15:22:57 2005] [notice] child pid 20071 exit signal Segmentation fault (11)

 [2005-11-17 15:27 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip


 [2005-11-17 15:58 UTC] maddog2k at maddog2k dot net
No segfault (as of yet), but still the safe mode errors show, that aren't there in <= 4.4.0

This is snapshot php5-200511171330

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 3185 is not allowed to access /opt/guide/www.deventerijsclub.nl/HTML/content/langebaan/uitslagen/t1.php owned by uid 1027 in Unknown on line 0

Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0

Warning: Unknown: Failed opening '/opt/guide/www.deventerijsclub.nl/HTML/content/langebaan/uitslagen/t1.php' for inclusion (include_path='.:/usr/local/php5/lib/php') in Unknown on line 0
 [2005-11-17 16:00 UTC] maddog2k at maddog2k dot net
(Never mind the different path shown in the output, it's a 2nd test-site)
 [2005-11-17 16:14 UTC] sniper@php.net
Then turn off the safe-mode? Or make sure the script is owned by correct user id.
 [2005-11-17 16:15 UTC] sniper@php.net
There really is no bug here. If it didn't complain before, THAT was the bug.

 [2005-11-17 16:30 UTC] maddog2k at maddog2k dot net
Like I said :) the script DOES work when FIRST including the .php and THEN the .html. All UIDs are correct, cause otherwise the above wouldn't work either.

For some reason there seems to be a UID mix-up when calling the .html first to be included...
 [2005-11-17 16:56 UTC] iliaa@php.net
Is the HTML file owned by user with a UID of 3185?
 [2005-11-17 17:07 UTC] maddog2k at maddog2k dot net
No, by the uid 1027.
All files & directories requested are owned by user 1027, not 3185.

3185 came falling out of the sky...

When I modify the file a bit, 3185 suddenly becomes for example UID 1307. 

Apparently it goes wrong somewhere with UID-checking, I guess it's taking UID from a different process or so instead of the executing process.

Like I said, it works when swapping the two <!--#include lines...
4.4.0 and below do not show this behaviour..
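
A triage helper for the symptom discussed in this thread, added here as an example and not part of the original report or of PHP: it parses safe_mode warnings in the format quoted above and flags files where the reported script UID changes between requests or is not a known account, which points at a bad UID lookup rather than wrong file ownership. The function names, the `known_uids` input and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the safe_mode warning text in the format quoted in this report.
SAFE_MODE_RE = re.compile(
    r"SAFE MODE Restriction in effect\.\s+The script whose uid is (\d+) "
    r"is not allowed to access (\S+) owned by uid (\d+)"
)

def parse_warnings(lines):
    """Yield (script_uid, path, owner_uid) for each safe_mode warning line."""
    for line in lines:
        m = SAFE_MODE_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def triage(lines, known_uids):
    """Group warnings per file and flag signs of a bogus UID comparison.

    known_uids is an assumption: the operator supplies the UIDs that
    legitimately own scripts on the host (e.g. from the passwd database).
    """
    per_file = defaultdict(set)
    for script_uid, path, _owner_uid in parse_warnings(lines):
        per_file[path].add(script_uid)

    report = {}
    for path, script_uids in per_file.items():
        reasons = []
        if len(script_uids) > 1:
            reasons.append("script uid varies between requests")
        unknown = sorted(script_uids - set(known_uids))
        if unknown:
            reasons.append(f"script uid not a known account: {unknown}")
        report[path] = reasons or ["consistent mismatch: check file ownership"]
    return report

# Constructed sample log (paths and the site-b entry are made up).
SAMPLE_LOG = [
    "Warning: Unknown(): SAFE MODE Restriction in effect. The script whose uid is 978 "
    "is not allowed to access /srv/www/site-a/t1.php owned by uid 1027 in Unknown on line 0",
    "Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 3185 "
    "is not allowed to access /srv/www/site-a/t1.php owned by uid 1027 in Unknown on line 0",
    "Warning: Unknown(): SAFE MODE Restriction in effect. The script whose uid is 1027 "
    "is not allowed to access /srv/www/site-b/inc.php owned by uid 1040 in Unknown on line 0",
    "Warning: Unknown(/srv/www/site-a/t1.php): failed to open stream: "
    "No such file or directory in Unknown on line 0",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, known_uids={1027, 1040}).items():
        print(path, "->", "; ".join(reasons))
```
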
 [2005-11-17 22:26 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

Apache 2 patch was just applied and there is a good chance it will fix the problem.
 [2005-11-18 12:42 UTC] maddog2k at maddog2k dot net
Alrighty, this fixes most of the problems.
Thank you ! :)

However, still sometimes a problem when PHP is mixed with SSI, that seems related to output_buffering. If I set output_buffering to a value < 16384 on a specific site, Apache2 child segfaults (again). When I set output_buffering = 0 or Off, no change.

In the scripts themselves there is no output_buffering used at all.

Hopefully you can fix this too, as this worked again correctly with PHP 4.4.0 and below :)
 [2005-11-18 12:58 UTC] tony2001@php.net
Fixed -> closed.
If you have any other problems, please file a separate report and provide all the information required to reproduce the issue.
 
Last updated: Wed Apr 16 04:02:11 2014 UTC