|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2006-04-21 22:02 UTC] askalski at gmail dot com
Description: ------------ The FastCGI version of PHP does not perform the force-cgi-redirect check for page requests. If I request http://localhost/cgi-bin/php, PHP tries to parse the PHP binary in /cgi-bin as if it was a script. If cgi.fix_pathinfo is turned off, users can bypass .htaccess security. See also bug #22846. Reproduce code: --------------- PHP was configured with: ./configure --enable-fastcgi --enable-force-cgi-redirect My /cgi-bin/php is a wrapper script that sets up FastCGI environment variables: #! /bin/sh export PHPRC=/etc/apache export PHP_FCGI_CHILDREN=4 export PHP_FCGI_MAX_REQUESTS=512 exec /usr/local/bin/php Expected result: ---------------- Security Alert! The PHP CGI cannot be accessed directly. This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive. For more information as to why this behaviour exists, see the manual page for CGI security. For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page. Actual result: -------------- export PHPRC=/etc/apache export PHP_FCGI_CHILDREN=4 export PHP_FCGI_MAX_REQUESTS=512 exec /usr/local/bin/php PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Mon Apr 29 08:01:29 2024 UTC |
Yes. I've been through the cgi_main source code, which goes something like this: main() { ... /* this check here doesn't help in fastcgi mode */ do_force_redirect_check(); ... while (accept_fastcgi_connection()) { import_cgi_environment(); /* but here it would */ } ... }