Bug #39927 server variable names are silently changed
Submitted: 2006-12-22 00:28 UTC Modified: 2008-08-30 16:54 UTC
From: to_devnull at yahoo dot com Assigned:
Status: Closed Package: Apache related
PHP Version: 5.2.0 OS: all
Private report: No CVE-ID: None


 [2006-12-22 00:28 UTC] to_devnull at yahoo dot com
I'm "reopening" Bug #13961 since some moron marked it as "bogus" and I can't comment on it:

Apache module mod_setenvif sets variables in r->subprocess_env. If variable name contains character ".", then sapi_apache_register_server_variables() will replace it with "_". This breaks internal variables like force-response-1.0 (php changes it to

I hit this bug with PHP4.4.3/PHP5 and latest Apache 1.3.37. Spent several hours tracing in debugger why "downgrade-1.0" becomes "downgrade-1_0". This is a serious bug -- basically it's impossible to downgrade client request/server response to HTTP 1.0 (or disable chunking) if php is involved. What a shame!

Reproduce code:
I actually traced it by shoving a static string containing '.' in r->subprocess_env and thus getting Apache to core dump when php tries to write to read-only memory in php_register_variable_ex().


 [2006-12-22 03:34 UTC]
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at and the instructions on how to report a bug at

This is legacy of register_globals, as long as it exists . and spaces in input var names will be converted to underscores.
 [2006-12-22 21:58 UTC] to_devnull at yahoo dot com
This is a strange reply ("Read a manual, this is not a bug").
Am I doing anything wrong here? I'm using default php installation and register_globals is Off in php.ini. Is there a way to configure php not to touch values in r->subprocess_env?
My point is that php silently breaks Apache behavior by modifying specific data that is supposed to be read-only.
If Apache allows "force-response-1.0" in its subprocess_env table, why does php change it? If php wants to modify input var names, it should make a copy.
I may be totally wrong and miss some important configuration issue. In this case I'd greatly appreciate if you point me in the right direction. But canned response is not an answer.
 [2006-12-23 00:58 UTC] judas dot iscariote at gmail dot com

This behaviour is pretty much broken, why does it not check when register_globals is disabled and behave correctly?
(and maybe drop register_globals in 5.3 or asap will be nice too ;) )
 [2006-12-23 01:26 UTC]
I think the answer to that should be pretty obvious.  We don't want to change behaviour of the code with and without register_globals.  An app would have to check the register_globals setting in order to determine what the variable is called.  That's even more confusing than the current situation where it is simply consistently changed.  Once you realize that server variables may not contain spaces or dots, it is quite straightforward to write code against that.

In fact, even when register_globals is completely removed, I doubt this will change since it would break backward compatibility with all existing apps.
 [2008-08-30 16:54 UTC]
Fixed in 5.2, 5.3 and 6 CVS
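
The in-place rewrite described in the report, next to the copy-then-mangle alternative the reporter suggests, as an added example that is not from this thread or from the PHP source. `env_table`, `mangle_name`, `register_in_place` and `register_with_copy` are hypothetical stand-ins for r->subprocess_env and the registration path, and the code does not represent the fix that was committed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for Apache's r->subprocess_env; no real PHP/Apache API is used. */
struct env_table { char keys[4][32]; int n; };

/* The rule described in the thread: '.' and ' ' become '_'. */
static void mangle_name(char *s) {
    for (; *s; s++)
        if (*s == '.' || *s == ' ') *s = '_';
}

/* Constructed sample table holding the two names from the report. */
static void env_init(struct env_table *t) {
    t->n = 2;
    strcpy(t->keys[0], "downgrade-1.0");
    strcpy(t->keys[1], "force-response-1.0");
}

/* Lookup by exact name, as the server would do after PHP has run. */
static int env_has(const struct env_table *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->keys[i], name) == 0) return 1;
    return 0;
}

/* Reported behaviour: the server's own key buffers are rewritten. */
static void register_in_place(struct env_table *t) {
    for (int i = 0; i < t->n; i++) mangle_name(t->keys[i]);
}

/* Mangle a private copy of key i; the server's key is untouched. Caller frees. */
static char *register_with_copy(const struct env_table *t, int i) {
    char *copy = malloc(strlen(t->keys[i]) + 1);
    if (!copy) return NULL;
    strcpy(copy, t->keys[i]);
    mangle_name(copy);
    return copy;
}

int main(void) {
    struct env_table t;
    env_init(&t);
    char *v = register_with_copy(&t, 0);
    printf("copy: script sees %s, server key intact: %d\n", v ? v : "(oom)", env_has(&t, "downgrade-1.0"));
    free(v);
    register_in_place(&t);
    printf("in place: server key intact: %d\n", env_has(&t, "downgrade-1.0"));
    return 0;
}
```

After the in-place variant runs, an exact-name lookup for `downgrade-1.0` no longer matches, which is the symptom the reporter traced in the debugger.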
Last updated: Tue Jul 16 10:01:28 2024 UTC