Bug #41628 php settings leak between vhosts on apache 1.3
Submitted: 2007-06-07 15:54 UTC Modified: 2007-06-18 15:54 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: manuel at mausz dot at Assigned: scottmac
Status: Closed Package: Apache related
PHP Version: 4.4.7 OS: Linux
Private report: No CVE-ID:
 [2007-06-07 15:54 UTC] manuel at mausz dot at
Description:
------------
PHP ini settings leak between different vhosts under certain circumstances. This is reproducible on FreeBSD and Linux (Gentoo with and without their patchset) with Apache 1.3 and PHP4 + PHP5 running as module. It's not reproducible with Apache 2.0.

This only occurs when putting a php_flag/value setting in a Directory-directive, which will affect two (or more) vhosts. Please note that the directive is totally unimportant.


Reproduce code:
---------------
(1) create test files
# cat /var/www/vhost1/dir1/index.php
<pre>
<?php
  echo "register_globals: " . intval(ini_get('register_globals')) . "\n";
  echo "safe_mode:        " . intval(ini_get('safe_mode')) . "\n";
  echo "pid:              " . getmypid() . "\n";
?>
</pre>

# cat /var/www/vhost1/dir2/index.php
... same as above ...

(2) change apache settings to only fork one worker
KeepAlive Off
MinSpareServers 1
MaxSpareServers 1
StartServers 1
MaxClients 1

<Directory "/var/www/vhost1">
  AllowOverride Options
  php_admin_flag engine on
</Directory>

<VirtualHost *>
  DocumentRoot /var/www/vhost1/dir1/
  ServerName vhost1.domain.tld
  php_admin_value open_basedir /var/www/vhost1/
</VirtualHost>

<VirtualHost *>
  DocumentRoot /var/www/vhost1/dir2/
  ServerName vhost2.domain.tld
  php_admin_value open_basedir /var/www/vhost1/
  php_admin_value register_globals 1
</VirtualHost>

(3) open vhosts
- open vhost1
- open vhost2
- open vhost1 again

Expected result:
----------------
vhost1 (first time):
  register_globals: 0
  safe_mode: 0

vhost2:
  register_globals: 1
  safe_mode: 0

vhost1 (second time):
  register_globals: 0
  safe_mode: 0

Actual result:
--------------
vhost1 (first time):
  register_globals: 0
  safe_mode: 0

vhost2:
  register_globals: 1
  safe_mode: 0

vhost1 (second time):
  register_globals: 1
  safe_mode: 0

 [2007-06-07 16:15 UTC] manuel at mausz dot at
As far as I have analyzed the problem is that on startup apache calls php_create_dir to create a hashtable holding the Directory-directive ("engine on" in our case). On viewing vhost1 this hashtable will get passed to php_merge_dir as addv- (target) parameter so php will merge other directives into that hashtable. On viewing vhost2 the same hashtable will get passed to php_merge_dir already containing directives from vhost1.
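
The in-place merge described in the comment above, reduced to a self-contained C model and replayed with the report's vhost1, vhost2, vhost1 sequence. This is an added example, not PHP's or Apache's source: the `table` type and all function names are hypothetical, and the copying variant assumes the remedy is to build the merged result in per-request storage and leave both inputs untouched.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the per-directory HashTable (hypothetical type). */
typedef struct { const char *key, *val; } entry;
typedef struct { entry e[8]; int n; } table;
typedef table *(*merge_fn)(const table *, table *, table *);

static const char *table_get(const table *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].key, key) == 0) return t->e[i].val;
    return NULL;
}

/* Add key only if absent, so entries already in the target win. */
static void table_add(table *t, const char *key, const char *val) {
    if (!table_get(t, key) && t->n < 8) t->e[t->n++] = (entry){ key, val };
}

/* Buggy shape: merges base into the long-lived add table and returns it. */
static table *merge_in_place(const table *base, table *add, table *scratch) {
    (void)scratch;
    for (int i = 0; i < base->n; i++) table_add(add, base->e[i].key, base->e[i].val);
    return add;
}

/* Corrected shape: inputs untouched, result built in per-request storage. */
static table *merge_copy(const table *base, table *add, table *scratch) {
    *scratch = *add;
    for (int i = 0; i < base->n; i++) table_add(scratch, base->e[i].key, base->e[i].val);
    return scratch;
}

/* Replays vhost1, vhost2, vhost1 in one worker; returns the last register_globals. */
static const char *replay(merge_fn merge) {
    table dir = { { { "engine", "1" } }, 1 };                /* <Directory> block */
    table vh1 = { { { "open_basedir", "/var/www/vhost1/" } }, 1 };
    table vh2 = { { { "open_basedir", "/var/www/vhost1/" },
                    { "register_globals", "1" } }, 2 };
    table req;                                               /* per-request result */
    merge(&vh1, &dir, &req);
    merge(&vh2, &dir, &req);
    return table_get(merge(&vh1, &dir, &req), "register_globals");
}

int main(void) {
    const char *a = replay(merge_in_place), *b = replay(merge_copy);
    printf("in-place: %s, copying: %s\n", a ? a : "(unset)", b ? b : "(unset)");
    return 0;
}
```

The single `dir` table plays the role of the startup-time Directory configuration, which is why the report needed a one-worker Apache to reproduce the leak deterministically.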
 [2007-06-07 21:32 UTC] tony2001@php.net
I spent quite some time on a similar problem reproducible ONLY with Apache 2.0 and it looked pretty much the same: Apache does not call the handlers required to re-initialize the environment before processing the request, so the environment is "inherited" from the previous request.
I really doubt it's a PHP problem that Apache does not do its job properly, but at the same time I'm not competent enough in Apache internals, so I can't say I'm absolutely sure (just about 95%).
Your second post just confirms my conclusions.
 [2007-06-08 15:53 UTC] manuel at mausz dot at
I've found the problem quite quickly after looking at the example module shipped with apache.

Patches:
http://manuel.mausz.at/coding/patches/php/4.4.7/php4.4.7-apache-merge_dir.patch
http://manuel.mausz.at/coding/patches/php/5.2.3/php5.2.3-apache-merge_dir.patch

I think it's pretty obvious what php was doing wrong here. But it's funny that the apache2 integration is correct although it's mostly the same api.
 [2007-06-09 22:53 UTC] scottmac@php.net
Can you try the patch at http://server.macvicar.net/patches/php-bug113559.patch

It appears to work with the provided test case when php_admin_value register_globals 1 is changed to php_admin_flag register_globals on.

If you get no problems then I'll commit it at some point next week.
 [2007-06-09 23:00 UTC] scottmac@php.net
Never noticed your patches attached before I went and dealt with this, your fix is identical to mine so I'll apply these patches on Monday morning to all active branches.
 [2007-06-10 16:38 UTC] manuel at mausz dot at
Yep, exactly the same :)
But your cast from "HashTable *" to "HashTable *" isn't necessary.
 [2007-06-18 15:35 UTC] manuel at mausz dot at
Any progress on this?
 [2007-06-18 15:54 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
Last updated: Wed Apr 23 07:02:14 2014 UTC