Bug #41628 php settings leak between vhosts on apache 1.3
Submitted: 2007-06-07 15:54 UTC Modified: 2007-06-18 15:54 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: manuel at mausz dot at Assigned: scottmac
Status: Closed Package: Apache related
PHP Version: 4.4.7 OS: Linux
Private report: No CVE-ID:
 [2007-06-07 15:54 UTC] manuel at mausz dot at
PHP ini settings leak between different vhosts under certain circumstances. This is reproducible on FreeBSD and Linux (Gentoo with and without their patchset) with Apache 1.3 and PHP4 + PHP5 running as module. It's not reproducible with Apache 2.0.

This only occurs when putting a php_flag/value setting in a Directory-directive, which will affect two (or more) vhosts. Please note that the directive is totally unimportant.

Reproduce code:
(1) create test files
# cat /var/www/vhost1/dir1/index.php
<?php
  // print the effective ini values plus the worker pid serving this request
  echo "register_globals: " . intval(ini_get('register_globals')) . "\n";
  echo "safe_mode:        " . intval(ini_get('safe_mode')) . "\n";
  echo "pid:              " . getmypid() . "\n";

# cat /var/www/vhost1/dir2/index.php
... same as above ...

(2) change apache settings to only fork one worker
KeepAlive Off
MinSpareServers 1
MaxSpareServers 1
StartServers 1
MaxClients 1

<Directory "/var/www/vhost1">
  AllowOverride Options
  php_admin_flag engine on
</Directory>

<VirtualHost *>
  DocumentRoot /var/www/vhost1/dir1/
  ServerName vhost1.domain.tld
  php_admin_value open_basedir /var/www/vhost1/
</VirtualHost>

<VirtualHost *>
  DocumentRoot /var/www/vhost1/dir2/
  ServerName vhost2.domain.tld
  php_admin_value open_basedir /var/www/vhost1/
  php_admin_value register_globals 1
</VirtualHost>

(3) open vhosts
- open vhost1
- open vhost2
- open vhost1 again

Expected result:
vhost1 (first time):
  register_globals: 0
  safe_mode: 0

vhost2:
  register_globals: 1
  safe_mode: 0

vhost1 (second time):
  register_globals: 0
  safe_mode: 0

Actual result:
vhost1 (first time):
  register_globals: 0
  safe_mode: 0

vhost2:
  register_globals: 1
  safe_mode: 0

vhost1 (second time):
  register_globals: 1
  safe_mode: 0


 [2007-06-07 16:15 UTC] manuel at mausz dot at
As far as I have analyzed, the problem is that on startup apache calls php_create_dir to create a hashtable holding the Directory-directive ("engine on" in our case). On viewing vhost1 this hashtable will get passed to php_merge_dir as addv- (target) parameter so php will merge other directives into that hashtable. On viewing vhost2 the same hashtable will get passed to php_merge_dir already containing directives from vhost1.
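The state carry-over described in the comment above can be reproduced with a small stand-alone C model. This is an added illustration, not code from PHP, Apache, or the patch discussed in this report: `conf_t`, `merge_in_place`, `merge_fresh` and `third_request` are hypothetical names, the tables are constructed from the report's test case, and the precedence rule is a simplifying assumption.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_ENTRIES 8

/* Toy stand-in for the HashTable of ini settings (hypothetical type). */
typedef struct {
    const char *key[MAX_ENTRIES], *val[MAX_ENTRIES];
    int n;
} conf_t;

static const char *conf_get(const conf_t *c, const char *k) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->key[i], k) == 0) return c->val[i];
    return NULL;
}

/* Copy entries of src that dst lacks (simplified precedence, an assumption). */
static void conf_add_missing(conf_t *dst, const conf_t *src) {
    for (int i = 0; i < src->n && dst->n < MAX_ENTRIES; i++)
        if (!conf_get(dst, src->key[i])) {
            dst->key[dst->n] = src->key[i];
            dst->val[dst->n++] = src->val[i];
        }
}

/* Leaky: merges into addv, the long-lived table created at startup. */
static conf_t *merge_in_place(conf_t *basev, conf_t *addv) {
    conf_add_missing(addv, basev);
    return addv;
}

/* Side-effect free: result goes into a new table (never freed in this toy). */
static conf_t *merge_fresh(conf_t *basev, conf_t *addv) {
    conf_t *res = calloc(1, sizeof *res);
    if (!res) abort();
    conf_add_missing(res, addv);
    conf_add_missing(res, basev);
    return res;
}

/* Replays vhost1, vhost2, vhost1 in one worker; returns register_globals as seen by request 3. */
static const char *third_request(conf_t *(*merge)(conf_t *, conf_t *)) {
    conf_t dir = { {"engine"}, {"1"}, 1 };  /* constructed from the test case */
    conf_t vhost1 = { {"open_basedir"}, {"/var/www/vhost1/"}, 1 };
    conf_t vhost2 = { {"open_basedir", "register_globals"}, {"/var/www/vhost1/", "1"}, 2 };
    merge(&vhost1, &dir);
    merge(&vhost2, &dir);
    const char *v = conf_get(merge(&vhost1, &dir), "register_globals");
    return v ? v : "0";  /* "0" stands for the unset default */
}
```

With `merge_in_place` the third request sees `register_globals` as `1`, matching the "Actual result" in the report; with `merge_fresh` it sees `0`, matching the "Expected result".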
 [2007-06-07 21:32 UTC]
I spent quite some time on a similar problem reproducible ONLY with Apache 2.0 and it looked pretty much the same: Apache does not call the handlers required to re-initialize the environment before processing the request, so the environment is "inherited" from the previous request.
I really doubt it's a PHP problem that Apache does not do its job properly, but at the same time I'm not competent enough in Apache internals, so I can't say I'm absolutely sure (just about 95%).
Your second post just confirms my conclusions.
 [2007-06-08 15:53 UTC] manuel at mausz dot at
I've found the problem quite quickly after looking at the example module shipped with apache.


I think it's pretty obvious what php was doing wrong here. But it's funny that the apache2 integration is correct although it's mostly the same api.
 [2007-06-09 22:53 UTC]
Can you try the patch at

It appears to work with the provided test case when php_admin_value register_globals 1 is changed to php_admin_flag register_globals on

If you get no problems then I'll commit it at some point next week.
 [2007-06-09 23:00 UTC]
Never noticed your patches attached before I went and dealt with this, your fix is identical to mine so I'll apply these patches on Monday morning to all active branches.
 [2007-06-10 16:38 UTC] manuel at mausz dot at
Yep, exactly the same :)
But your cast from "HashTable *" to "HashTable *" isn't necessary.
 [2007-06-18 15:35 UTC] manuel at mausz dot at
Any progress on this?
 [2007-06-18 15:54 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Last updated: Tue Dec 01 21:01:34 2015 UTC