Bug #41783 some bad urls produce a mangled page
Submitted: 2007-06-22 23:05 UTC
Modified: 2007-06-23 09:01 UTC
From: gs06897 at yahoo dot com
Assigned:
Status: Not a bug
Package: URL related
PHP Version: 4.4.7
OS: linux and windows
Private report: No
CVE-ID: None
 [2007-06-22 23:05 UTC] gs06897 at yahoo dot com
Description:
------------
URLs like: http://www.mywebsite/mypage.php/mypage.php produce a mangled version of the 'mypage.php' page where 'mypage.php' is not a directory containing a page called 'mypage.php', but where 'mypage.php' is a real and accessible php script on the web site.

Please don't hit the following URL frequently as the mangled pages are destroying us in bandwidth usage: http://www[dot]seaoftranquility[dot]org/reviews.php/reviews.php

Sorry about the [dot] edit.

Actually, it doesn't really matter what you type after the last slash. Somehow PHP is realising that there is a page called 'reviews.php', or whatever--as long as the page is valid--and trying to return the page, but not being terribly successful about it. It's like the 'directory' cyclically resolves the script, but then PHP gets thoroughly confused about what to serve.

The header returned is 200 (Ok), and this is what is becoming a problem with search engines linking to the bad URLs.

I've been able to produce this on three different versions of PHP, and on servers running two different versions of Apache and PHP on Linux, as well as a Microsoft IIS server with PHP. All using different web sites and different PHP code. 

Truly non-existent pages are correctly rejected with 404 Not Found. 

Expected result:
----------------
404 Not Found should be sent in the header, instead of PHP sending a partial page.

Actual result:
--------------
Web server returns status 200 (Ok) along with PHP decoding and producing only a partial, mangled version of the actual PHP-generated page.

 [2007-06-23 09:01 UTC] rasmus@php.net
This is normal behaviour and known as PATH_INFO.  Thousands of sites out there rely on it heavily and it is working exactly as it should.  If you don't want PATH_INFO URLs to work on your server, turn them off in your Apache config or check for them in your PHP code.  Apache2 has an AcceptPathInfo directive that controls this.
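
Added example, not part of the bug thread and not PHP project code: one way to do the in-code check mentioned in the reply above, answering 404 when a request carries PATH_INFO that the script does not use. The allowlist, the function names and the sample requests are assumptions made for illustration.

```php
<?php
// Added example (not from the bug report). Include before any output is sent.
// Hypothetical allowlist of scripts that intentionally route on PATH_INFO.
$pathInfoAllowed = array('/index.php');

// Return the extra path after the script name, or '' when there is none.
// Falls back to REQUEST_URI/SCRIPT_NAME when the server leaves PATH_INFO unset.
function trailing_path_info($server)
{
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return $server['PATH_INFO'];
    }
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
    $parts  = explode('?', $uri, 2);            // drop the query string
    $path   = rawurldecode($parts[0]);
    if ($script !== '' && strpos($path, $script . '/') === 0) {
        return substr($path, strlen($script));
    }
    return '';
}

// True when the request has trailing path data the script did not ask for.
function has_unexpected_path_info($server, $allowed)
{
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';
    return trailing_path_info($server) !== '' && !in_array($script, $allowed, true);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests, mirroring the URL shape in the report.
    $samples = array(
        array('SCRIPT_NAME' => '/reviews.php', 'REQUEST_URI' => '/reviews.php/reviews.php'),
        array('SCRIPT_NAME' => '/reviews.php', 'REQUEST_URI' => '/reviews.php?id=7'),
        array('SCRIPT_NAME' => '/index.php', 'REQUEST_URI' => '/index.php/news/2007',
              'PATH_INFO' => '/news/2007'),
    );
    foreach ($samples as $s) {
        echo $s['REQUEST_URI'], ' => ',
             has_unexpected_path_info($s, $pathInfoAllowed) ? '404' : 'serve', "\n";
    }
} elseif (has_unexpected_path_info($_SERVER, $pathInfoAllowed)) {
    $proto = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1';
    header($proto . ' 404 Not Found');
    echo 'Not Found';
    exit;
}
```

On Apache 2 the same effect is available without code by setting `AcceptPathInfo Off` for the affected scripts.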
 