Bug #46366 bad cwd with / as pathinfo
Submitted: 2008-10-22 16:07 UTC
Modified: 2008-11-28 11:57 UTC
From: courtois at nouvo dot com
Assigned: dmitry
Status: Closed
Package: CGI/CLI related
PHP Version: 5.2CVS-2008-10-24
OS: windows XP
Private report: No
CVE-ID:
 [2008-10-22 16:07 UTC] courtois at nouvo dot com
Description:
------------
When / is passed as pathinfo to a script, the current working directory is set to the php-cgi.exe directory instead of the script directory.

http://localhost/foo/bar.php gives: 
cwd===>C:\Program Files\Apache Group\Apache2\htdocs\foo<=== which is ok

http://localhost/foo/bar.php/x gives:
cwd===>C:\Program Files\Apache Group\Apache2\htdocs\foo<=== which is ok

http://localhost/foo/bar.php/ gives:
cwd===>C:\Program Files\PHP<=== which is obviously not ok, therefore all includes in scripts fail

apache 2 config:

ScriptAlias /php/ "C:/Program Files/PHP/"
Action application/x-httpd-php "/php/php-cgi.exe"

php.ini:

 cgi.fix_pathinfo=1



Reproduce code:
---------------
<?php

print "cwd===>".getcwd()."<===";

?>
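
A defensive pattern for scripts that have to run on an affected build, as an added example that is not part of the original report or of the PHP project's fix: build include paths from the script's own directory instead of the cwd, and log when the two differ. `APP_DIR`, `cwd_matches_script_dir` and `lib/config.php` are hypothetical names.

```php
<?php
// Added example, not from the bug report. PHP 5.2-compatible:
// dirname(__FILE__) is used because __DIR__ only exists from PHP 5.3.

// Directory of this script, independent of the cwd php-cgi started with.
define('APP_DIR', dirname(__FILE__));

// Hypothetical helper: true when the process cwd is the given directory.
function cwd_matches_script_dir($scriptDir)
{
    $cwd = getcwd();
    if ($cwd === false) {
        return false;
    }
    $a = realpath($cwd);
    $b = realpath($scriptDir);
    if ($a === false || $b === false) {
        return false;
    }
    // Windows paths are case-insensitive; compare exactly elsewhere.
    return DIRECTORY_SEPARATOR === '\\' ? strcasecmp($a, $b) === 0 : $a === $b;
}

if (!cwd_matches_script_dir(APP_DIR)) {
    // PATH_INFO is client-controlled: encode it before it reaches the log.
    $pathInfo = isset($_SERVER['PATH_INFO'])
        ? rawurlencode($_SERVER['PATH_INFO'])
        : '(unset)';
    error_log(sprintf('cwd mismatch: cwd=%s script_dir=%s path_info=%s',
        var_export(getcwd(), true), APP_DIR, $pathInfo));
    // Restore the directory that relative includes expect.
    if (!chdir(APP_DIR)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Server misconfiguration');
    }
}

// Includes built from APP_DIR do not depend on the cwd at all.
$config = APP_DIR . DIRECTORY_SEPARATOR . 'lib' . DIRECTORY_SEPARATOR
    . 'config.php'; // hypothetical file
if (is_file($config)) {
    require_once $config;
}

print "cwd===>" . getcwd() . "<===";
```

Requesting the script with and without a trailing `/` and comparing the printed cwd against the error log shows whether the build in use still has the behaviour reported here.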


 [2008-10-25 04:52 UTC] courtois at nouvo dot com
I tested PHP Version 5.2.7RC2-dev (2008-Oct-24 20:00:00).

With the thread safe version the problem is the same.

With the non thread safe version I get:
No input file specified. 

With both versions, calling the script without pathinfo or with a pathinfo other than / is still ok.
 [2008-10-25 09:53 UTC] jani@php.net
What if you don't set this in your php.ini:
cgi.fix_pathinfo=1

(or set it to 0)
 [2008-10-25 14:53 UTC] courtois at nouvo dot com
when cgi.fix_pathinfo=0

I get "No input file specified." for
http://localhost/foo/bar.php/ and
http://localhost/foo/bar.php/x

works for
http://localhost/foo/bar.php
 [2008-11-28 11:57 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


Last updated: Thu Apr 17 01:01:56 2014 UTC