Bug #51688 php_cgi_ini_activate_user_config() crashes when given apache-rewritten URL
Submitted: 2010-04-28 23:33 UTC Modified: 2010-04-30 10:15 UTC
From: marcusmarch at gmail dot com Assigned: pajoye
Status: Closed Package: Reproducible crash
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID:
 [2010-04-28 23:33 UTC] marcusmarch at gmail dot com
Description:
------------
Using php-5.3.2 as a cgi executable with Apache on Linux (though this bug looks to exist in the trunk branch as well).

We have an apache RewriteRule that turned the URL requested into another location (that unfortunately does not exist on the file system).

Here is a source change I made to find the error:
Index: sapi/cgi/cgi_main.c                                                      
=================================================================== 
diff -p -u -r1.5 cgi_main.c
--- sapi/cgi/cgi_main.c 16 Apr 2010 19:15:31 -0000  1.5
+++ sapi/cgi/cgi_main.c 28 Apr 2010 20:12:25 -0000
@@ -750,8 +750,10 @@ static void php_cgi_ini_activate_user_co
        zend_hash_clean(entry->user_config);

        if (!IS_ABSOLUTE_PATH(path, path_len)) {
+            fprintf(stderr, "MZ1 2.3, path is %s\n", path);
            real_path = tsrm_realpath(path, NULL TSRMLS_CC);
-           real_path_len = strlen(real_path);
+            fprintf(stderr, "MZ1 2.4, real_path is %s\n", real_path ? real_path : "(MZ nil)");
+           real_path_len = real_path ? strlen(real_path) : 0;
            path = real_path;
            path_len = real_path_len;
        }
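Review bot: the NULL guard on `real_path_len = real_path ? strlen(real_path) : 0;` avoids the strlen() crash, but the two context lines after it still run `path = real_path;` and `path_len = real_path_len;`, so a failed tsrm_realpath() leaves `path` NULL with length 0 for any later use in this function. Return from the function (or skip the user-config lookup) as soon as `real_path` is NULL instead of carrying a zero length forward. The two `fprintf(stderr, "MZ1 ...")` lines are diagnostic tracing and should not be part of a committed fix.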
========================================================
And here is the resultant error_log info from Apache:
----------------------
[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.3, path is redirect:/per_site_html_root/mzoellerapache/euf/application/gonow/widgets/standard/navigation/NavigationTab2/logic.js/gonow/widgets/standard/navigation/NavigationTab2/
[Wed Apr 28 14:13:29 2010] [error] [client 192.168.6.63] MZ1 2.4, real_path is (MZ nil)
--------------

The process would fail on the call to strlen(real_path), as real_path was a NULL pointer. This might also be classified as Junk In, Junk Out, as we were passing a messed up path due to the Apache rewrite rule.

It looks like this error was introduced by pajoye with Revision 282336 : https://cvs.php.net/viewvc/php/php-src/branches/PHP_5_3/sapi/cgi/cgi_main.c?r1=282335&r2=282336&




 [2010-04-29 01:52 UTC] johannes@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2010-04-30 09:45 UTC] pajoye@php.net
While php should not crash it seems to be a bug in mod_fcgid (or whatever you use with php's cgi with apache). The path actually comes from the document root server environment variable, which must be a valid path.

However I will add the sanity check and simply bail out of this function when realpath fails.
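The bail-out pattern described in the comment above, as an added example that is not part of the bug report or of PHP's source: POSIX `realpath()` stands in for `tsrm_realpath()`, `resolve_dir` is a hypothetical helper, and the sample paths are constructed (the first is a shortened form of the rewritten path in the log).

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath(path, NULL) */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: resolve a directory before it is used as a lookup key.
 * Returns 0 and fills out/out_len on success, -1 with errno set on failure. */
static int resolve_dir(const char *path, char *out, size_t out_size, size_t *out_len)
{
    char *real = NULL;
    const char *src = path;

    if (path == NULL || out == NULL || out_len == NULL) {
        errno = EINVAL;
        return -1;
    }
    if (path[0] != '/') {
        /* Relative input: canonicalise it. realpath() returns NULL when any
         * component does not exist, as with the "redirect:/..." string. */
        real = realpath(path, NULL);
        if (real == NULL)
            return -1;              /* bail out: never strlen(NULL) */
        src = real;
    }
    size_t len = strlen(src);
    if (len >= out_size) {          /* refuse to truncate a path */
        free(real);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, src, len + 1);
    *out_len = len;
    free(real);                     /* free(NULL) is a no-op */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "redirect:/no/such/dir/logic.js/", ".", "/srv/www" };
    char buf[4096];
    size_t n;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = resolve_dir(samples[i], buf, sizeof buf, &n);
        printf("%-34s -> %s\n", samples[i], rc == 0 ? buf : strerror(errno));
    }
    return 0;
}
```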
 [2010-04-30 10:15 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=298794
Log: - Fix #51688, ini per dir crashes when invalid document root  are given
 [2010-04-30 10:15 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2010-04-30 10:15 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-04-30 10:20 UTC] tony2001@php.net
Automatic comment from SVN on behalf of tony2001
Revision: http://svn.php.net/viewvc/?view=revision&revision=298795
Log: merge the fix for #51688
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC