Bug #51688 php_cgi_ini_activate_user_config() crashes when given apache-rewritten URL
Submitted: 2010-04-28 23:33 UTC
Modified: 2010-04-30 10:15 UTC
From: marcusmarch at gmail dot com
Assigned: pajoye
Status: Closed
Package: Reproducible crash
PHP Version: 5.3.2
OS: Linux
Private report: No
CVE-ID:
 [2010-04-28 23:33 UTC] marcusmarch at gmail dot com
Using php-5.3.2 as a cgi executable with Apache on Linux (though this bug looks to exist in the trunk branch as well).

We have an apache RewriteRule that turned the URL requested into another location (that unfortunately does not exist on the file system).

Here is a source change I made to find the error:
Index: sapi/cgi/cgi_main.c                                                      
diff -p -u -r1.5 cgi_main.c
--- sapi/cgi/cgi_main.c 16 Apr 2010 19:15:31 -0000  1.5
+++ sapi/cgi/cgi_main.c 28 Apr 2010 20:12:25 -0000
@@ -750,8 +750,10 @@ static void php_cgi_ini_activate_user_co

        if (!IS_ABSOLUTE_PATH(path, path_len)) {
+            fprintf(stderr, "MZ1 2.3, path is %s\n", path);
            real_path = tsrm_realpath(path, NULL TSRMLS_CC);
-           real_path_len = strlen(real_path);
+            fprintf(stderr, "MZ1 2.4, real_path is %s\n", real_path ? real_path : "(MZ nil)");
+           real_path_len = real_path ? strlen(real_path) : 0;
            path = real_path;
            path_len = real_path_len;
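Review bot: guarding strlen() is not enough here, because the unchanged lines "path = real_path;" and "path_len = real_path_len;" still run when tsrm_realpath() returns NULL, leaving path as a NULL pointer with length 0 for whatever code follows this block. Return from the function as soon as real_path is NULL rather than continuing with an empty path. The two fprintf(stderr, "MZ1 ...") lines are debugging aids that copy a request-derived path into the server error log and should be dropped before this is applied.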
And here is the resultant error_log info from Apache:
[Wed Apr 28 14:13:29 2010] [error] [client] MZ1 2.3, path is redirect:/per_site_html_root/mzoellerapache/euf/application/gonow/widgets/standard/navigation/NavigationTab2/logic.js/gonow/widgets/standard/navigation/NavigationTab2/
[Wed Apr 28 14:13:29 2010] [error] [client] MZ1 2.4, real_path is (MZ nil)

The process would fail on the call to strlen(real_path), as real_path was a NULL pointer. This might also be classified as Junk In, Junk Out, as we were passing a messed up path due to the Apache rewrite rule.

It looks like this error was introduced by pajoye with Revision 282336 :


 [2010-04-29 01:52 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2010-04-30 09:45 UTC]
While php should not crash it seems to be a bug in mod_fcgid (or whatever you use with php's cgi with apache). The path actually comes from the document root server environment variable, which must be a valid path.

However I will add the sanity check and simply bail out of this function when realpath fails.
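
The bail-out described in the comment above, as an added example (this is not the PHP source and not the committed fix). It assumes a hypothetical helper resolve_ini_dir() and uses POSIX realpath() as a stand-in for tsrm_realpath(); an unresolvable path yields a failure status instead of reaching strlen().

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() under strict -std modes */
#endif
#include <limits.h>
#include <stdlib.h>
#include <string.h>

enum resolve_status { RESOLVE_OK = 0, RESOLVE_FAILED = -1 };

/* Hypothetical helper (not PHP source): turn `path` into an absolute
 * directory path in `out`. POSIX realpath() stands in for tsrm_realpath().
 * On RESOLVE_FAILED the caller skips per-directory ini loading. */
static enum resolve_status resolve_ini_dir(const char *path, char *out,
                                           size_t out_size, size_t *out_len)
{
    char resolved[PATH_MAX];
    size_t len;

    if (path == NULL || out == NULL || out_len == NULL || out_size == 0)
        return RESOLVE_FAILED;

    if (path[0] != '/') {
        /* realpath() returns NULL for a path that does not exist, e.g. a
         * rewritten "redirect:/..." string; check before any strlen(). */
        if (realpath(path, resolved) == NULL)
            return RESOLVE_FAILED;
        path = resolved;
    }

    len = strlen(path);
    if (len >= out_size)          /* never truncate silently */
        return RESOLVE_FAILED;
    memcpy(out, path, len + 1);
    *out_len = len;
    return RESOLVE_OK;
}
```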
 [2010-04-30 10:15 UTC]
Automatic comment from SVN on behalf of pajoye
Log: - Fix #51688, ini per dir crashes when invalid document root  are given
 [2010-04-30 10:15 UTC]
-Status: Assigned +Status: Closed
 [2010-04-30 10:15 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2010-04-30 10:20 UTC]
Automatic comment from SVN on behalf of tony2001
Log: merge the fix for #51688