php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #52293 $_SERVER['PATH_INFO'] doesn't accept single quote in filename
Submitted: 2010-07-08 20:41 UTC Modified: 2010-07-20 20:19 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: brouard at ined dot fr Assigned:
Status: Not a bug Package: PHP options/info functions
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brouard at ined dot fr
New email:
PHP Version: OS:

 

 [2010-07-08 20:41 UTC] brouard at ined dot fr 
Description:
------------
 $_SERVER['PATH_INFO'] doesn't return single quote in filename.
Although single quote in filenames were used frequently in French while using mediawiki server. But in recent versions of mediawiki (svn) we can upload images or pdf files having quotes in their name, like "Rapport d'activité.pdf" but we can't retrieve any more because the $_SERVER['PATH_INFO'] is returning a question mark instead of a quote "/6/6e/Rapport_d?activité.pdf". It has been working for years and now it says "Access denied, you must log in".

It doesn't affect all wiki servers but only servers where access to files is granted via the img_auth.php (which means that only logged users can access to uploaded images).

The orginal code of img_auth.php was:
  $path = $_SERVER['PATH_INFO'];
  $filename = realpath( $wgUploadDirectory . $_SERVER['PATH_INFO'] );
  wfDebugLog( 'img_auth', "\$path is {$path}" );

and the log output contains a question mark instead of the quote.

I decided to patch by replacing the question mark with a single quote:
 
 $path = preg_replace('/\?/','\'', $_SERVER['PATH_INFO']);

and it works but it is not very clean.

What is wrong with having single quote in the PATH_INFO as long as filenames can have single quote?

Many thanks for any information.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-07-11 01:10 UTC] jinmoku at hotmail dot com 
use utf8_(de|en)code, it's the browser and/or the server who's write this
 [2010-07-16 07:18 UTC] aharvey@php.net
-Status: Open +Status: Bogus
 [2010-07-16 07:18 UTC] aharvey@php.net 
PHP gets the value of PATH_INFO from the Web server, so it's much more
likely to be a problem there.
 [2010-07-20 20:19 UTC] brouard at ined dot fr 
testi.cgi
Many thanks for your answer. In fact I tested an URL adding "that's it"
in the pathinfo using a perl standard cgi and a php script on the same
server. The perl script output the single quote but the php script
changed it to a question mark:

testi.cgi:
#!/usr/bin/perl
print "Content-type: text/html\n\n";

print "<p>PATH_INFO=".$ENV{"PATH_INFO"}."</p>\n";


URL http://myweb/cgi-bin/testi.cgi/that's it
outputs:
  PATH_INFO = /that's it
which is correct.

PHP phpinfoi.php script:
<?php
echo "PATH_INFO=".$SERVER['PATH_INFO']."<p/>\n";

URL: http://myweb/w/phpinfoi.php/that's it
 outputs
PATH_INFO=/that?s it

which is wrong.

I suspect a defect in the apache php module. And you?
 [2011-02-18 20:36 UTC] vadim at rkmail dot ru 
this is a suhosin feature, disable it

; When set to On the dangerous characters <>"'` are replaced with ? in
; the server variables PHP_SELF, PATH_TRANSLATED and PATH_INFO. This will
; protect against some XSS vulnerabilities.
suhosin.server.strip = 0
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 21:01:29 2024 UTC