Bug #60659 FPM does not clear auth_user on request accept
Submitted: 2012-01-04 20:14 UTC Modified: 2012-01-04 21:19 UTC
From: bonbons at linux-vserver dot org Assigned: fat
Status: Closed Package: FPM related
PHP Version: 5.3.8 OS: Linux
Private report: No CVE-ID:
 [2012-01-04 20:14 UTC] bonbons at linux-vserver dot org
Description:
------------
Multiple requests hitting the same FPM worker process will get logged (by php-fpm) with the last authenticated user seen instead of empty when there is no authenticated user for the current request.

Attached patch clears auth_user field (and also clears query_string), those two being the only char arrays not seeing initialization in fpm_request_accepting().

Test script:
---------------
# configure php-fpm to use only one worker and log access
restart php-fpm
curl -u user $php_fpm_page_via_nginx
curl $php_fpm_page_via_nginx
curl $php_fpm_page_via_nginx
# All logged access lines will show remote user to be "user"


Patches

php-fpm-clear-auth_user-on-accept.patch (last revision 2012-01-04 20:22 UTC by bonbons at linux-vserver dot org)
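
The stale-field behaviour described in the report, as an added C model (not FPM's source and not the attached patch). `struct slot`, `accept_before`, `accept_after`, `read_request` and `stale_user_count` are hypothetical names, and the model assumes optional fields are written only when the request carries them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-worker status slot, reused for every request the worker serves. */
struct slot {
    char request_uri[128];
    char query_string[128];
    char auth_user[32];
};

/* Before the fix: auth_user and query_string are not reset on accept. */
static void accept_before(struct slot *s) {
    s->request_uri[0] = '\0';
}

/* After the fix: every per-request char array is cleared on accept. */
static void accept_after(struct slot *s) {
    s->request_uri[0] = '\0';
    s->query_string[0] = '\0';
    s->auth_user[0] = '\0';
}

/* Fill the slot from a request; optional fields are written only when present (assumption). */
static void read_request(struct slot *s, const char *uri, const char *query, const char *user) {
    snprintf(s->request_uri, sizeof s->request_uri, "%s", uri);
    if (query) snprintf(s->query_string, sizeof s->query_string, "%s", query);
    if (user)  snprintf(s->auth_user, sizeof s->auth_user, "%s", user);
}

/* Replay the report's three requests on one worker and return how many
   anonymous requests end up logged with a non-empty remote user. */
static int stale_user_count(void (*accept_fn)(struct slot *)) {
    struct slot s;
    memset(&s, 0, sizeof s);
    const char *users[] = { "user", NULL, NULL };   /* constructed sample input */
    int stale = 0;
    for (int i = 0; i < 3; i++) {
        accept_fn(&s);
        read_request(&s, "/index.php", NULL, users[i]);
        printf("%s \"GET %s\"\n", s.auth_user[0] ? s.auth_user : "-", s.request_uri);
        if (!users[i] && s.auth_user[0]) stale++;
    }
    return stale;
}

int main(void) {
    printf("before: %d stale\n", stale_user_count(accept_before));
    printf("after:  %d stale\n", stale_user_count(accept_after));
    return 0;
}
```

An access log that attributes anonymous requests to the last authenticated user misleads anyone reconstructing activity from it, so the check to carry over is that every per-request field in a reused slot is reset at accept time.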

History

 [2012-01-04 21:17 UTC] fat@php.net
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=321770
Log: - Fixed bug #60659 (FPM does not clear auth_user on request accept)
 [2012-01-04 21:19 UTC] fat@php.net
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=321771
Log: - Fixed credits for bug #60659
 [2012-01-04 21:19 UTC] fat@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: fat
 [2012-01-04 21:19 UTC] fat@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Thank you very much for this fix.
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0a67d26633c73471b506d2642d4b19baa9b53c8a
Log: - Fixed bug #60659 (FPM does not clear auth_user on request accept)
 [2012-07-24 23:37 UTC] rasmus@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0a67d26633c73471b506d2642d4b19baa9b53c8a
Log: - Fixed bug #60659 (FPM does not clear auth_user on request accept)
 [2013-11-17 09:34 UTC] laruence@php.net
Automatic comment on behalf of fat
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0a67d26633c73471b506d2642d4b19baa9b53c8a
Log: - Fixed bug #60659 (FPM does not clear auth_user on request accept)
 
Last updated: Wed Apr 16 16:02:23 2014 UTC