Bug #60677 CGI doesn't properly validate shebang line contains #!
Submitted: 2012-01-07 02:39 UTC Modified: 2015-04-13 13:31 UTC
Votes:3
Avg. Score:3.7 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: pasamio at gmail dot com Assigned:
Status: Verified Package: CGI/CLI related
PHP Version: PHP 5.6.7 OS: N/A
Private report: No CVE-ID: None

 [2012-01-07 02:39 UTC] pasamio at gmail dot com
Description:
------------
When running in CGI, PHP attempts to look for a shebang. However there is a bug 
where if the first character of the first line is a hash character/pound 
character (#), PHP doesn't validate that the next character is an exclamation 
mark and thus a properly formed shebang line (e.g. #!). Instead PHP just skips 
the entire line ignoring any PHP code that might be on that line.

The code in question from a quick examination appears to be here in trunk:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?revision=321634&view=markup

On lines 2361, 2379 and 2396.

And on the PHP 5.4 branch:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/sapi/cgi/cgi_main.c?revision=321634&view=markup

On lines 2362, 2380 and 2397.

This has been replicated on PHP 5.3.3 and PHP 5.3.5 as well as being in current 
trunk.

Test script:
---------------
#<?php echo "Hello World\n"; ?>
Second line.

Expected result:
----------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

#Hello World
Second line.

Actual result:
--------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

Second line.

 [2012-01-07 02:43 UTC] pasamio at gmail dot com
This appears to have been introduced with this change:

http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?r1=288080&r2=288081&
 [2012-01-07 05:20 UTC] dtajchreber@php.net
-Status: Open +Status: Bogus
 [2012-01-07 05:20 UTC] dtajchreber@php.net
Lines that begin with a hash tag can also be comments... 

# This is a comment... <?php echo 'None of this will appear!' ?>

http://us.php.net/manual/en/language.basic-syntax.comments.php
 [2012-01-07 05:37 UTC] dtajchreber@php.net
-Status: Bogus +Status: Verified
 [2012-01-07 05:37 UTC] dtajchreber@php.net
I completely misunderstood what you were saying... forgive me. :) Taking a second 
look, you're right... the logic only checks the first character when 
cgi.check_shebang_line = 1.
 [2012-01-07 06:47 UTC] pasamio at gmail dot com
The Apache 2 Handler appears to work properly though I can't find the code.

Additionally the PHP CLI handles this correctly:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cli/php_cli.c?revision=321634&view=markup

Line 633 with:
if (c == '#' && (c = fgetc(file_handle->handle.fp)) == '!') {

And a later rewind. Should be sufficient for some of the CGI stuff but not all 
three of the instances in question.
 [2015-04-13 13:31 UTC] cmb@php.net
-PHP Version: trunk-SVN-2012-01-07 (SVN) +PHP Version: PHP 5.6.7
 [2015-04-13 13:31 UTC] cmb@php.net
The SVN related links are outdated. The relevant code is now:
<https://github.com/php/php-src/blob/PHP-5.6.7/sapi/cgi/cgi_main.c#L2388-L2461>
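Added example (not php-src code, and not part of the original report): a stand-alone C sketch of the behaviour discussed in this thread, comparing a first-character-only check with the two-character "#!" test quoted from php_cli.c above. The helper names, the use of tmpfile() and the sample interpreter path in the test inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The test script from the report (constructed here as a C string). */
static const char REPORT_SCRIPT[] =
    "#<?php echo \"Hello World\\n\"; ?>\nSecond line.\n";

/* Hypothetical helper: consume the rest of the current line. */
static void skip_line(FILE *fp) {
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n') { /* discard */ }
}

/* Behaviour described in the report: any leading '#' drops the line. */
static long skip_lenient(FILE *fp) {
    int c = fgetc(fp);
    if (c == '#') skip_line(fp);
    else rewind(fp);
    return ftell(fp);
}

/* Strict check: drop the line only when it starts with "#!";
 * otherwise rewind so the first line is still parsed. */
static long skip_strict(FILE *fp) {
    int c = fgetc(fp);
    if (c == '#' && (c = fgetc(fp)) == '!') skip_line(fp);
    else rewind(fp);
    return ftell(fp);
}

/* Offset at which parsing of `src` would start under `skip`. */
static long start_offset(const char *src, long (*skip)(FILE *)) {
    FILE *fp = tmpfile();
    long off;
    if (!fp) return -1;
    fputs(src, fp);
    rewind(fp);
    off = skip(fp);
    fclose(fp);
    return off;
}

int main(void) {
    printf("lenient starts at %ld, strict starts at %ld\n",
           start_offset(REPORT_SCRIPT, skip_lenient),
           start_offset(REPORT_SCRIPT, skip_strict));
    return 0;
}
```

With the lenient check the PHP block on the first line is never reached, which matches the "Actual result" in the report; the strict check starts at offset 0 and leaves the line for the parser.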
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Sep 23 02:01:25 2018 UTC