|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60677 CGI doesn't properly validate shebang line contains #!
Submitted: 2012-01-07 02:39 UTC Modified: 2019-07-15 14:31 UTC
Avg. Score:3.7 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: pasamio at gmail dot com Assigned: nikic (profile)
Status: Closed Package: CGI/CLI related
PHP Version: PHP 5.6.7 OS: N/A
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: pasamio at gmail dot com
New email:
PHP Version: OS:


 [2012-01-07 02:39 UTC] pasamio at gmail dot com
When running in CGI, PHP attempts to look for a shebang. However there is a bug 
where if the first character of the first line is a hash character/pound 
character (#), PHP doesn't validate that the next character is an exclamation 
mark and thus a properly formed shebang line (e.g. #!). Instead PHP just skips 
the entire line ignoring any PHP code that might be on that line.

The code in question from a quick examination appears to be here in trunk:

On lines 2361, 2379 and 2396.

And on the PHP 5.4 branch:

On lines 2362, 2380 and 2397.

This has been replicated on PHP 5.3.3 and PHP 5.3.5 as well as being in current 

Test script:
#<?php echo "Hello World\n"; ?>
Second line.

Expected result:
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

#Hello World
Second line.

Actual result:
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html

Second line.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-07 02:43 UTC] pasamio at gmail dot com
This appears to have been introduced with this change:
 [2012-01-07 05:20 UTC]
-Status: Open +Status: Bogus
 [2012-01-07 05:20 UTC]
Lines that begin with a hash tag can also be comments... 

# This is a comment... <?php echo 'None of this will appear!' ?>
 [2012-01-07 05:37 UTC]
-Status: Bogus +Status: Verified
 [2012-01-07 05:37 UTC]
I completely misunderstood what you were saying... forgive me. :) Taking a second 
look, you're right... the logic only checks the first character when 
cgi.check_shebang_line = 1.
 [2012-01-07 06:47 UTC] pasamio at gmail dot com
The Apache 2 Handler appears to work properly though I can't find the code.

Additionally the PHP CLI handles this correctly:

Line 633 with:
if (c == '#' && (c = fgetc(file_handle->handle.fp)) == '!') {

And a later rewind. Should be sufficient for some of the CGI stuff but not all 
three of the instances in question.
 [2015-04-13 13:31 UTC]
-PHP Version: trunk-SVN-2012-01-07 (SVN) +PHP Version: PHP 5.6.7
 [2015-04-13 13:31 UTC]
The SVN related links are outdated. The relevant code is now:
 [2019-07-15 14:31 UTC]
-Status: Verified +Status: Closed -Assigned To: +Assigned To: nikic
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jun 14 00:01:33 2024 UTC