Bug #60928 php crash after http post without content type header set
Submitted: 2012-01-29 22:31 UTC
Modified: 2012-03-10 14:04 UTC
From: bardobakker at gmail dot com
Assigned:
Status: Not a bug
Package: Apache2 related
PHP Version: 5.3.9
OS: Linux
Private report: No
CVE-ID: None
 [2012-01-29 22:31 UTC] bardobakker at gmail dot com
Description:
------------
I wrote some software which posts a binary (image) to our server.
phplib crashes at the end of a http post without the content type header set.




Version apache:
[root@www ~]# /usr/sbin/httpd -V
Server version: Apache/2.2.3
Server built:   Oct 20 2011 17:00:12
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

On kill/error/fault I found in error_log:

Sat Jan 28 12:56:09 2012] [notice] child pid 17077 exit signal Segmentation fault (11), possible coredump in /tmp

So made a coredump: gdb: bt all:
[sorry, no debug mode, it's a commercial server, can't recompile etc]

Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fe25c5696c0 in zend_hash_num_elements () from /etc/httpd/modules/libphp5.so
(gdb) bt full
#0  0x00007fe25c5696c0 in zend_hash_num_elements () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#1  0x00007fe25c519606 in php_register_variable_ex () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#2  0x00007fe25c432625 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#3  0x00007fe25c51a0e9 in php_std_post_handler () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#4  0x00007fe25c513dd3 in sapi_handle_post () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#5  0x00007fe25c519d2b in php_default_treat_data () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#6  0x00007fe257248134 in mbstr_treat_data () from /usr/lib64/php/modules/mbstring.so
No symbol table info available.
#7  0x00007fe25c51a2a1 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#8  0x00007fe25c50ab65 in php_request_startup () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#9  0x00007fe25c5e66d8 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#10 0x00007fe268e89aca in ap_run_handler ()
No symbol table info available.
#11 0x00007fe268e8cf58 in ap_invoke_handler ()
No symbol table info available.
#12 0x00007fe268e97a18 in ap_process_request ()
No symbol table info available.
#13 0x00007fe268e94c50 in ?? ()
No symbol table info available.
#14 0x00007fe268e90d52 in ap_run_process_connection ()
No symbol table info available.
#15 0x00007fe268e9be49 in ?? ()
No symbol table info available.
#16 0x00007fe268e9c0da in ?? ()
No symbol table info available.
#17 0x00007fe268e9c190 in ?? ()
No symbol table info available.
#18 0x00007fe268e9ce7b in ap_mpm_run ()
No symbol table info available.
#19 0x00007fe268e76e48 in main ()
No symbol table info available.

Test script:
---------------
Qt source for posting binary without content type set:

QString filename = QFileDialog::getOpenFileName(this);

QFile* f = new QFile(filename);
f->open(QFile::ReadOnly);

QNetworkAccessManager* manager = new QNetworkAccessManager(this);

QNetworkRequest req(QUrl("http://www.server.com/post.php"));

// uncomment line below for bypassing error
// req.setHeader(QNetworkRequest::ContentTypeHeader,"image/jpeg");

QNetworkReply* rep = manager->post(req,f);
f->setParent(rep);


 [2012-01-29 23:48 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-29 23:48 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2012-01-30 06:46 UTC] bardobakker at gmail dot com
I already posted the C++ code (Qt) I use to do the post without content type header. I do not know a second way to do a similar post.
One can use an empty PHP file to post to, even then it will crash:

<?php
?>

But the lines I use to read the raw post data:

<?php
//load raw post
$data = file_get_contents("php://input");
//(current dir is writable) 
$handle = fopen("./file.jpg", "w");
fwrite($handle, $data);
fclose($handle);
?>
 [2012-01-30 06:46 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-30 08:31 UTC] pajoye@php.net
That's what I mean by "reproduce script", what crashes is not the client (your Qt
app) but the server side (php), so we need a reproduce script to know how it
crashes :)
 [2012-01-30 12:46 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-30 12:46 UTC] pajoye@php.net
hi

Could you post a link to the file you use to upload please? We cannot reproduce
this problem.
 [2012-01-30 20:04 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-30 20:04 UTC] bardobakker at gmail dot com
1 - Forgot to mention, I need to post a big file. For example an image larger than 5MB. If I post for example a small xml file everything works fine.

2 - I tried to reproduce with the following php script, but everything seems to work here; strange. Maybe the feature is in Qt, which I can rule out since everything used to work, and after upgrade to php 5.3.9 the behaviour started.

<?php
// Get contents of a file into a string
$filename = "./image.jpg";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);

// Make post request params
$params = array('http' => array(
	'method' => 'POST',
	'content' => $contents // file contents read above (was the undefined $data)
));

// Create a streams context
$ctx = stream_context_create($params);

// Do post
$url = "http://www.server.com/post.php";
$fp = @fopen($url, 'rb', false, $ctx);
if(!$fp) echo "Problem with $url, $php_errormsg";

// Read response
$response = @stream_get_contents($fp);
if($response === false) echo "Problem reading data from $url, $php_errormsg";

// Echo response
echo $response;
?>
 [2012-01-31 06:36 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-31 06:36 UTC] pajoye@php.net
Can you post a link to the data you use to upload?

Please try to do a tcpdump as well on the client side to see what you send 
actually and post a link to the dump here as well.

We still cannot reproduce it, even with large data.
 [2012-01-31 21:04 UTC] bardobakker at gmail dot com
Hi,

First of all, a surprising header in tcp dump (for me), I thought content type was not set, but:

POST /tup/up.php HTTP/1.1
Content-Length: 1038349
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: nl-NL,en,*
User-Agent: Mozilla/5.0
Host: www.mymoza.com
Content-Type: application/x-www-form-urlencoded

URL of tcpdump (libpcap format): http://www.mymoza.com/tup/tcpdump.data
URL of test image: http://www.mymoza.com/tup/image.jpg

With the following headers set no seg. fault will occur:

POST /tup/up.php HTTP/1.1
Content-Type: image/jpeg
Content-Length: 1038349
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: nl-NL,en,*
User-Agent: Mozilla/5.0
Host: www.mymoza.com
 [2012-01-31 21:04 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
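
The two captures above differ only in the declared Content-Type: the same JPEG body is sent once as application/x-www-form-urlencoded and once as image/jpeg. The following is an added example, not code from this report or from PHP, of a check that could sit in front of the server or run over a capture to flag a body that does not match its declared type; the function names and the short JPEG-like body are constructed for illustration.

```python
import re

# Bytes a conforming application/x-www-form-urlencoded body may contain:
# unreserved characters, '+', '&', '=', and %HH escapes.
FORM_BODY = re.compile(rb"\A(?:[A-Za-z0-9*\-._~+&=]|%[0-9A-Fa-f]{2})*\Z")

# A few magic numbers, used only to name what the body most likely is.
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF8": "image/gif"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_request(raw: bytes):
    """Return a list of findings; an empty list means headers and body agree."""
    _, headers, body = parse_request(raw)
    findings = []
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    length = headers.get("content-length")
    if length is not None and length.isdigit() and int(length) != len(body):
        findings.append(f"content-length {length} != body length {len(body)}")
    if not declared and body:
        findings.append("body present but no content-type declared")
    if declared == "application/x-www-form-urlencoded" and not FORM_BODY.match(body):
        sniffed = next((t for m, t in MAGIC.items() if body.startswith(m)),
                       "binary data")
        findings.append(f"declared form-urlencoded but body looks like {sniffed}")
    return findings


def build(content_type, body: bytes) -> bytes:
    """Constructed sample request reusing the path and host from the capture."""
    hdrs = [b"POST /tup/up.php HTTP/1.1", b"Host: www.mymoza.com",
            b"Content-Length: " + str(len(body)).encode()]
    if content_type:
        hdrs.append(b"Content-Type: " + content_type.encode())
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + body


# Constructed body: JPEG magic and JFIF marker plus filler, not a real image.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256))
```

Calling check_request(build("application/x-www-form-urlencoded", JPEG_STUB)) reports the mismatch, while the same body declared as image/jpeg yields no findings.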
 [2012-01-31 21:54 UTC] cataphract@php.net
I can't reproduce the error. Could you try disabling mbstring? And if, after 
disabling mbstring, there's no segfault, please tell us your configuration for 
mbstring.* ini options (those active for the script that receives the POST 
request).
 [2012-01-31 21:54 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2012-01-31 22:31 UTC] bardobakker at gmail dot com
php.ini has the default mbstring options = everything commented out
mbstring.ini has only the line:

extension=mbstring.so

In a local .htaccess file I added:

php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0

which doesn't change anything in the output of phpinfo()

How would you disable mbstring?
Can it have something to do with mime type stuff or so?

Output phpinfo: http://www.mymoza.com/tup/info.php
 [2012-01-31 22:31 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-02-02 08:46 UTC] cataphract@php.net
You can disable mbstring by commenting out the "extension=mbstring.so" line from the configuration file and restarting Apache (and then confirm "mbstring" doesn't show up in phpinfo()).
 [2012-02-02 08:47 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2012-02-03 16:57 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-02-03 16:57 UTC] bardobakker at gmail dot com
Hi again,
Sorry for late reply...
So, I disabled mbstring as you asked, and no seg. fault now!
Where is this leading to? Should I switch it back on? What is it doing?
Thanks
 [2012-02-03 17:06 UTC] bardobakker at gmail dot com
I've installed plesk on my server. Last night it automatically updated php from 5.3.9 to 5.3.10.
Now I can't even reproduce the bug!
I can't downgrade, since plesk gets deinstalled in the first place during the downgrade.
Let's close it and not waste our time?
 [2012-03-10 14:04 UTC] cataphract@php.net
-Status: Open +Status: Not a bug
 [2012-03-10 14:04 UTC] cataphract@php.net
I'm closing this as it's apparently not a problem in the latest version. If the problem resurfaces, please report it again.
 [2012-06-07 18:24 UTC] rolando dot umana at gmail dot com
Hi! I'm getting a similar error (seg fault).
What is the purpose of disabling mbstring? In my case, I can't disable it because
my entire application depends on it.

What is mbstring causing to produce this issue?

Thanks!
 