Bug #60928 php crash after http post without content type header set
Submitted: 2012-01-29 22:31 UTC Modified: 2012-03-10 14:04 UTC
From: bardobakker at gmail dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5.3.9 OS: Linux
Private report: No CVE-ID: None
 [2012-01-29 22:31 UTC] bardobakker at gmail dot com
Description:
------------
I wrote some software which posts a binary (image) to our server.
phplib crashes at the end of an HTTP POST without the content type header set.




Version apache:
[root@www ~]# /usr/sbin/httpd -V
Server version: Apache/2.2.3
Server built:   Oct 20 2011 17:00:12
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

On kill/error/fault I found in error_log:

Sat Jan 28 12:56:09 2012] [notice] child pid 17077 exit signal Segmentation fault (11), possible coredump in /tmp

So made a coredump: gdb: bt all:
[sorry, no debug mode, it's a commercial server, can't recompile etc]

Core was generated by `/usr/sbin/httpd -k start'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007fe25c5696c0 in zend_hash_num_elements () from /etc/httpd/modules/libphp5.so
(gdb) bt full
#0  0x00007fe25c5696c0 in zend_hash_num_elements () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#1  0x00007fe25c519606 in php_register_variable_ex () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#2  0x00007fe25c432625 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#3  0x00007fe25c51a0e9 in php_std_post_handler () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#4  0x00007fe25c513dd3 in sapi_handle_post () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#5  0x00007fe25c519d2b in php_default_treat_data () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#6  0x00007fe257248134 in mbstr_treat_data () from /usr/lib64/php/modules/mbstring.so
No symbol table info available.
#7  0x00007fe25c51a2a1 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#8  0x00007fe25c50ab65 in php_request_startup () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#9  0x00007fe25c5e66d8 in ?? () from /etc/httpd/modules/libphp5.so
No symbol table info available.
#10 0x00007fe268e89aca in ap_run_handler ()
No symbol table info available.
#11 0x00007fe268e8cf58 in ap_invoke_handler ()
No symbol table info available.
#12 0x00007fe268e97a18 in ap_process_request ()
No symbol table info available.
#13 0x00007fe268e94c50 in ?? ()
No symbol table info available.
#14 0x00007fe268e90d52 in ap_run_process_connection ()
No symbol table info available.
#15 0x00007fe268e9be49 in ?? ()
No symbol table info available.
#16 0x00007fe268e9c0da in ?? ()
No symbol table info available.
#17 0x00007fe268e9c190 in ?? ()
No symbol table info available.
#18 0x00007fe268e9ce7b in ap_mpm_run ()
No symbol table info available.
#19 0x00007fe268e76e48 in main ()
No symbol table info available.

Test script:
---------------
Qt source for posting binary without content type set:

QString filename = QFileDialog::getOpenFileName(this);

QFile* f = new QFile(filename);
f->open(QFile::ReadOnly);

QNetworkAccessManager* manager = new QNetworkAccessManager(this);

QNetworkRequest req(QUrl("http://www.server.com/post.php"));

// uncomment line below for bypassing error
// req.setHeader(QNetworkRequest::ContentTypeHeader,"image/jpeg");

QNetworkReply* rep = manager->post(req,f);
f->setParent(rep);


 [2012-01-29 23:48 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-29 23:48 UTC] pajoye@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2012-01-30 06:46 UTC] bardobakker at gmail dot com
I already posted the C++ code (Qt) I use to do the post without content type header. I do not know a second way to do a similar post.
One can use an empty PHP file to post to, even then it will crash:

<?php
?>

But the lines I use to read the raw post data:

<?php
//load raw post
$data = file_get_contents("php://input");
//(current dir is writable) 
$handle = fopen("./file.jpg", "w");
fwrite($handle, $data);
fclose($handle);
?>
 [2012-01-30 06:46 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-30 08:31 UTC] pajoye@php.net
That's what I mean by "reproduce script", what crashes is not the client (your Qt 
app) but the server side (php), so we need a reproduce script to know how it 
crashes :)
 [2012-01-30 12:46 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-30 12:46 UTC] pajoye@php.net
hi

Could you post a link to the file you use to upload please? We cannot reproduce 
this problem.
 [2012-01-30 20:04 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-30 20:04 UTC] bardobakker at gmail dot com
1 - Forgot to mention, I need to post a big file. For example an image larger than 5MB. If I post for example a small xml file everything works fine.

2 - I tried to reproduce with the following php script, but everything seems to work here; strange. Maybe the feature is in Qt, which I can rule out since everything used to work, and after upgrade to php 5.3.9 the behaviour started.

<?php
// Get contents of a file into a string
$filename = "./image.jpg";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);

// Make post request params
$params = array('http' => array(
	'method' => 'POST',
	'content' => $contents
));

// Create a streams context
$ctx = stream_context_create($params);

// Do post
$url = "http://www.server.com/post.php";
$fp = @fopen($url, 'rb', false, $ctx);
if(!$fp) echo "Problem with $url, $php_errormsg";

// Read response
$response = @stream_get_contents($fp);
if($response === false) echo "Problem reading data from $url, $php_errormsg";

// Echo response
echo $response;
?>
 [2012-01-31 06:36 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2012-01-31 06:36 UTC] pajoye@php.net
Can you post a link to the data you use to upload?

Please try to do a tcpdump as well on the client side to see what you send 
actually and post a link to the dump here as well.

We still cannot reproduce it, even with large data.
 [2012-01-31 21:04 UTC] bardobakker at gmail dot com
Hi,

First of all, a surprising header in tcp dump (for me), I thought content type was not set, but:

POST /tup/up.php HTTP/1.1
Content-Length: 1038349
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: nl-NL,en,*
User-Agent: Mozilla/5.0
Host: www.mymoza.com
Content-Type: application/x-www-form-urlencoded

URL of tcpdump (libpcap format): http://www.mymoza.com/tup/tcpdump.data
URL of test image: http://www.mymoza.com/tup/image.jpg

With the following headers set no seg. fault will occur:

POST /tup/up.php HTTP/1.1
Content-Type: image/jpeg
Content-Length: 1038349
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: nl-NL,en,*
User-Agent: Mozilla/5.0
Host: www.mymoza.com
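
The two header sets above differ only in how the JPEG body is labelled; `application/x-www-form-urlencoded` is the type PHP hands to its form-data POST handler (`php_std_post_handler` in the backtrace). An added example, not part of the original report, that flags such requests in a reassembled capture; the function names and the sample requests are constructed for illustration:

```python
FORM_TYPE = "application/x-www-form-urlencoded"
# Bytes that can legitimately appear in a urlencoded body.
FORM_SAFE = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~*&=+%"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body


def classify_post(raw: bytes, sample: int = 4096) -> str:
    """Return 'ok', 'missing-content-type' or 'binary-as-form' for one request."""
    method, headers, body = parse_request(raw)
    if method != "POST" or not body:
        return "ok"
    ctype = headers.get("content-type")
    if ctype is None:
        return "missing-content-type"
    media_type = ctype.split(";", 1)[0].strip().lower()
    # A form-encoded label on a body with bytes outside the urlencoded
    # alphabet means the server will run its form parser over binary data.
    if media_type == FORM_TYPE and any(b not in FORM_SAFE for b in body[:sample]):
        return "binary-as-form"
    return "ok"


def build(headers, body: bytes) -> bytes:
    """Assemble a constructed sample request (not data from the capture)."""
    head = "POST /tup/up.php HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("ascii") + b"\r\n" + body


JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # constructed JPEG header bytes
AS_FORM = build([("Content-Type", FORM_TYPE)], JPEG_PREFIX)
AS_JPEG = build([("Content-Type", "image/jpeg")], JPEG_PREFIX)
UNTYPED = build([("Host", "www.example.test")], JPEG_PREFIX)
REAL_FORM = build([("Content-Type", FORM_TYPE + "; charset=UTF-8")], b"a=1&b=x%20y")
```
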
 [2012-01-31 21:04 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-01-31 21:54 UTC] cataphract@php.net
I can't reproduce the error. Could you try disabling mbstring? And if, after 
disabling mbstring, there's no segfault, please tell us your configuration for 
mbstring.* ini options (those active for the script that receives the POST 
request).
 [2012-01-31 21:54 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2012-01-31 22:31 UTC] bardobakker at gmail dot com
php.ini has the default mbstring options = everything commented out
mbstring.ini has only the line:

extension=mbstring.so

In a local .htaccess file I added:

php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_value mbstring.encoding_translation 0

which doesn't change anything in the output of phpinfo()

How would you disable mbstring?
Can it have something to do with mime type stuff or so?

Output phpinfo: http://www.mymoza.com/tup/info.php
 [2012-01-31 22:31 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-02-02 08:46 UTC] cataphract@php.net
You can disable mbstring by commenting out the "extension=mbstring.so" line from the configuration file and restarting Apache (and then confirm "mbstring" doesn't show up in phpinfo()).
 [2012-02-02 08:47 UTC] cataphract@php.net
-Status: Open +Status: Feedback
 [2012-02-03 16:57 UTC] bardobakker at gmail dot com
-Status: Feedback +Status: Open
 [2012-02-03 16:57 UTC] bardobakker at gmail dot com
Hi again,
Sorry for the late reply...
So, I disabled mbstring as you asked, and no seg. fault now!
Where is this leading to? Should I switch it back on? What is it doing?
Thanks
 [2012-02-03 17:06 UTC] bardobakker at gmail dot com
I've installed Plesk on my server. Last night it automatically updated PHP from 5.3.9 to 5.3.10.
Now I can't even reproduce the bug!
I can't downgrade, since Plesk gets uninstalled in the first place during the downgrade.
Let's close it and not waste our time?
 [2012-03-10 14:04 UTC] cataphract@php.net
-Status: Open +Status: Not a bug
 [2012-03-10 14:04 UTC] cataphract@php.net
I'm closing this as it's apparently not a problem in the latest version. If the problem resurfaces, please report it again.
 [2012-06-07 18:24 UTC] rolando dot umana at gmail dot com
Hi! I'm getting a similar error (seg fault).
What is the purpose of disabling mbstring? In my case, I can't disable it because 
my entire application depends on it. 

What is mbstring doing to produce this issue?

Thanks!