|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62606 PHP as fastCgi traverses directory up to the root / permission issues
Submitted: 2012-07-19 06:07 UTC Modified: -
Avg. Score:3.5 ± 0.5
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: thomas dot hoffmann at speed4trade dot com Assigned:
Status: Open Package: Performance problem
PHP Version: 5.3.14 OS: Win2008 R2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: thomas dot hoffmann at speed4trade dot com
New email:
PHP Version: OS:


 [2012-07-19 06:07 UTC] thomas dot hoffmann at speed4trade dot com
I use PHP via FastCGI on Win2008R2 IIS 7.5
Via "Process Monitor" I can see that the first time I access a php page, the
PHP-CGI.exe opens the php-file and then walks up the directory tree up to the
It traverses/opens all directories till it reaches the Root-Folder (e.g. d:\)
This causes a huge performance impact when the PHP process doesnt have
permissions to travers the root-folder (or a folder outside the webroot).

Starting a webpage with redaxo e.g. lasts about 50 seconds instead of 1 or 2 seconds as many file includes/(accesses take place.

user_ini.filename is disabled (but PHP should anyway stop at the webroot).
safe_mode and open_basedir are off / not used

Test script:
- Create test.php with just one echo line
- Use PHP-CGI.exe via FastCGI on Windows 2008R2
- Open "Process monitor" and apply filter for php-cgi.exe
- Open test.php via browser
- See in process monitor how the process accesses not only test.php
  but also walks up the directory tree and traverses all parent folders
  till it reaches the root
- To test the performance impact you can delete the folder permission
  on the parent folders of the webroot and open the page several times
  (e.g. via curl and a loop)

Expected result:
PHP-cgi.exe should not travers folders outside the webroot.

Actual result:
PHP-cgi.exe opens/traverses all parent folders of the webroot up to the root.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 16 03:01:27 2024 UTC