PHP :: Bug #62606 :: PHP as fastCgi traverses directory up to the root / permission issues

Bug #62606

PHP as fastCgi traverses directory up to the root / permission issues

Submitted:

2012-07-19 06:07 UTC

Modified:

Votes:	2
Avg. Score:	3.5 ± 0.5
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

thomas dot hoffmann at speed4trade dot com

Assigned:

Status:

Open

Package:

Performance problem

PHP Version:

5.3.14

OS:

Win2008 R2

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	thomas dot hoffmann at speed4trade dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-07-19 06:07 UTC] thomas dot hoffmann at speed4trade dot com

Description:
------------
I use PHP via FastCGI on Win2008R2 IIS 7.5
Via "Process Monitor" I can see that the first time I access a php page, the
PHP-CGI.exe opens the php-file and then walks up the directory tree up to the
root.
It traverses/opens all directories till it reaches the Root-Folder (e.g. d:\)
This causes a huge performance impact when the PHP process doesnt have
permissions to travers the root-folder (or a folder outside the webroot).

Starting a webpage with redaxo e.g. lasts about 50 seconds instead of 1 or 2 seconds as many file includes/(accesses take place.

user_ini.filename is disabled (but PHP should anyway stop at the webroot).
safe_mode and open_basedir are off / not used

Test script:
---------------
- Create test.php with just one echo line
- Use PHP-CGI.exe via FastCGI on Windows 2008R2
- Open "Process monitor" and apply filter for php-cgi.exe
- Open test.php via browser
- See in process monitor how the process accesses not only test.php
  but also walks up the directory tree and traverses all parent folders
  till it reaches the root
- To test the performance impact you can delete the folder permission
  on the parent folders of the webroot and open the page several times
  (e.g. via curl and a loop)

Expected result:
----------------
PHP-cgi.exe should not travers folders outside the webroot.

Actual result:
--------------
PHP-cgi.exe opens/traverses all parent folders of the webroot up to the root.

Patches

Pull Requests

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Feb 12 17:01:29 2025 UTC