php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62606 PHP as fastCgi traverses directory up to the root / permission issues
Submitted: 2012-07-19 06:07 UTC Modified: -
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: thomas dot hoffmann at speed4trade dot com Assigned:
Status: Open Package: Performance problem
PHP Version: 5.3.14 OS: Win2008 R2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
34 + 31 = ?
Subscribe to this entry?

 
 [2012-07-19 06:07 UTC] thomas dot hoffmann at speed4trade dot com
Description:
------------
I use PHP via FastCGI on Win2008R2 IIS 7.5
Via "Process Monitor" I can see that the first time I access a php page, the
PHP-CGI.exe opens the php-file and then walks up the directory tree up to the
root.
It traverses/opens all directories till it reaches the Root-Folder (e.g. d:\)
This causes a huge performance impact when the PHP process doesnt have
permissions to travers the root-folder (or a folder outside the webroot).

Starting a webpage with redaxo e.g. lasts about 50 seconds instead of 1 or 2 seconds as many file includes/(accesses take place.

user_ini.filename is disabled (but PHP should anyway stop at the webroot).
safe_mode and open_basedir are off / not used

Test script:
---------------
- Create test.php with just one echo line
- Use PHP-CGI.exe via FastCGI on Windows 2008R2
- Open "Process monitor" and apply filter for php-cgi.exe
- Open test.php via browser
- See in process monitor how the process accesses not only test.php
  but also walks up the directory tree and traverses all parent folders
  till it reaches the root
- To test the performance impact you can delete the folder permission
  on the parent folders of the webroot and open the page several times
  (e.g. via curl and a loop)

Expected result:
----------------
PHP-cgi.exe should not travers folders outside the webroot.

Actual result:
--------------
PHP-cgi.exe opens/traverses all parent folders of the webroot up to the root.

Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 16:01:23 2019 UTC