Bug #63231 force-cgi-redirect does not works under FastCGI
Submitted: 2012-10-07 00:14 UTC Modified: 2012-10-08 08:45 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: phodur at zoznam dot sk Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 5.3.17 OS: FreeBSD (all UNIX like OS)
Private report: No CVE-ID: None

 [2012-10-07 00:14 UTC] phodur at zoznam dot sk
This is the same as #37157, but maybe I will describe the problem better, because Dmitry closed #37157 as NOT A BUG.

Ok, test environment is Apache 2.2.X with PHP 5.3.X. Base Apache config is:

--- CUT ---

Alias /php-bin/                        /www/php-bin/php5

<Directory /www/php-bin/>
   Options ExecCGI
   SetHandler fastcgi-script
</Directory>

AddHandler                              php5-script     .php
Action                                  php5-script     /php-bin/php5

--- CUT ---

FastCGI (mod_fastcgi) related config is (this is not important for reproducing this bug, it is provided only FYI):

--- CUT ---

FastCgiIpcDir                           /var/run/apache22/fastcgi/
FastCgiWrapper                          On
FastCgiConfig                           -idle-timeout 30 -killInterval 300 -maxClassProcesses 1 -maxProcesses 100 -minProcesses 0 -pass-header HTTP_AUTHORIZATION -restart-delay 2 -singleThreshold 100

--- CUT ---

PHP was compiled only with CGI SAPI support and is run with the following wrapper (it's the /www/php-bin/php5 file mentioned earlier):

--- CUT ---




exec $PHP_CGI

--- CUT ---

Ok, last but not least the PHP's FastCGI config:

--- CUT ---

cgi.force_redirect = 1
cgi.fix_pathinfo = 0

--- CUT ---

Ok, so when you hit:


it works, the Apache translates this request according to Action directive to


and you will see the results.

When you hit http://[domain]/php-bin/php5/index.php directly, it will also work (the FastCGI PHP SAPI incorrectly does not check the REDIRECT_STATUS environment variable for the value 200).

When you change PHP cgi.fix_pathinfo to 1 (so the environment variables conform to the FastCGI/CGI specs), the last request incorrectly determines /www/php-bin/php5 to be the PHP script and executes it. This is because one of the main jobs of the FastCGI/CGI SAPI is to determine WHAT to execute. When fix_pathinfo is set to 1, it also uses the REDIRECT_URL env variable, which is not set when you access the interpreter directly with the script passed as PATH_INFO (http://[domain]/php-bin/php5/index.php).

The only workaround at this time is to use mod_rewrite and disable access to the interpreter:

RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} !200
RewriteRule ^/php-bin/php5 - [F]

In conclusion, this is NOT actually a mod_fastcgi and/or configuration issue; this is really a bug in the FastCGI/CGI SAPI of PHP (the opposite of what Dmitry says in #37157).

Test script:
See above

Expected result:
See above

Actual result:
See above
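
An added example, not part of the original report and not PHP or Apache code: a Python audit of Apache access-log lines that checks whether the mod_rewrite workaround above is actually refusing direct requests to the interpreter URL. The `/php-bin/php5` prefix comes from the report's config; the function names, the sample log lines and the use of the common/combined log format are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: interpreter URL prefix taken from the Alias/Action lines in the report.
INTERPRETER_PREFIX = "/php-bin/php5"

# Apache common/combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

# Constructed sample input (not taken from the bug report).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2012:00:20:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [07/Oct/2012:00:20:05 +0000] "GET /php-bin/php5/index.php HTTP/1.1" 200 512',
    '192.0.2.12 - - [07/Oct/2012:00:21:09 +0000] "GET /php-bin/%70hp5/index.php?x=1 HTTP/1.1" 200 512',
    '192.0.2.13 - - [08/Oct/2012:09:00:00 +0000] "GET /php-bin/php5/index.php HTTP/1.1" 403 210',
    '192.0.2.14 - - [08/Oct/2012:09:00:03 +0000] "GET /php-bin/php5-docs.html HTTP/1.1" 404 210',
]

def normalize_path(target):
    """Decode and canonicalize the logged request target (the log holds the raw form)."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def is_direct_interpreter_hit(path):
    """True when the client asked for the interpreter URL itself, with or without PATH_INFO."""
    return path == INTERPRETER_PREFIX or path.startswith(INTERPRETER_PREFIX + "/")

def audit(lines):
    """Split direct interpreter requests into (blocked, served) by response status."""
    blocked, served = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        if not is_direct_interpreter_hit(normalize_path(m["target"])):
            continue  # ordinary request: the log shows the client's URL, not the Action target
        entry = (m["host"], m["target"], int(m["status"]))
        # Anything other than 403 means the rewrite rule did not refuse the request.
        (blocked if entry[2] == 403 else served).append(entry)
    return blocked, served

if __name__ == "__main__":
    blocked, served = audit(SAMPLE_LOG)
    for host, target, status in served:
        print(f"SERVED  {status} {host} {target}")
    print(f"{len(blocked)} direct request(s) refused with 403")
```

Any entry in `served` dated after the rewrite rule was deployed means the rule is not active in the virtual host that handled the request.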


 [2012-10-08 08:45 UTC] phodur at zoznam dot sk
Just a quick followup to the original post.

I have discovered that the force cgi redirect mechanism does not work because of another bug in mod_fastcgi.

Mod_fastcgi by default does not pass any env variables from the PHP process when executing PHP (not only PHP). It clears ENV similarly to the suexec wrapper. There is a flag you can pass to the FastCGIConfig directive, but it does not work as expected. By inspecting the source of mod_fastcgi, I can state that when you pass ENV to the FastCGI process using this directive, mod_fastcgi uses its value as it is at the stage the Apache process was started (not when the request is actually executed).

Last updated: Mon Jul 15 06:01:29 2024 UTC