Bug #69250 PHP FPM status report produces invalid JSON and XML
Submitted: 2015-03-17 19:27 UTC
Modified: 2023-06-16 17:50 UTC
From: s dot greiner at cadenas dot de
Assigned: bukka
Status: Closed
Package: FPM related
PHP Version: 5.5.22
OS: any
Private report: No
CVE-ID: None
 [2015-03-17 19:27 UTC] s dot greiner at cadenas dot de
Description:
------------
Open the Status Page of FPM, for example:
http://my.server.ip/status-php-fpm?json&full&testparam=\a\b\c

Take the "json" output of it and validate it -> it will fail because any backslash is not escaped in the "request uri" property.

According to http://json.org/string.gif every Unicode character is allowed in a string except " or \ or a control character. They have to be escaped.
The same problem may occur with the "script" property.

Regarding XML output: the text nodes of <request-uri> and <script> should be wrapped in CDATA sections.

This erroneous behavior applies to every request, not only the ones to the status page; for example, a request to http://my.server.ip/mywebsite/something?path=foo\bar will make the status page produce invalid output.

Expected result:
----------------
"processes":[
{
  "pid":2432,
  "state":"Idle",
  "start time":1425579888,
  "start since":1039595,
  "requests":1523,
  "request duration":614,
  "request method":"GET",
  "request uri":"/php-status?json&full&testparam=\\a\\b\\c",
  "content length":0,
  "user":"-",
  "script":"-",
  "last request cpu":0.00,
  "last request memory":262144
},
...

Actual result:
--------------
"processes":[
{
  "pid":2432,
  "state":"Idle",
  "start time":1425579888,
  "start since":1039595,
  "requests":1523,
  "request duration":614,
  "request method":"GET",
  "request uri":"/php-status?json&full&testparam=\a\b\c",
  "content length":0,
  "user":"-",
  "script":"-",
  "last request cpu":0.00,
  "last request memory":262144
},
...
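
The escaping rule cited in the report (quote, backslash and control characters must be escaped inside a JSON string), as an added C example that is not part of the original report and is not the php-src fix. `json_escape` is a hypothetical helper name, and the sample URI is the one from the report.

```c
#include <stdio.h>
#include <string.h>

/* Escape src as the body of a JSON string (RFC 8259): '"' and '\' get a
 * backslash, control characters below 0x20 become a short form or \u00XX.
 * Bytes >= 0x20 are copied unchanged (UTF-8 validity is not checked here).
 * Returns the number of bytes written (excluding NUL), or -1 if dst is too
 * small, so a caller never emits a truncated, half-escaped value. */
static int json_escape(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[7];                      /* longest case: "\u001f" + NUL */
        size_t n;
        switch (*p) {
        case '"':  strcpy(buf, "\\\""); break;
        case '\\': strcpy(buf, "\\\\"); break;
        case '\n': strcpy(buf, "\\n");  break;
        case '\r': strcpy(buf, "\\r");  break;
        case '\t': strcpy(buf, "\\t");  break;
        default:
            if (*p < 0x20) {
                snprintf(buf, sizeof buf, "\\u%04x", (unsigned)*p);
            } else {
                buf[0] = (char)*p; buf[1] = '\0';
            }
        }
        n = strlen(buf);
        if (o + n + 1 > dst_len) return -1;   /* refuse to truncate */
        memcpy(dst + o, buf, n);
        o += n;
    }
    if (dst_len == 0) return -1;
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Sample input: the request URI from the report (\a\b\c as raw bytes). */
    const char *uri = "/php-status?json&full&testparam=\\a\\b\\c";
    char out[128];
    if (json_escape(uri, out, sizeof out) < 0) return 1;
    printf("\"request uri\":\"%s\"\n", out);
    return 0;
}
```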

 [2023-06-16 17:50 UTC] bukka@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: bukka
 [2023-06-16 17:50 UTC] bukka@php.net
So the JSON request uri escaping was implemented in https://github.com/php/php-src/commit/5e64ead64ab5eaba5d62847483c847c1836171d7 and it is part of the just-released PHP 8.1.20.

I left this open before to also check the XML part, which I just did. This is already escaped for request-uri in the same way as the HTML format. Using CDATA is not necessary here and cannot be considered a bug, and the escaping result is the same for the parsers.

The only part that is actually worth looking into more is the mentioned script. This applies to JSON as well, and I have just created a ticket specifically for that: https://github.com/php/php-src/issues/11464. It will be looked at later as it is not really a major issue.
 