Bug #70757 $_SERVER["PHP_SELF"] is malformed with PHP-FPM and Apache 2.4.17
Submitted: 2015-10-21 10:17 UTC Modified: -
Votes:6
Avg. Score:4.3 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:2 (40.0%)
From: admin at franceserv dot fr Assigned:
Status: Open Package: *Directory/Filesystem functions
PHP Version: Irrelevant OS: Linux Debian
Private report: No CVE-ID: None

 [2015-10-21 10:17 UTC] admin at franceserv dot fr
Description:
------------
With a simple : <?php phpinfo(); ?>

If we look at the variable $_SERVER["PHP_SELF"], when the website is running with :

Apache 2.4.16 + suPHP : OK
Apache 2.4.16 + PHP-FPM : OK
Apache 2.4.17 + suPHP : OK
Apache 2.4.17 + PHP-FPM : WRONG

To obtain the error and check with my webserver in Apache 2.4.17, you need to change your hosts file in this way : 195.154.164.142 www.franceserv.fr

And when you go to http://www.franceserv.fr/data/phpinfo/, if the System name is "web2", you will see this : $_SERVER["PHP_SELF"] = http://www.franceserv.fr/data/phpinfo/ and it's WRONG, because there is no domain name or protocol in a PHP_SELF variable.

If you take off the line from your hosts file, go to the same address and refresh the page (check your cache, you need to be on System name web1 or web3, not web2), you will see that : $_SERVER["PHP_SELF"] = /data/phpinfo/index.php which is correct.

The problem exists only with Apache 2.4.17 + PHP-FPM. When I test with 2.4.16 + PHP-FPM all is GOOD.

The php.ini files are the same between PHP 5.4.16 and 5.4.17, and the httpd.conf files are the same between Apache 2.4.16 and 2.4.17.


 [2015-10-22 15:33 UTC] fullermd+php at over-yonder dot net
This is presumably a result of the REDIRECT_URL change in 2.4.17.

http://article.gmane.org/gmane.comp.apache.user/108460
 [2015-10-22 16:13 UTC] fullermd+php at over-yonder dot net
Note that it also includes the query string (if any), as well as the scheme/host.
 [2015-10-22 16:30 UTC] admin at franceserv dot fr
The problem is that a website could use this variable and not work anymore after a simple update between 2 tiny sub-versions of Apache.

And a bigger problem with this change is : several websites were broken because the URL rewrite wasn't working correctly.

At the moment, it's not possible for me to update Apache because of this problem, unless I find a way with PHP-FPM to solve the problem.

I would like to know if I'm alone with this bug with Apache 2.4.17 and PHP-FPM :) And most important, how to solve the problem. I don't know if the solution needs to come from the Apache or PHP side.

By the way, thank you a lot for your hints.
 [2015-10-22 17:25 UTC] fullermd+php at over-yonder dot net
Well, no, you're not the only one; I see it too, or I wouldn't be here   :)

I would presume it probably needs a PHP fix to follow the Apache change.  I've hacked around it in the places it's bitten me with parse_url:

-$self = $_SERVER['PHP_SELF'];
+$self = parse_url($_SERVER['PHP_SELF'], PHP_URL_PATH);
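
Review bot: on the `+` line the result of parse_url() is assigned to $self unchecked. parse_url() returns false for a seriously malformed URL and null when the requested component is absent, so $self can stop being a string and any later string use of it changes behaviour silently. Suggest an explicit fallback, for example `$self = parse_url($_SERVER['PHP_SELF'], PHP_URL_PATH) ?: '/';`, and doing it in one shared helper rather than at each use of PHP_SELF.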

AFAICT from the docs, it Should(tm) work with the bare path as well as a fuller URL, and testing shows it currently does, so that D'sTRT for either behavior.  

That's enough to get me through the night at least, though if you're directly ref'ing PHP_SELF through the code rather than having a single choke point (or possibly using some other _SERVER var that's affected by the change), you'll have a harder time...
 [2015-11-04 19:16 UTC] alec at alec dot pl
Looks like $_SERVER['SCRIPT_NAME'] is wrong too. http://trac.roundcube.net/ticket/1490582
 [2015-11-05 09:41 UTC] fullermd+php at over-yonder dot net
It seems that Apache is going to revert that change for 2.4.18.  x-ref

https://bz.apache.org/bugzilla/show_bug.cgi?id=57785

http://svn.apache.org/viewvc?view=revision&revision=1712268

Or rather, not quite revert it, but make it configurable, with the default off.  Applying the patch from SVN on top of 2.4.17 (doesn't apply cleanly to CHANGES and manual, but the code does fine) puts things back to normal.

Doesn't really help until the .18 release, of course.  And since it's configurable, PHP probably still needs to handle it for cases where it's turned on.
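
A single choke point of the kind the comments above describe, as an added example that is not code from this report or from PHP itself: the hypothetical helper request_path() accepts either form of PHP_SELF or SCRIPT_NAME and returns only the path. The sample values are constructed from the two forms quoted in the report, and PHP 7 or later is assumed.

```php
<?php
// Added example (assumes PHP 7+). request_path() is a hypothetical helper,
// not part of PHP or of any project mentioned in this report.

/**
 * Return only the path of a $_SERVER entry that may hold either a bare
 * path or a full URL with scheme, host and query string.
 */
function request_path(array $server, string $key = 'PHP_SELF'): string
{
    $raw = $server[$key] ?? '';
    if (!is_string($raw) || $raw === '') {
        return '/';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $raw)) {
        // Absolute URL: parse_url() gives false for a malformed URL and
        // null when there is no path component; both are handled below.
        $path = parse_url($raw, PHP_URL_PATH);
    } else {
        // Bare path: drop anything from the first "?" onward.
        $path = explode('?', $raw, 2)[0];
    }
    if (!is_string($path) || $path === '') {
        return '/';
    }
    // Always hand back a path that starts with a slash.
    return $path[0] === '/' ? $path : '/' . $path;
}

// Constructed sample values, modelled on the two forms quoted in the report.
$samples = [
    'http://www.franceserv.fr/data/phpinfo/',
    'http://www.franceserv.fr/data/phpinfo/index.php?x=1',
    '/data/phpinfo/index.php',
    'http://',
];
foreach ($samples as $value) {
    foreach (['PHP_SELF', 'SCRIPT_NAME'] as $key) {
        printf("%-12s %-52s => %s\n", $key, $value, request_path([$key => $value], $key));
    }
}
```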
 
Last updated: Wed Aug 21 13:01:35 2019 UTC