Bug #73099 if php.ini is incorrect, php-fpm starts with default values
Submitted: 2016-09-16 10:58 UTC Modified: 2016-09-16 13:20 UTC
Votes:5
Avg. Score:4.0 ± 1.1
Reproduced:4 of 4 (100.0%)
Same Version:3 (75.0%)
Same OS:3 (75.0%)
From: selivan5 at yandex dot ru
Assigned:
Status: Open
Package: *Configuration Issues
PHP Version: 7.0.11
OS: Ubuntu 14.04 trusty
Private report: No
CVE-ID: None
 [2016-09-16 10:58 UTC] selivan5 at yandex dot ru
Description:
------------
If php.ini syntax is incorrect and it cannot be loaded, php-fpm starts with default values.

This can lead to functional and security problems. For example, "post_max_size" becomes 8m, breaking uploading of large files. "disable_functions", used to restrict potentially dangerous functions, becomes empty. "display_errors" is 1 and visitors will see a full stacktrace on error pages.

Test script:
---------------
php-fpm.conf:

[global]
pid = /run/php/php7.0-fpm.pid
error_log = /var/log/php7.0-fpm.log
include=/etc/php/7.0/fpm/pool.d/*.conf

pool.d/www.conf:

[www]
php_admin_value[error_reporting] = E_ALL & ~E_NOTICE
user = www-data
group = www-data
listen = /run/php/php7.0-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

php.ini:

# This comment breaks ini file (it starts with hash and parenthsis are used)
expose_php = Off


Now start it:

root@xenial:~# /usr/sbin/php-fpm7.0 --fpm-config  /etc/php/7.0/fpm/php-fpm.conf --php-ini /etc/php/7.0/fpm/php.ini
PHP:  syntax error, unexpected '(' in /etc/php/7.0/fpm/php.ini on line 6
[14-Sep-2016 14:24:46] NOTICE: configuration file /etc/php/7.0/fpm/php-fpm.conf test is successful

It noticed an error, but started anyway. Run phpinfo() and you will see that expose_php is "ON".

Expected result:
----------------
If php.ini is incorrect, php-fpm should fail with an error.

Actual result:
--------------
If php.ini is incorrect, php-fpm starts using default values.

 [2016-09-16 11:01 UTC] selivan5 at yandex dot ru
Also I reported this bug in Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php7.0/+bug/1623540
Ubuntu guys confirmed it (status: Triaged).
 [2016-09-16 13:20 UTC] selivan5 at yandex dot ru
Forgot to copy one line in php.ini:

[PHP]
# This comment breaks ini file (it starts with hash and parenthsis are used)
expose_php = Off
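
A pre-flight guard for the behaviour reported above, as an added example that is not part of the original report or of PHP itself: it fails when captured php-fpm output contains the parse-error line quoted in the report, and when effective settings differ from the values php.ini was meant to set. The function names are hypothetical, the sample data is constructed, and the `directive => local => master` layout of `php -i` text output is an assumption.

```shell
# Added example, not from the bug report; function names are hypothetical.

# Print "file:line" for the first php.ini parse error found in captured
# php-fpm output ($1); print nothing when there is none.
ini_parse_error_location() {
    printf '%s\n' "$1" |
        sed -nE 's/^PHP: +syntax error.* in (.+) on line ([0-9]+)$/\1:\2/p' |
        head -n 1
}

# settings_drift EXPECTED INFO
# EXPECTED: lines of "directive=value" that php.ini is meant to enforce.
# INFO: "directive => local => master" lines (assumed php -i text layout).
# Prints one line per directive whose effective value differs or is missing.
settings_drift() {
    printf '%s\n' "$1" | while IFS='=' read -r name want; do
        [ -n "$name" ] || continue
        got=$(printf '%s\n' "$2" |
            awk -F' => ' -v n="$name" '$1 == n { print $2; exit }')
        [ "$got" = "$want" ] ||
            printf '%s: want=%s got=%s\n' "$name" "$want" "${got:-<missing>}"
    done
}

# preflight OUTPUT EXPECTED INFO
# Returns 0 only when no parse error was logged and no setting drifted.
preflight() {
    loc=$(ini_parse_error_location "$1")
    if [ -n "$loc" ]; then
        echo "php.ini parse error at $loc" >&2
        return 1
    fi
    drift=$(settings_drift "$2" "$3")
    if [ -n "$drift" ]; then
        echo "effective settings differ from baseline: $drift" >&2
        return 2
    fi
    return 0
}

# Constructed sample data; SAMPLE_OUTPUT mirrors the lines quoted in the report.
SAMPLE_OUTPUT="PHP:  syntax error, unexpected '(' in /etc/php/7.0/fpm/php.ini on line 6
[14-Sep-2016 14:24:46] NOTICE: configuration file /etc/php/7.0/fpm/php-fpm.conf test is successful"
SAMPLE_EXPECTED="expose_php=Off
display_errors=Off"
SAMPLE_INFO="display_errors => Off => Off
expose_php => On => On"
```

Run `preflight` from the service's start wrapper or a deployment check and treat any non-zero status as a reason not to put the pool into service.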
 
Last updated: Tue Oct 15 17:01:28 2024 UTC