Bug #73313 over fpm does not respect in .user.ini engine off directive
Submitted: 2016-10-13 12:00 UTC Modified: 2022-01-02 04:22 UTC
Votes:6
Avg. Score:4.7 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: vladimir at helesic dot cz Assigned: bukka (profile)
Status: No Feedback Package: FPM related
PHP Version: Irrelevant OS: all
Private report: No CVE-ID: None

 [2016-10-13 12:00 UTC] vladimir at helesic dot cz
Description:
------------
Over FPM there isn't a way to disable PHP via engine Off as there is over mod_php (php_flag engine Off in .htaccess). When you put engine=Off in .user.ini it's silently ignored.
I think that's a mistake. There is no way to effectively enable / disable the PHP engine per directory as there is when you use mod_php over Apache.
It will be useful for all people.



Test script:
---------------
Put the line engine=Off in .user.ini


Expected result:
----------------
When the engine is set to Off in the user ini file (per dir), it should not interpret PHP code.


History

 [2021-12-02 22:54 UTC] bukka@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: bukka
 [2021-12-02 22:54 UTC] bukka@php.net
This is only Apache configuration - see https://www.php.net/manual/en/apache.configuration.php#ini.engine

It doesn't really make any sense for FPM because it doesn't have any use without engine...
 [2021-12-19 00:06 UTC] pb at webjoker dot net
"It doesn't really make any sense for FPM because it doesn't have any use without engine..."

Hm, interesting.

I want to create a little WordPress plugin that generates .user.ini files with memory_limit and I want to use it to add engine = Off to upload directories (e.g. contact form uploads). It is a shame that this does not (always) work, and when using nginx there is no way to do it unless I have access to the nginx configuration (not always the case).
 [2021-12-19 00:11 UTC] pb at webjoker dot net
Sorry for rambling, just saying that engine = Off seems like a neat security feature and it sucks that it does not work everywhere.

OTOH, it will be bad when people assume that it works everywhere and rely on it exclusively, because even if I convinced you to add it, at least in old versions it would not work.
 [2021-12-19 14:04 UTC] bukka@php.net
But what should happen if there's 'engine=off'? Please note that FPM handles only FastCGI requests and it doesn't serve files. For each request it uses the engine and that's the only thing that it can do, with some exceptions like status and ping. Basically it's not a web server. That's why 'engine=off' makes sense only in the Apache context, which can actually do other things like serving files directly to the user. It seems to me that you really need access to nginx to be able to do what you want, unless I'm misunderstanding it..?
 [2021-12-19 14:09 UTC] bukka@php.net
-Status: Wont fix +Status: Feedback
 [2022-01-02 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2022-07-30 13:11 UTC] wbe7djjw at anonaddy dot me
I'm also trying to use this, simply as a defense-in-depth measure. I have a static directory that contains user uploads, and I would like to turn off PHP parsing within - in case a user manages to sneak a .php file in there.

Of course, the proper way to do this would be to edit the server configuration, but:

a) I have no access to this, as I'm on a shared hosting setup that is graciously provided to me.

b) Even if I did, I would still like the additional insurance, in case the server configuration gets messed up somehow.



What actually happens with engine=Off is immaterial I think, at least for this use case. I don't really want anything *to* happen, I just want PHP to *not* happen.

I'm currently using a hack workaround where I use .user.ini to set auto_prepend_file to a script containing only '<?php exit;', but I tried engine=Off at first and was surprised when it did not work.
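
An added example, not part of the bug thread or of PHP itself: a Python audit that flags upload directories whose .user.ini relies on engine=Off (reported above as silently ignored under FPM) and checks that the auto_prepend_file guard described in the last comment is actually in place. The helper names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

GUARD_RE = re.compile(r"^<\?php\s+exit\s*(\(\s*\))?\s*;")  # the '<?php exit;' form from the thread

def parse_user_ini(path):
    """Parse a sectionless .user.ini into {lowercased key: value}."""
    settings = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if line and line[0] not in ";#[" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit_upload_dir(directory):
    """Return a list of findings for one upload directory (hypothetical helper)."""
    findings = []
    ini = Path(directory) / ".user.ini"
    settings = parse_user_ini(ini) if ini.is_file() else {}
    if settings.get("engine", "").lower() in ("off", "0", "false", "no"):
        findings.append("engine=Off set: reported as silently ignored under FPM")
    guard = settings.get("auto_prepend_file", "")
    if not guard:
        findings.append("no auto_prepend_file guard")
    elif not os.path.isabs(guard):
        findings.append("guard path is relative: PHP resolves it via include_path")
    elif not os.path.isfile(guard):
        findings.append("guard file missing")
    elif not GUARD_RE.match(Path(guard).read_text().lstrip()):
        findings.append("guard does not start with '<?php exit;'")
    return findings

def demo():
    """Constructed sample tree: one directory per configuration."""
    root = Path(tempfile.mkdtemp())
    guard = root / "deny.php"
    guard.write_text("<?php exit;")
    results = {}
    for name, ini in (("weak", "engine = Off\n"),
                      ("guarded", f'auto_prepend_file = "{guard}"\n')):
        (root / name).mkdir()
        (root / name / ".user.ini").write_text(ini)
        results[name] = audit_upload_dir(root / name)
    return results

if __name__ == "__main__":
    print(demo())
```
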
 
Last updated: Wed Nov 30 19:03:45 2022 UTC