Bug #74689 .user.ini still effective even outside DOCUMENT_ROOT
Submitted: 2017-06-01 21:41 UTC Modified: 2017-06-20 07:46 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: lsljohn2002 at gmail dot com Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 7.0.19 OS: alpine
Private report: No CVE-ID: None

 [2017-06-01 21:41 UTC] lsljohn2002 at gmail dot com
My server is hosting some sites and I have some site specific settings for each site, so I put a .user.ini file under each site's document root directory.

According to PHP documentation:

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']).
However, to my surprise, even if I placed the .user.ini file outside of a site's document_root, it's still working, as long as it's within the path of the script. For example, if I'm running a script https://A_DOMAIN_com/foo/bar/abc.php, and in the server its real path is /www/public_html/A_DOMAIN_com/foo/bar/abc.php, where the $_SERVER['DOCUMENT_ROOT'] has been set to /www/public_html/A_DOMAIN_com/.

Then even if I place the .user.ini file inside any directory on its path, e.g. /www/public_html/A_DOMAIN_com/, or /www/public_html/, or even /www/, the .user.ini file is still effective.

Is this a bug or expected behavior?

I'm running PHP 7.0.15, the script is triggered by php-cgi7, the OS is alpine.

I guess this bug is caused somewhere between line 851 to line 900 of cgi_main.c
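
The following audit sketch is an added example, not part of the report or of PHP's code. It lists the per-directory INI files that sit on a script's path but above DOCUMENT_ROOT, which are the files the report says still take effect. The function names are hypothetical, the sample tree is constructed to mirror the paths in the report, and the fallback for a script outside the document root (only its own directory is scanned) follows the PHP manual.

```python
import os
import tempfile

def ancestors(path):
    """Yield path and each parent directory up to the filesystem root."""
    path = os.path.realpath(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent

def documented_scan_dirs(script, docroot):
    """Directories the manual says are scanned: script dir up to DOCUMENT_ROOT."""
    docroot = os.path.realpath(docroot)
    start = os.path.dirname(os.path.realpath(script))
    dirs = []
    for d in ancestors(start):
        dirs.append(d)
        if d == docroot:
            return dirs
    return [start]  # script outside docroot: only its own directory

def stray_user_ini(script, docroot, filename=".user.ini"):
    """Per-directory INI files on the script's path but above DOCUMENT_ROOT."""
    allowed = set(documented_scan_dirs(script, docroot))
    start = os.path.dirname(os.path.realpath(script))
    return [os.path.join(d, filename) for d in ancestors(start)
            if d not in allowed and os.path.isfile(os.path.join(d, filename))]

def demo():
    """Constructed tree mirroring the report's layout, under a temp dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "www", "public_html", "A_DOMAIN_com")
    script = os.path.join(docroot, "foo", "bar", "abc.php")
    os.makedirs(os.path.dirname(script))
    open(script, "w").close()
    for d in (docroot, os.path.join(base, "www", "public_html"),
              os.path.join(base, "www")):
        with open(os.path.join(d, ".user.ini"), "w") as f:
            f.write("; constructed sample\n")
    return base, docroot, script, stray_user_ini(script, docroot)

if __name__ == "__main__":
    for path in demo()[3]:
        print("outside DOCUMENT_ROOT:", path)
```

Any file it reports should be writable only by the administrator, since on an affected setup its settings apply to every site below that directory.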


 [2017-06-20 07:46 UTC]
-Type: Security +Type: Bug
 [2017-09-13 15:11 UTC] pascal dot christen at hostpoint dot ch
We're facing the same issue starting with PHP >7 (it's working on PHP56) on FreeBSD. Do you have any solution for this?
Last updated: Sun Jul 12 23:01:26 2020 UTC