|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74689 .user.ini still effective even outside DOCUMENT_ROOT
Submitted: 2017-06-01 21:41 UTC Modified: 2020-10-04 04:22 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: lsljohn2002 at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 7.0.19 OS: alpine
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-06-01 21:41 UTC] lsljohn2002 at gmail dot com
My server is hosting some sites and I have some site specific settings for each site, so I put a .user.ini file under each site's document root directory.

According to PHP documentation:

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']).
However, to my surprise, even if I placed the .user.ini file outside of a site's document_root, it's still working, as long as it's within the path of the script. For example, if I'm running a script https://A_DOMAIN_com/foo/bar/abc.php, and in the server its real path is /www/public_html/A_DOMAIN_com/foo/bar/abc.php, where the $_SERVER['DOCUMENT_ROOT'] has been set to /www/public_html/A_DOMAIN_com/.

Then even if I place the .user.ini file inside any of its path, e.g. /www/public_html/A_DOMAIN_com/, or /www/public_html/, or even /www/, the .user.ini file is still effective.

Is this a bug or expected behaivor?

I'm running PHP 7.0.15, the script is triggered by php-cgi7, the os is alpine.

I guess this bug is caused somewhere between line 851 to line 900 of cgi_main.c


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-20 07:46 UTC]
-Type: Security +Type: Bug
 [2017-09-13 15:11 UTC] pascal dot christen at hostpoint dot ch
We're facing the same issue starting with PHP >7 (it's wokring on PHP56) on FreeBSD. Do you have any solution for this?
 [2020-09-21 17:06 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-09-21 17:06 UTC]
Could you please provide a request URI, and the respective values

 [2020-10-04 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Feb 26 20:01:28 2024 UTC