php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74689 .user.ini still effective even outside DOCUMENT_ROOT
Submitted: 2017-06-01 21:41 UTC Modified: 2020-10-04 04:22 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: lsljohn2002 at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 7.0.19 OS: alpine
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: lsljohn2002 at gmail dot com
New email:
PHP Version: OS:

 

 [2017-06-01 21:41 UTC] lsljohn2002 at gmail dot com
Description:
------------
My server is hosting some sites and I have some site specific settings for each site, so I put a .user.ini file under each site's document root directory.

According to PHP documentation:

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']).
However, to my surprise, even if I placed the .user.ini file outside of a site's document_root, it's still working, as long as it's within the path of the script. For example, if I'm running a script https://A_DOMAIN_com/foo/bar/abc.php, and in the server its real path is /www/public_html/A_DOMAIN_com/foo/bar/abc.php, where the $_SERVER['DOCUMENT_ROOT'] has been set to /www/public_html/A_DOMAIN_com/.

Then even if I place the .user.ini file inside any of its path, e.g. /www/public_html/A_DOMAIN_com/, or /www/public_html/, or even /www/, the .user.ini file is still effective.

Is this a bug or expected behaivor?

I'm running PHP 7.0.15, the script is triggered by php-cgi7, the os is alpine.

I guess this bug is caused somewhere between line 851 to line 900 of cgi_main.c




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-20 07:46 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-09-13 15:11 UTC] pascal dot christen at hostpoint dot ch
We're facing the same issue starting with PHP >7 (it's wokring on PHP56) on FreeBSD. Do you have any solution for this?
 [2020-09-21 17:06 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-09-21 17:06 UTC] cmb@php.net
Could you please provide a request URI, and the respective values
of

- $_SERVER['DOCUMENT_ROOT']
- $_SERVER['PATH_TRANSLATED']
- $_SERVER['SCRIPT_FILENAME']
 [2020-10-04 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Oct 24 17:01:24 2020 UTC