php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74689 .user.ini still effective even outside DOCUMENT_ROOT
Submitted: 2017-06-01 21:41 UTC Modified: 2017-06-20 07:46 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: lsljohn2002 at gmail dot com Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 7.0.19 OS: alpine
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: lsljohn2002 at gmail dot com
New email:
PHP Version: OS:

 

 [2017-06-01 21:41 UTC] lsljohn2002 at gmail dot com
Description:
------------
My server is hosting some sites and I have some site specific settings for each site, so I put a .user.ini file under each site's document root directory.

According to PHP documentation:

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']).
However, to my surprise, even if I placed the .user.ini file outside of a site's document_root, it's still working, as long as it's within the path of the script. For example, if I'm running a script https://A_DOMAIN_com/foo/bar/abc.php, and in the server its real path is /www/public_html/A_DOMAIN_com/foo/bar/abc.php, where the $_SERVER['DOCUMENT_ROOT'] has been set to /www/public_html/A_DOMAIN_com/.

Then even if I place the .user.ini file inside any of its path, e.g. /www/public_html/A_DOMAIN_com/, or /www/public_html/, or even /www/, the .user.ini file is still effective.

Is this a bug or expected behaivor?

I'm running PHP 7.0.15, the script is triggered by php-cgi7, the os is alpine.

I guess this bug is caused somewhere between line 851 to line 900 of cgi_main.c




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-20 07:46 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-09-13 15:11 UTC] pascal dot christen at hostpoint dot ch
We're facing the same issue starting with PHP >7 (it's wokring on PHP56) on FreeBSD. Do you have any solution for this?
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Jun 24 15:01:26 2019 UTC