|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74689 .user.ini still effective even outside DOCUMENT_ROOT
Submitted: 2017-06-01 21:41 UTC Modified: 2020-10-04 04:22 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: lsljohn2002 at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 7.0.19 OS: alpine
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
50 - 22 = ?
Subscribe to this entry?

 [2017-06-01 21:41 UTC] lsljohn2002 at gmail dot com
My server is hosting some sites and I have some site specific settings for each site, so I put a .user.ini file under each site's document root directory.

According to PHP documentation:

In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']).
However, to my surprise, even if I placed the .user.ini file outside of a site's document_root, it's still working, as long as it's within the path of the script. For example, if I'm running a script https://A_DOMAIN_com/foo/bar/abc.php, and in the server its real path is /www/public_html/A_DOMAIN_com/foo/bar/abc.php, where the $_SERVER['DOCUMENT_ROOT'] has been set to /www/public_html/A_DOMAIN_com/.

Then even if I place the .user.ini file inside any of its path, e.g. /www/public_html/A_DOMAIN_com/, or /www/public_html/, or even /www/, the .user.ini file is still effective.

Is this a bug or expected behaivor?

I'm running PHP 7.0.15, the script is triggered by php-cgi7, the os is alpine.

I guess this bug is caused somewhere between line 851 to line 900 of cgi_main.c


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-20 07:46 UTC]
-Type: Security +Type: Bug
 [2017-09-13 15:11 UTC] pascal dot christen at hostpoint dot ch
We're facing the same issue starting with PHP >7 (it's wokring on PHP56) on FreeBSD. Do you have any solution for this?
 [2020-09-21 17:06 UTC]
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-09-21 17:06 UTC]
Could you please provide a request URI, and the respective values

 [2020-10-04 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Dec 08 10:01:28 2023 UTC