Bug #75302 php file download
Submitted: 2017-10-01 16:59 UTC
Modified: 2021-07-22 07:58 UTC
Avg. Score: 2.3 ± 1.9
Reproduced: 1 of 2 (50.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: franciszek dot witt at protonmail dot com
Assigned: cmb
Status: Duplicate
Package: Built-in web server
PHP Version: 7.1.10
OS: Windows
Private report: No
CVE-ID: None
 [2017-10-01 16:59 UTC] franciszek dot witt at protonmail dot com
On some machines with a FAT file system, if you type file.PHP (PHP uppercase) instead of file.php, it will start downloading the source code. Tested on an Android PHP web server, but the developer said that it's a general PHP bug.

Part of the email which he sent to me:

Hi, yes, it is a bug of PHP itself. The reason is that in the file sapi/cli/php_cli_server.c, 'memcmp(client->request.ext, "php", 3)' is used instead of 'strncasecmp(client->request.ext, "php", 3)' (it should ignore the case of "php", but it does not as of now). This happens only if the filesystem is case insensitive (for example FAT).



 [2017-10-01 18:19 UTC] esminis at esminis dot lt
More info - this bug is in the PHP built-in server (the only possible workaround without changing the source code of PHP for now is to enable a router script).

I am the developer who helped identify this bug (contact me by email if needed).
 [2017-10-03 13:18 UTC]
-Package: *General Issues +Package: Built-in web server
 [2017-10-22 20:00 UTC]
Thanks for the report. I don't think it's a Windows bug, as 7.1 and even since 5.5 or earlier doesn't support non NTFS based Windows versions. There are still OSes supporting FSes with no case sensitivity, though. The code in the description sounds reasonable, but I've no such system at hand to test the actual behaviors. If one would provide a patch that at least doesn't breach the current functionality, it could be evaluated.

 [2017-10-24 19:32 UTC] esminis at esminis dot lt
Yeah, it is not Windows (in this specific case it is the Android app "Server for PHP" - PHP compiled for Android; btw it will happen on any system that uses a case-insensitive filesystem).

And I don't think there is any need for a patch, because it is a simple replacement of one function name in sapi/cli/php_cli_server.c:

memcmp(client->request.ext, "php", 3) should be replaced with strncasecmp(client->request.ext, "php", 3)

This should be double-checked by someone who knows the PHP source code well.
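
A simplified model of the extension check discussed in this report, added here as an example; it is not code from sapi/cli/php_cli_server.c or from any commenter. Only the two comparison calls come from the thread; the function names, the length check and the request paths are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum action { SERVE_STATIC, RUN_PHP };

/* Extension after the last '.' in the final path segment, or NULL if none. */
static const char *path_ext(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *dot = strrchr(slash ? slash : path, '.');
    return (dot && dot[1] != '\0') ? dot + 1 : NULL;
}

/* Comparison as quoted in the report: byte-exact, so only lowercase "php" matches. */
enum action dispatch_memcmp(const char *path)
{
    const char *ext = path_ext(path);
    if (ext && strlen(ext) == 3 && memcmp(ext, "php", 3) == 0)
        return RUN_PHP;
    return SERVE_STATIC;   /* file contents are sent to the client as-is */
}

/* Replacement proposed in the comments: compare ignoring ASCII case. */
enum action dispatch_strncasecmp(const char *path)
{
    const char *ext = path_ext(path);
    if (ext && strlen(ext) == 3 && strncasecmp(ext, "php", 3) == 0)
        return RUN_PHP;
    return SERVE_STATIC;
}

int main(void)
{
    /* Constructed request paths. On a case-insensitive filesystem the
       first three all resolve to the same file on disk. */
    const char *paths[] = { "/file.php", "/file.PHP", "/file.Php",
                            "/file.phps", "/dir.php/readme", "/noext" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-16s memcmp=%-6s strncasecmp=%s\n", paths[i],
               dispatch_memcmp(paths[i]) == RUN_PHP ? "run" : "static",
               dispatch_strncasecmp(paths[i]) == RUN_PHP ? "run" : "static");
    return 0;
}
```
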
 [2021-07-22 07:58 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-07-22 07:58 UTC]
Closing as duplicate of bug #77932 (which is fixed as of PHP
7.3.22 and 7.4.10, respectively).
Last updated: Tue Jun 06 00:03:36 2023 UTC