Bug #75302 php file download
Submitted: 2017-10-01 16:59 UTC Modified: 2017-10-22 20:00 UTC
Votes:3
Avg. Score:2.3 ± 1.9
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: franciszek dot witt at protonmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: 7.1.10 OS: Windows
Private report: No CVE-ID: None

 [2017-10-01 16:59 UTC] franciszek dot witt at protonmail dot com
Description:
------------
On some machines with a FAT file system, if you type file.PHP (PHP uppercase) instead of file.php, it will start downloading the source code. Tested on an Android PHP webserver, but the developer said that it's a general PHP bug.


Part of the email which he sent to me:
"
Hi, Yes, it is a bug of PHP itself. The reason is that in the file sapi/cli/php_cli_server.c, 'memcmp(client->request.ext, "php", 3)' is used instead of 'strncasecmp(client->request.ext, "php", 3)' (it should ignore the case of "php", but it does not as of now). This happens only if the filesystem is case insensitive (for example FAT).
"


History

 [2017-10-01 18:19 UTC] esminis at esminis dot lt
More info - this bug is in the PHP built-in server (the only possible workaround without changing the source code of PHP for now is to enable a router script).

I am the developer who helped identify this bug (contact by email if needed).
 [2017-10-03 13:18 UTC] cmb@php.net
-Package: *General Issues +Package: Built-in web server
 [2017-10-22 20:00 UTC] ab@php.net
Thanks for the report. I don't think it's a Windows bug, as 7.1 and even since 5.5 or earlier doesn't support non NTFS based Windows versions. There are still OSes supporting FSes with no case sensitivity, though. The code in the description sounds reasonable, but I've no such system at hand to test the actual behaviors. If one would provide a patch that at least doesn't breach the current functionality, it could be evaluated.

Thanks.
 [2017-10-24 19:32 UTC] esminis at esminis dot lt
Yea, it is not Windows (in this specific case it is the Android app "Server for PHP" - PHP compiled for Android; btw it will happen on any system that uses a case insensitive filesystem).

And I don't think there is any need for a patch because it is a simple replacement of one function name in sapi/cli/php_cli_server.c:

memcmp(client->request.ext, "php", 3) should be replaced with strncasecmp(client->request.ext, "php", 3)

This should be double checked by someone who knows the PHP source code well.
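
The effect of the comparison discussed in this thread, as an added example that is not part of the report and not PHP's own source: a simplified model of the extension check, in which the `request_ext` helper, the function names, the length check and the sample paths are assumptions. On a case-insensitive filesystem `/index.PHP` opens the same file as `/index.php`, so a `SERVE_STATIC` result for it means the script is sent back as-is instead of being executed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical model of the dispatch decision; not PHP's source. */
enum action { SERVE_STATIC = 0, RUN_AS_PHP = 1 };

/* Extension after the last '.' of the final path segment, or NULL. */
static const char *request_ext(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    const char *dot = strrchr(name, '.');
    return (dot && dot[1] != '\0') ? dot + 1 : NULL;
}

/* Case-sensitive comparison, as quoted in the report.
 * The strlen(ext) == 3 guard is an assumption of this model. */
enum action dispatch_memcmp(const char *path)
{
    const char *ext = request_ext(path);
    if (ext && strlen(ext) == 3 && memcmp(ext, "php", 3) == 0)
        return RUN_AS_PHP;
    return SERVE_STATIC;   /* file contents are returned verbatim */
}

/* Case-insensitive comparison, the replacement proposed in the report. */
enum action dispatch_strncasecmp(const char *path)
{
    const char *ext = request_ext(path);
    if (ext && strlen(ext) == 3 && strncasecmp(ext, "php", 3) == 0)
        return RUN_AS_PHP;
    return SERVE_STATIC;
}

int main(void)
{
    /* Constructed request paths. */
    const char *paths[] = { "/index.php", "/index.PHP", "/index.Php",
                            "/index.php5", "/style.css", "/dir.php/readme" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-16s memcmp=%d strncasecmp=%d\n", paths[i],
               dispatch_memcmp(paths[i]), dispatch_strncasecmp(paths[i]));
    return 0;
}
```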
 
Last updated: Tue Dec 18 22:01:26 2018 UTC