php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75712 php-fpm's import_environment_variables impl should not copy $_ENV, $_SERVER
Submitted: 2017-12-20 13:18 UTC Modified: 2018-02-11 05:20 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: adam at lavoaster dot co dot uk Assigned:
Status: Open Package: FPM related
PHP Version: 7.1.12 OS: linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-12-20 13:18 UTC] adam at lavoaster dot co dot uk
Description:
------------
This came out of looking into an issue here - https://github.com/symfony/symfony/issues/25511

If $_SERVER['argv'] exists anywhere in the code, it doesn't matter if it isn't called, just as long it's included, it will add 'argv' and 'argc' to the return of 'getenv()' when called without any parameters.

Just a note: If you have xdebug installed, this issue will not present itself.

Test script:
---------------
<?php

var_dump(getenv());

function notcalled()
{
    $_SERVER['argv'];
}

Expected result:
----------------
It shouldn't return 'argv' or 'argc' in the return array, especially as 'argv' is an array which would break scripts that would directly use getenv(), like Symfony process did, straight into proc_open.

Actual result:
--------------
It returns 'argv' and 'argc' in the returning array.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-12-20 13:34 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2017-12-20 13:34 UTC] requinix@php.net
I haven't been able to reproduce with the CLI or the embedded server.

Which SAPIs? (Apache module, FastCGI, etc.)
Does it happen if you reference $_SERVER at all and not just with ['argv'], as in

function notcalled() {
  $_SERVER;
}
 [2017-12-20 13:55 UTC] adam at lavoaster dot co dot uk
-Status: Feedback +Status: Open
 [2017-12-20 13:55 UTC] adam at lavoaster dot co dot uk
Huh, yeah. If I just reference $_SERVER it will populate the return of getenv() with 'argv' and 'argc'.

I'm running an nginx / php-fpm (fpm-fcgi?) setup here.
 [2018-02-11 05:20 UTC] requinix@php.net
-Summary: If $_SERVER['argv'] exists in code, calls to getenv() will return argv and argc +Summary: php-fpm's import_environment_variables impl should not copy $_ENV, $_SERVER -Package: *General Issues +Package: FPM related
 [2018-02-11 05:20 UTC] requinix@php.net
So I did some more digging and this behavior is caused by php-fpm specifically: PHP core has an implementation to list environment variables as an array, and php-fpm is necessarily overriding it. What it does is copy $_ENV if defined, or else $_SERVER if defined, or else fall back to the original implementation plus some FastCGI values.
https://github.com/php/php-src/blob/PHP-7.1.12/sapi/fpm/fpm/fpm_main.c#L563

The ironic thing is that this started with request #69359 which wanted getenv to return an array because $_ENV is not always accessible and because it won't reflect changes made during runtime, but php-fpm's implementation (written years before when it was first introduced) does the opposite of that.

So you're getting argc/v because referencing $_SERVER instructs PHP to create that variable (see the auto_globals_jit setting) which naturally includes those two, and php-fpm is giving you a copy of that array.

I don't know why php-fpm wants to copy $_ENV/SERVER? Without knowing the reason for that, or exactly where else it gets used, I would think those two bits should be removed entirely...
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Nov 12 07:01:37 2019 UTC