php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77783 getenv affected by auto_globals_jit in fpm-fcgi SAPI
Submitted: 2019-03-22 21:41 UTC Modified: 2019-03-28 10:32 UTC
From: matt at mattallan dot me Assigned:
Status: Open Package: *Configuration Issues
PHP Version: 7.3.3 OS: macOs Mojave 10.14
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-03-22 21:41 UTC] matt at mattallan dot me
Description:
------------
If the auto_globals_jit directive is enabled the getenv function does not return all of the environment variables.

The test script below must be executed with the fpm sapi.  I personally tested this with both Nginx and Caddy + php-fpm.  It doesn't seem

If you access a superglobal anywhere in the script (even after the getenv call), the environment variables are loaded as expected.

The value of the fpm directive clear_env does not seem to matter.

PHP version:

PHP 7.3.3 (cli) (built: Mar  8 2019 16:40:07) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.3, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.3, Copyright (c) 1999-2018, by Zend Technologies

(installed with Homebrew)

Relevant ini params:

variables_order = "EGPCS"
auto_globals_jit = On

Test script:
---------------
<?php

var_dump(getenv());

// Uncomment this and the environment variables are returned above
// $whatever = $_ENV['SOMETHING'] ?? false;

Expected result:
----------------
When I execute `curl localhost` I see the output:

array(28) {
  ["USER"]=>
  string(4) "matt"
  ["HOME"]=>
  string(11) "/Users/matt"
  ["HTTP_CONNECTION"]=>
  string(10) "keep-alive"
  ["HTTP_ACCEPT"]=>
  string(3) "*/*"
  ["HTTP_ACCEPT_ENCODING"]=>
  string(13) "gzip, deflate"
  ["HTTP_USER_AGENT"]=>
  string(12) "HTTPie/0.9.9"
  // lots more keys ....
}

Actual result:
--------------
When I execute `curl localhost` I see the output:

array(2) {
  ["USER"]=>
  string(4) "matt"
  ["HOME"]=>
  string(11) "/Users/matt"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-23 03:43 UTC] danack@php.net
-Status: Open +Status: Not a bug
 [2019-03-23 03:43 UTC] danack@php.net
I'm going to close this is as a duplicate of https://bugs.php.net/bug.php?id=77782 as I strongly suspect they are the same issue you're seeing.

This ticket can be re-opened if they aren't related.


> the getenv function does not return all of the environment variables.
> Expected result:
> ["HTTP_CONNECTION"]

Those are not environment variables. They are CGI variables and shouldn't be showing up in environment variables...
 [2019-03-23 03:43 UTC] danack@php.net
-Status: Not a bug +Status: Duplicate
 [2019-03-26 14:38 UTC] matt at mattallan dot me
> Those are not environment variables. They are CGI variables and shouldn't be showing up in environment variables...

As far as I know CGI variables are supposed to be returned from `getenv` when using the FPM SAPI.  If that were not the case the https://httpoxy.org exploit would not be possible (https://bugs.php.net/bug.php?id=72573).

I reported this as a separate bug for a few reasons:

- #77782 happens when auto_globals_jit is Off.  This bug only happens when auto_globals_jit is On.
- #77782 is only caused by variables defined by the webserver (i.e. NGINX fastcgi_param).  This issue occurs with all CGI variables (including fastcgi_param).

I pushed a docker-compose setup that reproduces the issue here: https://github.com/matt-allan/PhpTest/tree/77783
 [2019-03-28 10:32 UTC] danack@php.net
-Status: Duplicate +Status: Open
 [2019-03-28 10:32 UTC] danack@php.net
I'll set it back to open then.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 18:01:25 2019 UTC