php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77783 getenv affected by auto_globals_jit in fpm-fcgi SAPI
Submitted: 2019-03-22 21:41 UTC Modified: 2019-03-28 10:32 UTC
From: matt at mattallan dot me Assigned:
Status: Open Package: *Configuration Issues
PHP Version: 7.3.3 OS: macOs Mojave 10.14
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: matt at mattallan dot me
New email:
PHP Version: OS:

 

 [2019-03-22 21:41 UTC] matt at mattallan dot me
Description:
------------
If the auto_globals_jit directive is enabled the getenv function does not return all of the environment variables.

The test script below must be executed with the fpm sapi.  I personally tested this with both Nginx and Caddy + php-fpm.  It doesn't seem

If you access a superglobal anywhere in the script (even after the getenv call), the environment variables are loaded as expected.

The value of the fpm directive clear_env does not seem to matter.

PHP version:

PHP 7.3.3 (cli) (built: Mar  8 2019 16:40:07) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.3, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.3, Copyright (c) 1999-2018, by Zend Technologies

(installed with Homebrew)

Relevant ini params:

variables_order = "EGPCS"
auto_globals_jit = On

Test script:
---------------
<?php

var_dump(getenv());

// Uncomment this and the environment variables are returned above
// $whatever = $_ENV['SOMETHING'] ?? false;

Expected result:
----------------
When I execute `curl localhost` I see the output:

array(28) {
  ["USER"]=>
  string(4) "matt"
  ["HOME"]=>
  string(11) "/Users/matt"
  ["HTTP_CONNECTION"]=>
  string(10) "keep-alive"
  ["HTTP_ACCEPT"]=>
  string(3) "*/*"
  ["HTTP_ACCEPT_ENCODING"]=>
  string(13) "gzip, deflate"
  ["HTTP_USER_AGENT"]=>
  string(12) "HTTPie/0.9.9"
  // lots more keys ....
}

Actual result:
--------------
When I execute `curl localhost` I see the output:

array(2) {
  ["USER"]=>
  string(4) "matt"
  ["HOME"]=>
  string(11) "/Users/matt"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-03-23 03:43 UTC] danack@php.net
-Status: Open +Status: Not a bug
 [2019-03-23 03:43 UTC] danack@php.net
I'm going to close this is as a duplicate of https://bugs.php.net/bug.php?id=77782 as I strongly suspect they are the same issue you're seeing.

This ticket can be re-opened if they aren't related.


> the getenv function does not return all of the environment variables.
> Expected result:
> ["HTTP_CONNECTION"]

Those are not environment variables. They are CGI variables and shouldn't be showing up in environment variables...
 [2019-03-23 03:43 UTC] danack@php.net
-Status: Not a bug +Status: Duplicate
 [2019-03-26 14:38 UTC] matt at mattallan dot me
> Those are not environment variables. They are CGI variables and shouldn't be showing up in environment variables...

As far as I know CGI variables are supposed to be returned from `getenv` when using the FPM SAPI.  If that were not the case the https://httpoxy.org exploit would not be possible (https://bugs.php.net/bug.php?id=72573).

I reported this as a separate bug for a few reasons:

- #77782 happens when auto_globals_jit is Off.  This bug only happens when auto_globals_jit is On.
- #77782 is only caused by variables defined by the webserver (i.e. NGINX fastcgi_param).  This issue occurs with all CGI variables (including fastcgi_param).

I pushed a docker-compose setup that reproduces the issue here: https://github.com/matt-allan/PhpTest/tree/77783
 [2019-03-28 10:32 UTC] danack@php.net
-Status: Duplicate +Status: Open
 [2019-03-28 10:32 UTC] danack@php.net
I'll set it back to open then.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 18:01:30 2024 UTC