php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #79417 PHP-FPM: php_admin_value can be overwritten in .htaccess
Submitted: 2020-03-26 15:34 UTC Modified: 2021-12-04 18:18 UTC
From: tk at all-inkl dot com Assigned: bukka (profile)
Status: Assigned Package: FPM related
PHP Version: Irrelevant OS: linux ubuntu18,
Private report: No CVE-ID: None
View Developer Edit
 [2020-03-26 15:34 UTC] tk at all-inkl dot com 
Description:
------------
you can overwrite php_admin_value's with SetEnv in .htaccess in PHP-FPM. I tested it with a fresh installed ubuntu18.04, apache2.4 from official repo and latest compiled PHP7.4 with default settings

System : Linux test 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64 
Build Date : Mar 26 2020 14:36:24 
Configure Command : './configure' '--prefix=/opt/php-7.4' '--enable-fpm' 
Server API : FPM/FastCGI
Virtual Directory Support : disabled 
Configuration File (php.ini) Path : /opt/php-7.4/lib 
Loaded Configuration File : /opt/php-7.4/lib/php.ini 
Scan this dir for additional .ini files : (none) 
Additional .ini files parsed : (none) 

I also tested with 5.6.38, 7.0.33, 7.1.33, 7.2.24,  7.3.11 and it's always the same strange unexpected behavior

Test script:
---------------
/etc/apache2/apache2.conf:
AllowOverride All

DocRoot .htaccess:
SetEnv PHP_ADMIN_VALUE "sendmail_path = /bin/true"

phpinfo.php results:
sendmail_path	/bin/true	/bin/true

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-03-27 06:49 UTC] tk at all-inkl dot com
-Package: *Configuration Issues +Package: FPM related
 [2020-03-27 06:49 UTC] tk at all-inkl dot com 
FPM related
 [2020-03-27 09:22 UTC] cmb@php.net 
Might be related to bug #77190.
 [2020-04-14 03:54 UTC] stas@php.net 
Isn't that what PHP_ADMIN_VALUE is for? If it's not intended, do not set AllowOverride All for these directories.
 [2020-04-14 11:01 UTC] tk at all-inkl dot com 
no it's not. it should not be able to be overwritten at all.

see documentation https://www.php.net/manual/en/configuration.changes.php:

php_admin_value name value
 Sets the value of the specified directive. This _can not_ be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or ini_set(). To clear a previously set value use none as the value.


it will also trigger an error when you try to use php_admin_value in same directory:

[core:alert] [pid 14623:tid 140080005994240] [client 172.16.16.252:0] /var/www/test1/.htaccess: php_admin_value not allowed here, referer: http://localhost/

but with SetEnv you can bypass this setup
 [2020-04-14 20:06 UTC] stas@php.net
-Assigned To: +Assigned To: bukka
 [2020-04-14 20:06 UTC] stas@php.net 
Would be nice to hear from FPM maintainers as the code as I see it directly uses this variable so I have hard time imagining how it could be unintentional... maybe there's some confusion going on between code, documentation and intentions.
 [2020-04-26 19:52 UTC] bukka@php.net 
The linked documentation is for running PHP as an Apache module which has nothing to do with FPM and php_admin_value in FPM config.

I guess the reason why you can overwrite it is just that SetEnv in Apache adds FCGI env. The PHP_ADMIN_VALUE and PHP_VALUE is something that allows overwriting PHP ini on the server and it's been always there. It's on purpose and we can't change it as it would likely break some applications.
 [2020-05-06 07:53 UTC] tk at all-inkl dot com 
okay, I got it. However, then it should be more clear that the PHP_INI_* modes are only reliable for PHP as an apache mod:
https://www.php.net/manual/en/configuration.changes.modes.php
 [2021-12-04 18:18 UTC] bukka@php.net
-Type: Security +Type: Feature/Change Request
 [2021-12-04 18:18 UTC] bukka@php.net 
This is well known and it's on purpose and there are already requests about this so nothing secret about it. I will keep it open as feature request until planned mitigations (e.g. configurable disabling of PHP_ADMIN_VALUE) are implemented.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 12:00:01 2025 UTC