Patch php-cgi-disable-argv for CGI/CLI related Bug #61910
Patch version 2012-05-06 00:14 UTC
Developer: neweracracker@gmail.com
Disable argument parsing when invoked as CGI (and NOT when invoked as
FastCGI.) This is to prevent programs from passing arguments to php-cgi
via the query string as specified by RFC 3875. [1]

This patch may break CGI scripts that depend on arguments passed via
shebang arguments, e.g. '#!/usr/bin/php-cgi -dmagic_quotes_gpc=Off',
but this is inherently unsafe, since these arguments may have come from
the network.

Backward compatibility could theoretically be faked by parsing the
shebang arguments from the file itself, but this leads to a circular
dependency since the script filename depends on the configuration which
may be changed in the shebang line of the file (due to cgi.fix-pathinfo.)

[1] http://www.ietf.org/rfc/rfc3875

Index: sapi/cgi/cgi_main.c
===================================================================
--- sapi/cgi/cgi_main.c (revision 322984)
+++ sapi/cgi/cgi_main.c (working copy)
@@ -1552,7 +1552,7 @@
}
}
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+ if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
switch (c) {
case 'c':
if (cgi_sapi_module.php_ini_path_override) {
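Review bot: The changed line guards a whole loop with an unbraced `if (!cgi)` placed on the same line as the `while`, which is easy to misread and fragile if an `else` or a second statement is later added after the loop. Fold the test into the loop condition, `while (!cgi && (c = php_getopt(...)) != -1)`, or wrap the loop in braces, and add a comment saying that options are ignored under CGI because argv can be built from the query string (RFC 3875). The hunk does not show where `cgi` is assigned; please confirm its value is final before this first option pass, since `-c` (the `php_ini_path_override` case) is among the options being skipped.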
@@ -1801,7 +1801,7 @@
}
zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
switch (c) {
case 'T':
benchmark = 1;
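Review bot: When `cgi` is set this second loop is skipped entirely, so `php_optind` and `php_optarg` are never advanced by it while `argv` still holds whatever words the server passed; check that the code following the loop (not shown in this hunk) does not go on to read `argv[php_optind]` as a script path or argument under CGI. The same unbraced `if (!cgi) while` form is repeated here; because both passes need the identical guard, a single flag computed once (for example a `skip_getopt` variable) and tested in both loop conditions would keep the two in sync.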
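The RFC 3875 rule the patch description refers to, as an added example that is not part of the patch or of PHP's source: a query string with no unencoded `=` is split on `+`, URL-decoded, and handed to the script as argv, and the check below counts how many of those words a getopt-style loop would read as options. The function names, the 256-byte word buffer and the sample query strings are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* URL-decode one word of length len into out (at most outsz-1 bytes). */
static void decode_word(const char *w, size_t len, char *out, size_t outsz)
{
    size_t i = 0, o = 0;
    while (i < len && o + 1 < outsz) {
        if (w[i] == '%' && i + 2 < len && isxdigit((unsigned char)w[i + 1])
            && isxdigit((unsigned char)w[i + 2])) {
            char hex[3] = { w[i + 1], w[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 3;
        } else {
            out[o++] = w[i++];   /* literal byte or malformed escape */
        }
    }
    out[o] = '\0';
}

/* RFC 3875 section 4.4: a query string with no unencoded '=' is an "indexed"
 * query whose '+'-separated, URL-decoded words become command-line arguments.
 * Returns how many of those words begin with '-' and would be read as
 * options; returns 0 when the query is not indexed. */
int count_option_like_args(const char *qs)
{
    int hits = 0;
    char word[256];              /* assumed cap; longer words are truncated */
    if (qs == NULL || strchr(qs, '=') != NULL)
        return 0;
    while (*qs != '\0') {
        size_t len = strcspn(qs, "+");
        decode_word(qs, len, word, sizeof word);
        if (word[0] == '-') hits++;
        qs += len;
        if (*qs == '+') qs++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample query strings, not taken from any real request. */
    const char *samples[] = { "page+2", "id=-T", "%2DT+10", "-T+-c" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], count_option_like_args(samples[i]));
    return 0;
}
```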