Edit report at https://bugs.php.net/bug.php?id=60677&edit=1
ID: 60677
Comment by: pasamio at gmail dot com
Reported by: pasamio at gmail dot com
Summary: CGI doesn't properly validate shebang line contains #!
Status: Verified
Type: Bug
Package: CGI/CLI related
Operating System: N/A
PHP Version: trunk-SVN-2012-01-07 (SVN)
Block user comment: N
Private report: N
New Comment:
The Apache 2 Handler appears to work properly though I can't find the code.
Additionally the PHP CLI handles this correctly:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cli/php_cli.c?revision=321634&view=markup
Line 633 with:
if (c == '#' && (c = fgetc(file_handle->handle.fp)) == '!') {
And a later rewind. Should be sufficient for some of the CGI stuff but not all
three of the instances in question.
Previous Comments:
------------------------------------------------------------------------
[2012-01-07 05:37:11] [email protected]
I completely misunderstood what you were saying... forgive me. :) Taking a
second look, you're right... the logic only checks the first character when
cgi.check_shebang_line = 1.
------------------------------------------------------------------------
[2012-01-07 05:20:05] [email protected]
Lines that begin with a hash tag can also be comments...
# This is a comment... <?php echo 'None of this will appear!' ?>
http://us.php.net/manual/en/language.basic-syntax.comments.php
------------------------------------------------------------------------
[2012-01-07 02:43:13] pasamio at gmail dot com
This appears to have been introduced with this change:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?r1=288080&r2=288081&
------------------------------------------------------------------------
[2012-01-07 02:39:51] pasamio at gmail dot com
Description:
------------
When running in CGI, PHP attempts to look for a shebang. However there is a bug
where if the first character of the first line is a hash character/pound
character (#), PHP doesn't validate that the next character is an exclamation
mark and thus a properly formed shebang line (e.g. #!). Instead PHP just skips
the entire line ignoring any PHP code that might be on that line.
The code in question from a quick examination appears to be here in trunk:
http://svn.php.net/viewvc/php/php-src/trunk/sapi/cgi/cgi_main.c?revision=321634&view=markup
On lines 2361, 2379 and 2396.
And on the PHP 5.4 branch:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/sapi/cgi/cgi_main.c?revision=321634&view=markup
On lines 2362, 2380 and 2397.
This has been replicated on PHP 5.3.3 and PHP 5.3.5 as well as being in current
trunk.
Test script:
---------------
#<?php echo "Hello World\n"; ?>
Second line.
Expected result:
----------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html
#Hello World
Second line.
Actual result:
--------------
X-Powered-By: PHP/5.3.3-7+squeeze3
Content-type: text/html
Second line.
------------------------------------------------------------------------
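Added example (not part of the bug report and not PHP's cgi_main.c code): a simplified C model of the first-line check, comparing the reported behaviour (skip any first line that starts with '#') with the "#!" test quoted above from php_cli.c followed by a rewind. The function names, the strict flag and the second sample script in main() are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Consume the rest of the current line, including a "\r\n" terminator. */
static void skip_to_eol(FILE *fp)
{
    int c;
    do {
        c = fgetc(fp);
    } while (c != '\n' && c != '\r' && c != EOF);
    if (c == '\r' && (c = fgetc(fp)) != '\n' && c != EOF)
        ungetc(c, fp);
}

/* strict == 0: skip the first line whenever it starts with '#' (reported behaviour).
 * strict != 0: skip it only when it starts with "#!", otherwise rewind.
 * Returns 1 if a line was skipped, 0 if the stream was rewound. */
int skip_shebang(FILE *fp, int strict)
{
    int c = fgetc(fp);
    if (c == '#' && (!strict || (c = fgetc(fp)) == '!')) {
        skip_to_eol(fp);
        return 1;
    }
    rewind(fp);
    return 0;
}

/* Hypothetical helper: store script in a temp file, apply the check and copy
 * what the interpreter would still see into out. Returns -1 on error. */
int visible_after_check(const char *script, int strict, char *out, size_t n)
{
    FILE *fp = tmpfile();
    if (!fp || n == 0) { if (fp) fclose(fp); return -1; }
    fputs(script, fp);
    rewind(fp);
    int skipped = skip_shebang(fp, strict);
    size_t got = fread(out, 1, n - 1, fp);
    out[got] = '\0';
    fclose(fp);
    return skipped;
}

int main(void)
{
    const char *report = "#<?php echo \"Hello World\\n\"; ?>\nSecond line.\n"; /* test script from the report */
    const char *shebang = "#!/usr/bin/php\r\n<?php echo 1; ?>\n";              /* constructed sample */
    char buf[128];
    visible_after_check(report, 0, buf, sizeof buf);  printf("first-char check:\n%s\n", buf);
    visible_after_check(report, 1, buf, sizeof buf);  printf("#! check:\n%s\n", buf);
    visible_after_check(shebang, 1, buf, sizeof buf); printf("real shebang, #! check:\n%s", buf);
    return 0;
}
```

With the first-character check the PHP code on the '#' line never reaches the interpreter; with the "#!" check the whole script stays visible, and a real shebang line is still dropped.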