ID:               25753
 Comment by:       rover at tob dot ru
 Reported By:      [EMAIL PROTECTED]
 Status:           Critical
 Bug Type:         Apache related
 Operating System: *
 PHP Version:      4CVS, 5CVS
 New Comment:

We examined the source files more carefully and reworked the patch:

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c    2003-06-03 11:41:49.000000000
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c    2004-01-28
10:48:27.000000000 +0500
@@ -830,6 +830,9 @@
        }
        if(!AP(xbithack)) {
                r->allowed |= (1 << METHODS) - 1;
+               zend_try {
+                       zend_ini_deactivate(TSRMLS_C);
+               } zend_end_try();
                return DECLINED;
        }
        return send_parsed_php(r);
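Review bot: the new zend_try/zend_ini_deactivate block restores the per-directory ini overrides only on this one DECLINED path (after `r->allowed |= (1 << METHODS) - 1;`), mirroring the pattern already present at line 570 of send_php quoted later in this report; the other return paths of php_xbithack_handler are outside this hunk, so please confirm that every return reached after zend_hash_apply(... php_apache_alter_ini_entries ...) restores the entries, otherwise the `engine` override can still leak into the next request served by the same child. A one-line comment like the earlier patch's `/* Restore default ini settings */` would also tell the next reader why a handler that declines must reset ini state.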


Previous Comments:
------------------------------------------------------------------------

[2004-01-27 16:08:12] rover at tob dot ru

2 hours later...

We analyzed this bug more carefully.

THIS BUG IS VERY CRITICAL AND HAS A HUGE SECURITY IMPACT!

A message with an explanation has been sent to [EMAIL PROTECTED],
[EMAIL PROTECTED]

------------------------------------------------------------------------

[2004-01-27 14:20:05] rover at tob dot ru

The latest patch has a disadvantage: it seems options like 'php_value engine
on' now don't work in .htaccess directives. But now I don't have
such annoying errors as before. Waiting for a developer solution. :)

------------------------------------------------------------------------

[2004-01-27 13:55:50] rover at tob dot ru

You can try this patch (applies to versions 4.3.3, 4.3.4 and 4.3.5RC1):

#patch -p1 -d source_dir_of_php < patch.diff

diff -udr php-4.3.3/sapi/apache/mod_php4.c
php-4.3.3.patched/sapi/apache/mod_php4.c
--- php-4.3.3/sapi/apache/mod_php4.c    2003-06-03 11:41:49.000000000
+0600
+++ php-4.3.3.patched/sapi/apache/mod_php4.c    2004-01-27
23:59:26.000000000 +0500
@@ -559,6 +559,11 @@
                        return DECLINED;
                }

+               /* Restore default ini settings */
+               zend_try {
+                       zend_ini_deactivate(TSRMLS_C);
+               } zend_end_try();
+
                per_dir_conf = (HashTable *)
get_module_config(r->per_dir_config, &php4_module);
                if (per_dir_conf) {
                        zend_hash_apply((HashTable *) per_dir_conf,
(apply_func_t) php_apache_alter_ini_entries TSRMLS_C
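Review bot: the trailing context line of this hunk is cut off at `php_apache_alter_ini_entries TSRMLS_C` (the source line quoted below ends `TSRMLS_CC);`), so the patch as pasted will not apply cleanly; please attach it as a file instead. On the logic: calling zend_ini_deactivate() at the top of send_php, before per_dir_conf is re-applied, resets the entries on every PHP request rather than only when a handler declines, and the follow-up comment in this report says `php_value engine on` in .htaccess stops working with this version, which suggests the restore happens at the wrong point in the request.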

------------------------------------------------------------------------

[2004-01-27 13:36:14] rover at tob dot ru

It seems we have found a bug in mod_php4.c. We can 100% reproduce this
error. How to reproduce (our case):
in httpd.conf we have:

# to enable only one instance of apache process
StartServers 1
MaxClients 1
#
<Directory /var/www/info/>
    php_value engine off
</Directory>

In php.ini:
Engine = On,
i.e. we enable PHP scripts for the whole site, but disable them in /info.

Let's begin:
#/usr/sbin/apache.dbg -f /etc/apache/httpd.conf
#gdb /usr/sbin/apache.gdb pid_of_child (attach to the child that serves
requests)
(gdb)p php_apache_info.engine
 =1                                    ! php-engine ENABLED
(gdb)watch php_apache_info.engine      ! VERY IMPORTANT
(gdb)break send_php                    ! bug in this func.
(gdb)c

1) Request a usual file from http://our.site/info/index.html:
Because we define 'php_value off' for this directory - at line 829 in
function php_xbithack_handler (remember - we process text/html) we call
zend_hash_apply((HashTable *) per_dir_conf, (apply_func_t)
php_apache_alter_ini_entries TSRMLS_CC);
and change our 'engine' value to 0.
Backtrace for this call (don't look at the line numbers - they are shifted
because I inserted debug lines in the source files):
Hardware watchpoint 1: php_apache_info.engine
Old value = 1
New value = 0
#0  OnUpdateInt (entry=0x80dc778, new_value=0x80d3cc4 "off",
new_value_length=3, mh_arg1=0x0, mh_arg2=0x4057f92c,
    mh_arg3=0x0, stage=4) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453
#1  0x4051110a in zend_alter_ini_entry (name=0x80de170 "engine",
name_length=7, new_value=0x80de180 "off",
    new_value_length=3, modify_type=2, stage=4) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:212
#2  0x40519fc6 in php_apache_alter_ini_entries
(per_dir_entry=0x812c598)
    at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:511
#3  0x4050b8f9 in zend_hash_apply (ht=0x809fc98, apply_func=0x40519f40
<php_apache_alter_ini_entries>)
    at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_hash.c:698
#4  0x4051ad1b in php_xbithack_handler (r=0x81367ec)
    at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:850
#5  0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518
#6  0x08067e28 in process_request_internal (r=0x81367ec) at
http_request.c:1332
#7  0x08067fd4 in ap_process_request (r=0x81367ec) at
http_request.c:1348
#8  0x08060644 in child_main (child_num_arg=0) at http_main.c:4719
#9  0x080607f7 in make_child (s=0x0, slot=0, now=0) at
http_main.c:4898
#10 0x08060920 in startup_children (number_to_start=1) at
http_main.c:4925
#11 0x0806149a in standalone_main (argc=1, argv=0xbffffdf4) at
http_main.c:5244
#12 0x08061a08 in main (argc=1, argv=0xbffffdf4) at http_main.c:5601

Result of 1): we process http://our.site/info/index.html successfully and
set the global var 'engine'=0!

Now we try to access http://our.site/index.php
2) breakpoint 2 is hit:
Breakpoint 2, send_php (r=0x81367ec, display_source_mode=0,
filename=0x0)
    at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544
544                     fh.free_filename = 0;
#0  send_php (r=0x81367ec, display_source_mode=0, filename=0x0)
    at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544
#1  0x4051a6eb in send_parsed_php (r=0x81367ec) at
/usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:655
#2  0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518
#3  0x08067e28 in process_request_internal (r=0x81367ec) at
http_request.c:1332
#4  0x08067fd4 in ap_process_request (r=0x81367ec) at
http_request.c:1348
#5  0x08060644 in child_main (child_num_arg=135489516) at
http_main.c:4719
#6  0x080607f7 in make_child (s=0x81367ec, slot=0, now=135489516) at
http_main.c:4898
#7  0x08060920 in startup_children (number_to_start=1) at
http_main.c:4925
#8  0x0806149a in standalone_main (argc=1, argv=0xbffffdf4) at
http_main.c:5244
#9  0x08061a08 in main (argc=1, argv=0xbffffdf4) at http_main.c:5601

But look at 'engine' - IT HAS THE OLD VALUE = 0! What happens next:

In mod_php4.c at line 570 (original file from 4.3.3, 4.3.4, 4.3.5RC1) we
have:
        if (!AP(engine)) {
                r->content_type = php_apache_get_default_mimetype(r
TSRMLS_CC);
                r->allowed |= (1 << METHODS) - 1;
                zend_try {
                        zend_ini_deactivate(TSRMLS_C);
                } zend_end_try();
                return DECLINED;
        }

and instead of serving index.php as x-application-php we only return
DECLINED. Continue:

3)(gdb)c
Hardware watchpoint 1: php_apache_info.engine
Old value = 0
New value = 1
OnUpdateInt (entry=0x80dc778, new_value=0x80b53e0 "1",
new_value_length=1, mh_arg1=0x0, mh_arg2=0x4057f92c,
    mh_arg3=0x0, stage=8) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453
453
1: php_apache_info = {engine = 1, last_modified = 0, xbithack = 0,
terminate_child = 0, in_request = 0 '\0'}
(gdb) bt
#0  OnUpdateInt (entry=0x80dc778, new_value=0x80b53e0 "1",
new_value_length=1, mh_arg1=0x0, mh_arg2=0x4057f92c,
    mh_arg3=0x0, stage=8) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453
#1  0x40510bcf in zend_restore_ini_entry_cb (ini_entry=0x80dc778,
stage=8)
    at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:51
#2  0x4050b990 in zend_hash_apply_with_argument (ht=0x80b4f48,
apply_func=0x40510b40 <zend_restore_ini_entry_cb>,
    argument=0x8) at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_hash.c:717
#3  0x40510cdb in zend_ini_deactivate () at
/usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:89
#4  0x40510b40 in zend_remove_ini_entries (ini_entry=0x90,
module_number=0x0)
    at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:44

This only happens at line 574 where we RESET all variables to their default
values.

To solve this bug we must RESET all ini_entries to default values in the
send_php function. Maybe the authors can suggest a better method to restore
default values instead of using zend_ini_deactivate(TSRMLS_C);
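To make the leak concrete, here is a constructed C model (added here, not mod_php4's own code) of one child process handling the two requests from this reproduction: alter_engine, ini_deactivate, handle_buggy and handle_fixed are simplified stand-ins for the Zend calls named above, not their real signatures.

```c
#include <stdbool.h>

/* Constructed model of the state leak in bug #25753 (not mod_php4 code):
 * one ini entry, 'engine', with its original value and a flag recording
 * whether a per-directory override is currently applied. */
static struct { int engine; int orig_engine; bool modified; } ini = {1, 1, false};

/* Stand-in for zend_alter_ini_entry(): remember the original the first
 * time the entry is overridden, then change the live value. */
static void alter_engine(int value) {
    if (!ini.modified) { ini.orig_engine = ini.engine; ini.modified = true; }
    ini.engine = value;
}

/* Stand-in for zend_ini_deactivate(): restore every modified entry. */
static void ini_deactivate(void) {
    if (ini.modified) { ini.engine = ini.orig_engine; ini.modified = false; }
}

/* A request: per-directory 'engine' override (-1 = none) and file type. */
struct request { int dir_engine; bool is_php; };

#define DECLINED 0
#define SERVED   1

/* Buggy flow: the text/html handler applies the per-dir override, then
 * returns DECLINED without restoring it, so 'engine = 0' stays set for
 * the next request this child process handles. */
static int handle_buggy(const struct request *r) {
    if (r->dir_engine >= 0) alter_engine(r->dir_engine);
    if (!r->is_php) return DECLINED;                  /* leak: no restore */
    if (!ini.engine) { ini_deactivate(); return DECLINED; }
    ini_deactivate();                                 /* request shutdown */
    return SERVED;
}

/* Fixed flow, as in the reworked patch at the top of this report: restore
 * on the early DECLINED path too, so nothing carries over. */
static int handle_fixed(const struct request *r) {
    if (r->dir_engine >= 0) alter_engine(r->dir_engine);
    if (!r->is_php) { ini_deactivate(); return DECLINED; }
    if (!ini.engine) { ini_deactivate(); return DECLINED; }
    ini_deactivate();
    return SERVED;
}

/* Replay the report: /info/index.html (engine off) then /index.php,
 * in one child, starting from php.ini's 'Engine = On'. */
static int replay(int (*handler)(const struct request *)) {
    ini.engine = 1; ini.orig_engine = 1; ini.modified = false;
    struct request html = { 0, false }, php = { -1, true };
    handler(&html);
    return handler(&php);   /* buggy: DECLINED, fixed: SERVED */
}
```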

------------------------------------------------------------------------

[2004-01-26 02:15:14] paul at vanbrouwershaven dot com

Same problem with apache 2.0.48 and PHP 4.3.4

We "solved" the problem by downgrading to PHP 4.3.1

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/25753
