ID: 25753 Comment by: rover at tob dot ru Reported By: [EMAIL PROTECTED] Status: Critical Bug Type: Apache related Operating System: * PHP Version: 4CVS, 5CVS New Comment:
We examine source files more carefull and remake a patch: diff -udr php-4.3.3/sapi/apache/mod_php4.c php-4.3.3.patched/sapi/apache/mod_php4.c --- php-4.3.3/sapi/apache/mod_php4.c 2003-06-03 11:41:49.000000000 +0600 +++ php-4.3.3.patched/sapi/apache/mod_php4.c 2004-01-28 10:48:27.000000000 +0500 @@ -830,6 +830,9 @@ } if(!AP(xbithack)) { r->allowed |= (1 << METHODS) - 1; + zend_try { + zend_ini_deactivate(TSRMLS_C); + } zend_end_try(); return DECLINED; } return send_parsed_php(r); Previous Comments: ------------------------------------------------------------------------ [2004-01-27 16:08:12] rover at tob dot ru 2 hour later.... We analyze this bug more carefully. THIS BUG VERY CRITICAL AND HAVE HUGE SECURITY IMPACT! message with explanation are sent to [EMAIL PROTECTED], [EMAIL PROTECTED] ------------------------------------------------------------------------ [2004-01-27 14:20:05] rover at tob dot ru Latest patch have a disadvantage: seems options like 'php_value engine on' now doesn't working in .htaccess directives. But now i don't have such annoying errors as early. Wait for developer solution. :) ------------------------------------------------------------------------ [2004-01-27 13:55:50] rover at tob dot ru You can try this patch: (applied to 4.3.3, 4.3.4 and 4.3.5RC1 versions): #patch -p1 -d source_dir_of_php < patch.diff diff -udr php-4.3.3/sapi/apache/mod_php4.c php-4.3.3.patched/sapi/apache/mod_php4.c --- php-4.3.3/sapi/apache/mod_php4.c 2003-06-03 11:41:49.000000000 +0600 +++ php-4.3.3.patched/sapi/apache/mod_php4.c 2004-01-27 23:59:26.000000000 +0500 @@ -559,6 +559,11 @@ return DECLINED; } + /* Restore default ini settings */ + zend_try { + zend_ini_deactivate(TSRMLS_C); + } zend_end_try(); + per_dir_conf = (HashTable *) get_module_config(r->per_dir_config, &php4_module); if (per_dir_conf) { zend_hash_apply((HashTable *) per_dir_conf, (apply_func_t) php_apache_alter_ini_entries TSRMLS_C ------------------------------------------------------------------------ [2004-01-27 13:36:14] rover at tob dot ru It seems we have found a bug in mod_php4.c. We can 100% reproduce this error. How to reproduce (our case): in httpd.conf we have: # to enable only one instance of apache process StartServers 1 MaxClients 1 # <Directory /var/www/info/> php_value engine off </Directory> in php.ini: Engine = On, we enable php-scripts at all site, but disable in /info. Let's begin: #/usr/sbin/apache.dbg -f /etc/apache/httpd.conf #gbd /usr/sbin/apache.gdb pid_of_child (attach to child, what serve requests) (gdb)p php_apache_info.engine =1 ! php-engine ENABLED (gdb)watch php_apache_info.engine ! VERY IMPORTANT (gdb)break send_php ! bug in this func. (gdb)c 1) Request a usual file from http://our.site/info/index.html: Because we define 'php_value off' for this directory - at line 829 in function php_xbithack_handler(remember - we process text/html) we call zend_hash_apply((HashTable *) per_dir_conf, (apply_func_t) php_apache_alter_ini_entries TSRMLS_CC); and change our 'engine' value to 0. backtrace for this call (don't look at line number - they shifted because i insert debug lines in source files): Hardware watchpoint 1: php_apache_info.engine Old value = 1 New value = 0 #0 OnUpdateInt (entry=0x80dc778, new_value=0x80d3cc4 "off", new_value_length=3, mh_arg1=0x0, mh_arg2=0x4057f92c, mh_arg3=0x0, stage=4) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453 #1 0x4051110a in zend_alter_ini_entry (name=0x80de170 "engine", name_length=7, new_value=0x80de180 "off", new_value_length=3, modify_type=2, stage=4) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:212 #2 0x40519fc6 in php_apache_alter_ini_entries (per_dir_entry=0x812c598) at /usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:511 #3 0x4050b8f9 in zend_hash_apply (ht=0x809fc98, apply_func=0x40519f40 <php_apache_alter_ini_entries>) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_hash.c:698 #4 0x4051ad1b in php_xbithack_handler (r=0x81367ec) at /usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:850 #5 0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518 #6 0x08067e28 in process_request_internal (r=0x81367ec) at http_request.c:1332 #7 0x08067fd4 in ap_process_request (r=0x81367ec) at http_request.c:1348 #8 0x08060644 in child_main (child_num_arg=0) at http_main.c:4719 #9 0x080607f7 in make_child (s=0x0, slot=0, now=0) at http_main.c:4898 #10 0x08060920 in startup_children (number_to_start=1) at http_main.c:4925 #11 0x0806149a in standalone_main (argc=1, argv=0xbffffdf4) at http_main.c:5244 #12 0x08061a08 in main (argc=1, argv=0xbffffdf4) at http_main.c:5601 Result of 1): we process http://our.site/info/index.html succefull and set global var 'engine'=0! Now we try to access http://our.site/index.php 2) breakpoint 2 executed: Breakpoint 2, send_php (r=0x81367ec, display_source_mode=0, filename=0x0) at /usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544 544 fh.free_filename = 0; #0 send_php (r=0x81367ec, display_source_mode=0, filename=0x0) at /usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:544 #1 0x4051a6eb in send_parsed_php (r=0x81367ec) at /usr/local/src/apache2+php4/php4-4.3.3/sapi/apache/mod_php4.c:655 #2 0x080551c3 in ap_invoke_handler (r=0x81367ec) at http_config.c:518 #3 0x08067e28 in process_request_internal (r=0x81367ec) at http_request.c:1332 #4 0x08067fd4 in ap_process_request (r=0x81367ec) at http_request.c:1348 #5 0x08060644 in child_main (child_num_arg=135489516) at http_main.c:4719 #6 0x080607f7 in make_child (s=0x81367ec, slot=0, now=135489516) at http_main.c:4898 #7 0x08060920 in startup_children (number_to_start=1) at http_main.c:4925 #8 0x0806149a in standalone_main (argc=1, argv=0xbffffdf4) at http_main.c:5244 #9 0x08061a08 in main (argc=1, argv=0xbffffdf4) at http_main.c:5601 But look at 'engine' - IT HAVE OLD VALUE = 0! What happend next: In mod_php4.c at line 570(original file from 4.3.3,4.3.4,4.3.5RC1) we have: if (!AP(engine)) { r->content_type = php_apache_get_default_mimetype(r TSRMLS_CC); r->allowed |= (1 << METHODS) - 1; zend_try { zend_ini_deactivate(TSRMLS_C); } zend_end_try(); return DECLINED; } and instead serve index.php as x-application-php we only return DECLINE. Continue: 3)(gdb)c Hardware watchpoint 1: php_apache_info.engine Old value = 0 New value = 1 OnUpdateInt (entry=0x80dc778, new_value=0x80b53e0 "1", new_value_length=1, mh_arg1=0x0, mh_arg2=0x4057f92c, mh_arg3=0x0, stage=8) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453 453 1: php_apache_info = {engine = 1, last_modified = 0, xbithack = 0, terminate_child = 0, in_request = 0 '\0'} (gdb) bt #0 OnUpdateInt (entry=0x80dc778, new_value=0x80b53e0 "1", new_value_length=1, mh_arg1=0x0, mh_arg2=0x4057f92c, mh_arg3=0x0, stage=8) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:453 #1 0x40510bcf in zend_restore_ini_entry_cb (ini_entry=0x80dc778, stage=8) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:51 #2 0x4050b990 in zend_hash_apply_with_argument (ht=0x80b4f48, apply_func=0x40510b40 <zend_restore_ini_entry_cb>, argument=0x8) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_hash.c:717 #3 0x40510cdb in zend_ini_deactivate () at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:89 #4 0x40510b40 in zend_remove_ini_entries (ini_entry=0x90, module_number=0x0) at /usr/local/src/apache2+php4/php4-4.3.3/Zend/zend_ini.c:44 This only happend at line 574 where we RESET all variables to default value. To solve this bug we must RESET all ini_entries to default values in send_php function. Maybe authors suggest better method to restore default values instead using zend_ini_deactivate(TSRMLS_C); ------------------------------------------------------------------------ [2004-01-26 02:15:14] paul at vanbrouwershaven dot com Same problem with apache 2.0.48 and PHP 4.3.4 We "solved" the problem by downgrading tot PHP 4.3.1 ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25753 -- Edit this bug report at http://bugs.php.net/?id=25753&edit=1