ID: 40419 Comment by: bugs at spuetz dot ath dot cx Reported By: samuele dot diella at gmail dot com Status: Open Bug Type: CGI related Operating System: Slackware 10.2 PHP Version: 5.2.1 New Comment:
I can confirm this for RHES3, 32bit, Apache 2.2.4 and fastcgi with suexec. The patch is working. Previous Comments: ------------------------------------------------------------------------ [2007-05-15 16:17:12] jankorichter at yahoo dot de I have created a small patch as a workaround. Should be checked and approved. --- sapi/cgi/cgi_main.c.org 2007-04-17 22:00:53.000000000 +0200 +++ sapi/cgi/cgi_main.c 2007-05-15 17:35:39.000000000 +0200 @@ -961,7 +961,14 @@ /* some server configurations allow '..' to slip through in the translated path. We'll just refuse to handle such a path. */ if (script_path_translated && !strstr(script_path_translated, "..")) { - SG(request_info).path_translated = estrdup(script_path_translated); + char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC); + if ( real_path ) + { + SG(request_info).path_translated = estrdup(real_path); + free(real_path); + } else { + SG(request_info).path_translated = estrdup(script_path_translated); + } } SG(request_info).content_type = (content_type ? content_type : "" ); SG(request_info).content_length = (content_length ? atoi(content_length) : 0); ------------------------------------------------------------------------ [2007-02-13 12:24:38] hacker at ee dot ethz dot ch i can confirm this issue on sarge/amd64 (gcc), whereas it works just fine on solaris8/sparc (gcc) with the same extensions enabled and the same php.ini settings. i am running fastcgi with apache2.0.59. ------------------------------------------------------------------------ [2007-02-09 17:37:50] samuele dot diella at gmail dot com Description: ------------ In php-5.2.1 compiled as CGI under Apache 1.3.37, when i enter an url with a trailing slash, with no params after, i get a "No input file specified.". If i don't write the slash, or if i write a single character after the slash, the request is handled correctly. es.: http://www.myserver.com/phpinfo.php5 ---> works http://www.myserver.com/phpinfo.php5/ ---> No input file specified. http://www.myserver.com/phpinfo.php5/test ---> works In php-5.2.0, compiled with the same config, the request is handled correctly. This is my config line: ./configure --prefix=/usr --with-xsl --sysconfdir=/etc --enable-discard-path --with-config-file-path=/etc/apache/php5 --enable-safe-mode --with-openssl --with-mhash --enable-bcmath --with-bz2 --with-pic --enable-calendar --enable-ctype --with-gdbm --with-db3 --with-imap-ssl=/usr/local/lib/c-client --with-imap=/usr/local/lib/c-client --enable-dbase --enable-ftp --with-iconv --with-dom --with-exif --enable-exif --with-gd --enable-gd-native-ttf --with-freetype-dir=/usr --with-t1lib=/usr --with-jpeg-dir=/usr --with-png --with-gmp --enable-mbstring --with-curl=/usr --with-pcre-regex=/usr --with-mysql --with-mysql-sock=/var/run/mysql --with-mysqli --with-gettext=shared,/usr --with-expat-dir=/usr --with-xml --with-tsrm-pthreads --with-mm=/usr --enable-trans-sid --enable-shmop --enable-sockets --with-regex=php --with-mime-magic --enable-sysvsem --enable-sysvshm --enable-yp --enable-memory-limit --enable-shared --disable-debug --with-zlib=/usr --with-mcrypt --with-ttf --enable-force-cgi-redirect This is my Apache configuration: AddType application/x-httpd-php5 .php5 Action application/x-httpd-php5 "/cgi-bin/php5" ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" I tryed many configuration options in php.ini and in configure command, but i was not able to get it works as before. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40419&edit=1