#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: fabian-php at spline dot de Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: I can reproduce this error with the following Configuration: SuSE 9.1 apache2 - 2.0.49 php4 4.3.4 In my setup with basically two virtual hosts I have the configuration directives auto_prepend, open_basedir and safe_mode indeterministically leaping from one virtual host to the other one. The frequency of such incidents is changing highly. Sometimes it happens in 1% of the requests and sometimes in 40% of the requests. I did't used .htaccess configuration, just php_admin_value in httpd.conf. It makes no difference if the php setting is in a virtual host or directory context. Previous Comments: [2004-11-02 11:05:55] lami at geocities dot com I want to add that this bug isn't relatod to auto_prepend_file only. PHP 4.3.9, Apache 2.0.52, Linux (Gentoo), kernel 2.4.25 My setup: Global apache config has php_engine off. Several virtual hosts override this in their part of config file. I also set open_basedir for each virtual host. It behaves similar like several people wrote (seems like thread keeps config from before), but doesn't seems to me to be dependent on specific configuration, only different vhosts. If I keep reloading same PHP page, sometimes it gets executed, sometimes it returns source code. Sometimes PHP gets executed, but fails with: Warning: Unknown(): open_basedir restriction in effect. File(file from one vhost) is not within the allowed path(s): (path from other vhost) in Unknown on line 0 [2004-07-07 15:45:04] j dot svoboda at phoenix dot cz The problem still manifests when the directive auto_prepend_file and the Directory container are used together. Please see the reproduce code at http://www.p-i-n.cz/doc/phpbug.txt. [2004-04-19 13:16:19] j dot svoboda at phoenix dot cz I am sorry, I stripped part of configure command. The full command is: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-imap=/usr/local/src/imap' [2004-04-19 13:08:13] j dot svoboda at phoenix dot cz I can 100% reproduce this error. How to reproduce (my case): We use the supplied Apache configuration (with several insignificant changes, listed at the bottom) and these local settings (included from separate file httpd-test-local.conf): - StartServers 1 MaxClients 1 DocumentRoot "/www" AddType application/x-httpd-php .php Order allow,deny Allow from all php_value include_path ".:/usr/local/lib/php:/www/lib" # Development php_value include_path ".:/usr/local/lib/php:/www/libv:/www/lib" # Authentication php_value auto_prepend_file a.php - In /www, we have four directories, ep, epv, lib, libv. (ep* is for PHP scripts, lib* is for PHP libraries; versions with 'v' stand for 'deVelopment'). In ep*, we have simple script i.php containing the command In lib, I have the empty file a.php. 1. I restart apache 2. I open the file /ep/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" 3. I open the file /epv/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" where it should print ".:/usr/local/lib/php:/www/libv:/www/lib" It seems that the problem manifests only in combination with auto_prepend_file. - "Insignificant changes" in apache configuration: diff httpd-std.conf httpd-test.conf 81c81 < PidFile logs/httpd.pid > PidFile logs/httpd-8080.pid 219c219 < Listen 80 > Listen 8080 231a232 > LoadModule php4_modulemodules/libphp4.so 1049a1051 > Include /usr/local/apache2/conf/httpd-test-local.conf - System settings: System: FreeBSD www.p-i-n.cz 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Wed Jan i386 Configure Command: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql SERVER_SOFTWARE: Apache/2.0.49 (Unix) PHP/4.3.5 - [2004-03-24 17:24:24] [EMAIL PROTECTED] It's fixed for me in 4.3.5RC3 Try the latest 4.3.5 RC, or CVS snapshot The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/27110 -- Edit this bug report at http://bugs.php.net/?id=27110&edit=1
#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: lami at geocities dot com Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: I want to add that this bug isn't relatod to auto_prepend_file only. PHP 4.3.9, Apache 2.0.52, Linux (Gentoo), kernel 2.4.25 My setup: Global apache config has php_engine off. Several virtual hosts override this in their part of config file. I also set open_basedir for each virtual host. It behaves similar like several people wrote (seems like thread keeps config from before), but doesn't seems to me to be dependent on specific configuration, only different vhosts. If I keep reloading same PHP page, sometimes it gets executed, sometimes it returns source code. Sometimes PHP gets executed, but fails with: Warning: Unknown(): open_basedir restriction in effect. File(file from one vhost) is not within the allowed path(s): (path from other vhost) in Unknown on line 0 Previous Comments: [2004-07-07 15:45:04] j dot svoboda at phoenix dot cz The problem still manifests when the directive auto_prepend_file and the Directory container are used together. Please see the reproduce code at http://www.p-i-n.cz/doc/phpbug.txt. [2004-04-19 13:16:19] j dot svoboda at phoenix dot cz I am sorry, I stripped part of configure command. The full command is: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-imap=/usr/local/src/imap' [2004-04-19 13:08:13] j dot svoboda at phoenix dot cz I can 100% reproduce this error. How to reproduce (my case): We use the supplied Apache configuration (with several insignificant changes, listed at the bottom) and these local settings (included from separate file httpd-test-local.conf): - StartServers 1 MaxClients 1 DocumentRoot "/www" AddType application/x-httpd-php .php Order allow,deny Allow from all php_value include_path ".:/usr/local/lib/php:/www/lib" # Development php_value include_path ".:/usr/local/lib/php:/www/libv:/www/lib" # Authentication php_value auto_prepend_file a.php - In /www, we have four directories, ep, epv, lib, libv. (ep* is for PHP scripts, lib* is for PHP libraries; versions with 'v' stand for 'deVelopment'). In ep*, we have simple script i.php containing the command In lib, I have the empty file a.php. 1. I restart apache 2. I open the file /ep/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" 3. I open the file /epv/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" where it should print ".:/usr/local/lib/php:/www/libv:/www/lib" It seems that the problem manifests only in combination with auto_prepend_file. - "Insignificant changes" in apache configuration: diff httpd-std.conf httpd-test.conf 81c81 < PidFile logs/httpd.pid > PidFile logs/httpd-8080.pid 219c219 < Listen 80 > Listen 8080 231a232 > LoadModule php4_modulemodules/libphp4.so 1049a1051 > Include /usr/local/apache2/conf/httpd-test-local.conf - System settings: System: FreeBSD www.p-i-n.cz 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Wed Jan i386 Configure Command: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql SERVER_SOFTWARE: Apache/2.0.49 (Unix) PHP/4.3.5 - [2004-03-24 17:24:24] [EMAIL PROTECTED] It's fixed for me in 4.3.5RC3 Try the latest 4.3.5 RC, or CVS snapshot [2004-03-24 11:19:57] bfriday at lasierra dot edu Installed php-4.3.4 and this bug continues to be a problem moved to the latest RC2 when it came out last week and the bug while listed in other reports as "fixed" continues to be a problem. I've got a virtual host situation in which the following is occuring: 1) primary hostname is fine it is not using php so there is no error 2) this virtual host is fine but is using php and it has some additional information which is set over and above our default settings in the php.ini via .htaccess files. 3) this virtual host is using just html so is fine as well 4) this virtual host would like to use php but cannot as php demands to look for setting which is not defined in the global .htaccess but rather in the .htaccess of virtual host 2. PHP consistently errors out and is unusable on this host as no program gets past the php_value auto_prepend_file line which is located in virtual host 2's .htaccess file. Please let me know if you have need of further information I can provide the domain names to a developer to do a look see but would need to do that privately. I'd really
#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: j dot svoboda at phoenix dot cz Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: The problem still manifests when the directive auto_prepend_file and the Directory container are used together. Please see the reproduce code at http://www.p-i-n.cz/doc/phpbug.txt. Previous Comments: [2004-04-19 13:16:19] j dot svoboda at phoenix dot cz I am sorry, I stripped part of configure command. The full command is: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-imap=/usr/local/src/imap' [2004-04-19 13:08:13] j dot svoboda at phoenix dot cz I can 100% reproduce this error. How to reproduce (my case): We use the supplied Apache configuration (with several insignificant changes, listed at the bottom) and these local settings (included from separate file httpd-test-local.conf): - StartServers 1 MaxClients 1 DocumentRoot "/www" AddType application/x-httpd-php .php Order allow,deny Allow from all php_value include_path ".:/usr/local/lib/php:/www/lib" # Development php_value include_path ".:/usr/local/lib/php:/www/libv:/www/lib" # Authentication php_value auto_prepend_file a.php - In /www, we have four directories, ep, epv, lib, libv. (ep* is for PHP scripts, lib* is for PHP libraries; versions with 'v' stand for 'deVelopment'). In ep*, we have simple script i.php containing the command In lib, I have the empty file a.php. 1. I restart apache 2. I open the file /ep/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" 3. I open the file /epv/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" where it should print ".:/usr/local/lib/php:/www/libv:/www/lib" It seems that the problem manifests only in combination with auto_prepend_file. - "Insignificant changes" in apache configuration: diff httpd-std.conf httpd-test.conf 81c81 < PidFile logs/httpd.pid > PidFile logs/httpd-8080.pid 219c219 < Listen 80 > Listen 8080 231a232 > LoadModule php4_modulemodules/libphp4.so 1049a1051 > Include /usr/local/apache2/conf/httpd-test-local.conf - System settings: System: FreeBSD www.p-i-n.cz 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Wed Jan i386 Configure Command: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql SERVER_SOFTWARE: Apache/2.0.49 (Unix) PHP/4.3.5 - [2004-03-24 17:24:24] [EMAIL PROTECTED] It's fixed for me in 4.3.5RC3 Try the latest 4.3.5 RC, or CVS snapshot [2004-03-24 11:19:57] bfriday at lasierra dot edu Installed php-4.3.4 and this bug continues to be a problem moved to the latest RC2 when it came out last week and the bug while listed in other reports as "fixed" continues to be a problem. I've got a virtual host situation in which the following is occuring: 1) primary hostname is fine it is not using php so there is no error 2) this virtual host is fine but is using php and it has some additional information which is set over and above our default settings in the php.ini via .htaccess files. 3) this virtual host is using just html so is fine as well 4) this virtual host would like to use php but cannot as php demands to look for setting which is not defined in the global .htaccess but rather in the .htaccess of virtual host 2. PHP consistently errors out and is unusable on this host as no program gets past the php_value auto_prepend_file line which is located in virtual host 2's .htaccess file. Please let me know if you have need of further information I can provide the domain names to a developer to do a look see but would need to do that privately. I'd really appreciate it if this is fixed as it makes using php in a virtual host setting impossible. [2004-02-16 01:19:35] [EMAIL PROTECTED] No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/27110 -- Edit this bug report at http://bugs.php.net/?id=27110&edit=1
#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: j dot svoboda at phoenix dot cz Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: I can 100% reproduce this error. How to reproduce (my case): We use the supplied Apache configuration (with several insignificant changes, listed at the bottom) and these local settings (included from separate file httpd-test-local.conf): - StartServers 1 MaxClients 1 DocumentRoot "/www" AddType application/x-httpd-php .php Order allow,deny Allow from all php_value include_path ".:/usr/local/lib/php:/www/lib" # Development php_value include_path ".:/usr/local/lib/php:/www/libv:/www/lib" # Authentication php_value auto_prepend_file a.php - In /www, we have four directories, ep, epv, lib, libv. (ep* is for PHP scripts, lib* is for PHP libraries; versions with 'v' stand for 'deVelopment'). In ep*, we have simple script i.php containing the command In lib, I have the empty file a.php. 1. I restart apache 2. I open the file /ep/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" 3. I open the file /epv/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" where it should print ".:/usr/local/lib/php:/www/libv:/www/lib" It seems that the problem manifests only in combination with auto_prepend_file. - "Insignificant changes" in apache configuration: diff httpd-std.conf httpd-test.conf 81c81 < PidFile logs/httpd.pid > PidFile logs/httpd-8080.pid 219c219 < Listen 80 > Listen 8080 231a232 > LoadModule php4_modulemodules/libphp4.so 1049a1051 > Include /usr/local/apache2/conf/httpd-test-local.conf - System settings: System: FreeBSD www.p-i-n.cz 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Wed Jan i386 Configure Command: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql SERVER_SOFTWARE: Apache/2.0.49 (Unix) PHP/4.3.5 - Previous Comments: [2004-03-24 17:24:24] [EMAIL PROTECTED] It's fixed for me in 4.3.5RC3 Try the latest 4.3.5 RC, or CVS snapshot [2004-03-24 11:19:57] bfriday at lasierra dot edu Installed php-4.3.4 and this bug continues to be a problem moved to the latest RC2 when it came out last week and the bug while listed in other reports as "fixed" continues to be a problem. I've got a virtual host situation in which the following is occuring: 1) primary hostname is fine it is not using php so there is no error 2) this virtual host is fine but is using php and it has some additional information which is set over and above our default settings in the php.ini via .htaccess files. 3) this virtual host is using just html so is fine as well 4) this virtual host would like to use php but cannot as php demands to look for setting which is not defined in the global .htaccess but rather in the .htaccess of virtual host 2. PHP consistently errors out and is unusable on this host as no program gets past the php_value auto_prepend_file line which is located in virtual host 2's .htaccess file. Please let me know if you have need of further information I can provide the domain names to a developer to do a look see but would need to do that privately. I'd really appreciate it if this is fixed as it makes using php in a virtual host setting impossible. [2004-02-16 01:19:35] [EMAIL PROTECTED] No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you. [2004-02-11 12:47:16] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip Unable to replicate with latest CVS. [2004-02-01 15:48:14] walter at brunner dot at I did additional experiments. The error occurs only in one specific virtual host. I am not able to reproduce the error within the same server (other virtual hosts) or on another server. The only difference between the vhost with error and the others is, that this vhost hast a designated ip-address, the other vhost share all the same ip address. The other parameters in the apache-config for the faulty vhost are: DocumentRoot /some/dir/web ServerName server.name.com ErrorLog /some/dir/logs/error_log CustomLog /some/dir/logs/access_log extended php_admin_value upload_tmp_dir "/some/dir/web/tmp"
#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: j dot svoboda at phoenix dot cz Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: I am sorry, I stripped part of configure command. The full command is: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-imap=/usr/local/src/imap' Previous Comments: [2004-04-19 13:08:13] j dot svoboda at phoenix dot cz I can 100% reproduce this error. How to reproduce (my case): We use the supplied Apache configuration (with several insignificant changes, listed at the bottom) and these local settings (included from separate file httpd-test-local.conf): - StartServers 1 MaxClients 1 DocumentRoot "/www" AddType application/x-httpd-php .php Order allow,deny Allow from all php_value include_path ".:/usr/local/lib/php:/www/lib" # Development php_value include_path ".:/usr/local/lib/php:/www/libv:/www/lib" # Authentication php_value auto_prepend_file a.php - In /www, we have four directories, ep, epv, lib, libv. (ep* is for PHP scripts, lib* is for PHP libraries; versions with 'v' stand for 'deVelopment'). In ep*, we have simple script i.php containing the command In lib, I have the empty file a.php. 1. I restart apache 2. I open the file /ep/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" 3. I open the file /epv/i.php in my browser, and it prints ".:/usr/local/lib/php:/www/lib" where it should print ".:/usr/local/lib/php:/www/libv:/www/lib" It seems that the problem manifests only in combination with auto_prepend_file. - "Insignificant changes" in apache configuration: diff httpd-std.conf httpd-test.conf 81c81 < PidFile logs/httpd.pid > PidFile logs/httpd-8080.pid 219c219 < Listen 80 > Listen 8080 231a232 > LoadModule php4_modulemodules/libphp4.so 1049a1051 > Include /usr/local/apache2/conf/httpd-test-local.conf - System settings: System: FreeBSD www.p-i-n.cz 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Wed Jan i386 Configure Command: './configure' '--with-apxs2=/usr/local/apache2/bin/apxs' '--with-mysql SERVER_SOFTWARE: Apache/2.0.49 (Unix) PHP/4.3.5 - [2004-03-24 17:24:24] [EMAIL PROTECTED] It's fixed for me in 4.3.5RC3 Try the latest 4.3.5 RC, or CVS snapshot [2004-03-24 11:19:57] bfriday at lasierra dot edu Installed php-4.3.4 and this bug continues to be a problem moved to the latest RC2 when it came out last week and the bug while listed in other reports as "fixed" continues to be a problem. I've got a virtual host situation in which the following is occuring: 1) primary hostname is fine it is not using php so there is no error 2) this virtual host is fine but is using php and it has some additional information which is set over and above our default settings in the php.ini via .htaccess files. 3) this virtual host is using just html so is fine as well 4) this virtual host would like to use php but cannot as php demands to look for setting which is not defined in the global .htaccess but rather in the .htaccess of virtual host 2. PHP consistently errors out and is unusable on this host as no program gets past the php_value auto_prepend_file line which is located in virtual host 2's .htaccess file. Please let me know if you have need of further information I can provide the domain names to a developer to do a look see but would need to do that privately. I'd really appreciate it if this is fixed as it makes using php in a virtual host setting impossible. [2004-02-16 01:19:35] [EMAIL PROTECTED] No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you. [2004-02-11 12:47:16] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip Unable to replicate with latest CVS. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/27110 -- Edit this bug report at http://bugs.php.net/?id=27110&edit=1
#27110 [Com]: php_value|flag / php_admin_* settings "leak" from .htaccess files
ID: 27110 Comment by: bfriday at lasierra dot edu Reported By: walter at brunner dot at Status: No Feedback Bug Type: Apache2 related Operating System: Linux (Gentoo) PHP Version: 4CVS-2004-02-01 Assigned To: iliaa New Comment: Installed php-4.3.4 and this bug continues to be a problem moved to the latest RC2 when it came out last week and the bug while listed in other reports as "fixed" continues to be a problem. I've got a virtual host situation in which the following is occuring: 1) primary hostname is fine it is not using php so there is no error 2) this virtual host is fine but is using php and it has some additional information which is set over and above our default settings in the php.ini via .htaccess files. 3) this virtual host is using just html so is fine as well 4) this virtual host would like to use php but cannot as php demands to look for setting which is not defined in the global .htaccess but rather in the .htaccess of virtual host 2. PHP consistently errors out and is unusable on this host as no program gets past the php_value auto_prepend_file line which is located in virtual host 2's .htaccess file. Please let me know if you have need of further information I can provide the domain names to a developer to do a look see but would need to do that privately. I'd really appreciate it if this is fixed as it makes using php in a virtual host setting impossible. Previous Comments: [2004-02-16 01:19:35] [EMAIL PROTECTED] No feedback was provided. The bug is being suspended because we assume that you are no longer experiencing the problem. If this is not the case and you are able to provide the information that was requested earlier, please do so and change the status of the bug back to "Open". Thank you. [2004-02-11 12:47:16] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip Unable to replicate with latest CVS. [2004-02-01 15:48:14] walter at brunner dot at I did additional experiments. The error occurs only in one specific virtual host. I am not able to reproduce the error within the same server (other virtual hosts) or on another server. The only difference between the vhost with error and the others is, that this vhost hast a designated ip-address, the other vhost share all the same ip address. The other parameters in the apache-config for the faulty vhost are: DocumentRoot /some/dir/web ServerName server.name.com ErrorLog /some/dir/logs/error_log CustomLog /some/dir/logs/access_log extended php_admin_value upload_tmp_dir "/some/dir/web/tmp" php_value session.save_path /some/dir/tmp php_admin_flag safe_mode off AllowOverride All php_admin_value max_execution_time 1800 AllowOverride All The .htaccess of the /-directory: php_value include_path ".:/usr/local/lib/php:/some/dir/web/php" [2004-02-01 05:48:20] [EMAIL PROTECTED] Please read the bug #25753 comments. You have to come up with better information how we can reproduce this ourselves.. [2004-02-01 01:56:48] walter at brunner dot at The problem is still alive with php4-STABLE-200402010630. The solution for me was to transfer the include_path to apache-config, but this solution is is not suitable for standard users, as they don't have access to this config-file. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/27110 -- Edit this bug report at http://bugs.php.net/?id=27110&edit=1
