From:             askalski at gmail dot com
Operating system: Linux
PHP version:      5CVS-2006-04-21 (snap)
PHP Bug Type:     CGI related
Bug description:  force-cgi-redirect is not checked under FastCGI

Description:
------------
The FastCGI version of PHP does not perform the force-cgi-redirect check for page requests. If I request http://localhost/cgi-bin/php, PHP tries to parse the PHP binary in /cgi-bin as if it was a script. If cgi.fix_pathinfo is turned off, users can bypass .htaccess security.

See also bug #22846.

Reproduce code:
---------------
PHP was configured with:
./configure --enable-fastcgi --enable-force-cgi-redirect

My /cgi-bin/php is a wrapper script that sets up FastCGI environment variables:

#! /bin/sh
export PHPRC=/etc/apache
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=512
exec /usr/local/bin/php

Expected result:
----------------
Security Alert! The PHP CGI cannot be accessed directly.

This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive.

For more information as to why this behaviour exists, see the manual page for CGI security.

For more information about changing this behaviour or re-enabling this webserver, consult the installation file that came with this distribution, or visit the manual page.

Actual result:
--------------
export PHPRC=/etc/apache
export PHP_FCGI_CHILDREN=4
export PHP_FCGI_MAX_REQUESTS=512
exec /usr/local/bin/php

-- 
Edit bug report at http://bugs.php.net/?id=37157&edit=1
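
Added example, not part of the original report and not PHP's own code: under FastCGI the CGI variables of each request arrive as length-prefixed name-value pairs in the FCGI_PARAMS stream rather than in the process environment, so a force-cgi-redirect style check has to look for REDIRECT_STATUS there. The function names and the two sample request bodies are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one FastCGI name-value length: 1 byte, or 4 bytes when the high bit is set. */
static int fcgi_len(const unsigned char **p, const unsigned char *end, size_t *out) {
    if (*p >= end) return -1;
    if (((*p)[0] & 0x80) == 0) { *out = *(*p)++; return 0; }
    if (end - *p < 4) return -1;
    *out = ((size_t)((*p)[0] & 0x7f) << 24) | ((size_t)(*p)[1] << 16)
         | ((size_t)(*p)[2] << 8) | (size_t)(*p)[3];
    *p += 4;
    return 0;
}

/* 1 if a parameter called `name` is present, 0 if absent, -1 if the body is malformed. */
int fcgi_has_param(const unsigned char *buf, size_t len, const char *name) {
    const unsigned char *p = buf, *end = buf + len;
    size_t want = strlen(name), nlen = 0, vlen = 0;
    int found = 0;
    while (p < end) {
        if (fcgi_len(&p, end, &nlen) || fcgi_len(&p, end, &vlen)) return -1;
        if ((size_t)(end - p) < nlen || (size_t)(end - p) - nlen < vlen) return -1;
        if (nlen == want && memcmp(p, name, want) == 0) found = 1;
        p += nlen + vlen;
    }
    return found;
}

/* Hypothetical per-request gate: serve only when REDIRECT_STATUS is among the
 * request's parameters; a malformed parameter body is refused (fail closed). */
int force_redirect_allows(const unsigned char *params, size_t len) {
    return fcgi_has_param(params, len, "REDIRECT_STATUS") == 1;
}

/* Constructed sample FCGI_PARAMS bodies (lengths exclude the literal's trailing NUL). */
static const unsigned char DIRECT_REQ[] =      /* direct hit on /cgi-bin/php */
    "\x0b\x0c" "SCRIPT_NAME" "/cgi-bin/php";
static const unsigned char REDIRECTED_REQ[] =  /* reached via a server-side redirect */
    "\x0f\x03" "REDIRECT_STATUS" "200" "\x0b\x0c" "SCRIPT_NAME" "/cgi-bin/php";

int main(void) {
    printf("direct:     %s\n",
           force_redirect_allows(DIRECT_REQ, sizeof DIRECT_REQ - 1) ? "serve" : "refuse");
    printf("redirected: %s\n",
           force_redirect_allows(REDIRECTED_REQ, sizeof REDIRECTED_REQ - 1) ? "serve" : "refuse");
    return 0;
}
```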