ID: 39927 Updated by: [EMAIL PROTECTED] Reported By: to_devnull at yahoo dot com -Status: Bogus +Status: Closed Bug Type: Apache related Operating System: all PHP Version: 5.2.0 New Comment:
Fixed in 5.2, 5.3 and 6 CVS Previous Comments: ------------------------------------------------------------------------ [2006-12-23 01:26:07] [EMAIL PROTECTED] I think the answer to that should be pretty obvious. We don't want to change behaviour of the code with and without register_globals. An app would have to check the register_globals setting in order to determine what the variable is called. That's even more confusing than the current situation where it is simply consistently changed. Once you realize that server variables may not contain spaces or dots, it is quite straightforward to write code against that. In fact, even when register_globals is completely removed, I doubt this will change since it would break backward compatibility with all existing apps. ------------------------------------------------------------------------ [2006-12-23 00:58:32] judas dot iscariote at gmail dot com Ilia: This behaviour is pretty much broken, why it does not check when register_globals is disabled and behaves correctly ? (and maybe drop register_globals in 5.3 or asap will be nice too ;) ) ------------------------------------------------------------------------ [2006-12-22 21:58:27] to_devnull at yahoo dot com This a strange reply ("Read a manual, this is not a bug"). Am I doing anything wrong here? I'm using default php installation and register_globals is Off in php.ini. Is there a way to configure php not to touch values in r->subprocess_env? My point is that php silently breaks Apache behavior by modifying specific data that is supposed to be read-only. If Apache allows "force-response-1.0" in its subprocess_env table, why php changes it? If php wants to modify input var names, it should make a copy. I may be totally wrong and miss some important configuration issue. In this case I'd greatly appreciate if you point me in the right direction. But canned response is not an answer. ------------------------------------------------------------------------ [2006-12-22 03:34:42] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php This is legacy of register_globals, as long as it exists . and spaces in input var names will be converted to underscores. ------------------------------------------------------------------------ [2006-12-22 00:28:27] to_devnull at yahoo dot com Description: ------------ I'm "reopening" Bug #13961 since some moron marked it as "bogus" and I can't comment on it: http://bugs.php.net/bug.php?id=13961 Apache module mod_setenvif sets variables in r->subprocess_env. If variable name contains character ".", then sapi_apache_register_server_variables() will replace it with "_". This breaks internal variables like force-response-1.0 (php changes it to force-response-1_0). I hit this bug with PHP4.4.3/PHP5 and latest Apache 1.3.37. Spent several hours tracing in debugger why "downgrade-1.0" becomes "downgrade-1_0". This is a serious bug -- basically it's impossible to downgrade client request/server response to HTTP 1.0 (or disable chunking) if php is involved. What a shame! Reproduce code: --------------- I actually traced it by shoving a static string containing '.' in r->subprocess_env and thus getting Apache to core dump when php tries to write to read-only memory in php_register_variable_ex(). ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=39927&edit=1