ID: 40419
Updated by: [EMAIL PROTECTED]
Reported By: samuele dot diella at gmail dot com
-Status: Open
+Status: Feedback
Bug Type: CGI related
Operating System: Slackware 10.2
PHP Version: 5.2.1
-Assigned To:
+Assigned To: dmitry
New Comment:

Check that cgi.fix_pathinfo in php.ini is set to 1. I cannot reproduce the behavior and cannot understand how the patch can fix it.

Previous Comments:
------------------------------------------------------------------------
[2007-05-21 10:45:08] jankorichter at yahoo dot de

SCRIPT_FILENAME fixed.

--- php-5.2.2/sapi/cgi/cgi_main.c 2007-04-17 22:00:53.000000000 +0200 +++ php-5.2.2.new/sapi/cgi/cgi_main.c 2007-05-21 12:24:31.000000000 +0200
@@ -961,7 +961,15 @@ /* some server configurations allow '..' to slip through in the translated path. We'll just refuse to handle such a path. */ if (script_path_translated && !strstr(script_path_translated, "..")) { - SG(request_info).path_translated = estrdup(script_path_translated); + char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC); + if ( real_path ) + { + SG(request_info).path_translated = estrdup(real_path); + script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", real_path TSRMLS_CC); + free(real_path); + } else { + SG(request_info).path_translated = estrdup(script_path_translated); + } } SG(request_info).content_type = (content_type ? content_type : "" ); SG(request_info).content_length = (content_length ? atoi(content_length) : 0); ------------------------------------------------------------------------ [2007-05-18 11:41:26] bugs at spuetz dot ath dot cx Oh, it isn't, partially. with patch applied, SCRIPT_FILENAME has still a trailing slash. On a working system (without the patch, too) a url /test.php/ results in a SCRIPT_FILENAME => /path/to/test.php with patch: SCRIPT_FILENAME => /path/to/test.php/ ------------------------------------------------------------------------ [2007-05-18 11:29:32] bugs at spuetz dot ath dot cx I can confirm this for RHES3, 32bit, Apache 2.2.4 and fastcgi with suexec. The patch is working. ------------------------------------------------------------------------ [2007-05-15 16:17:12] jankorichter at yahoo dot de I have created a small patch as a workaround. Should be checked and approved. --- sapi/cgi/cgi_main.c.org 2007-04-17 22:00:53.000000000 +0200 +++ sapi/cgi/cgi_main.c 2007-05-15 17:35:39.000000000 +0200 
@@ -961,7 +961,14 @@ /* some server configurations allow '..' to slip through in the translated path. We'll just refuse to handle such a path. */ if (script_path_translated && !strstr(script_path_translated, "..")) { - SG(request_info).path_translated = estrdup(script_path_translated); + char * real_path = tsrm_realpath(script_path_translated, NULL TSRMLS_CC); + if ( real_path ) + { + SG(request_info).path_translated = estrdup(real_path); + free(real_path); + } else { + SG(request_info).path_translated = estrdup(script_path_translated); + } } SG(request_info).content_type = (content_type ? content_type : "" ); SG(request_info).content_length = (content_length ? atoi(content_length) : 0); ------------------------------------------------------------------------ [2007-02-13 12:24:38] hacker at ee dot ethz dot ch i can confirm this issue on sarge/amd64 (gcc), whereas it works just fine on solaris8/sparc (gcc) with the same extensions enabled and the same php.ini settings. i am running fastcgi with apache2.0.59. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/40419 -- Edit this bug report at http://bugs.php.net/?id=40419&edit=1
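Review bot: In the 2007-05-21 hunk (`@@ -961,7 +961,15 @@`), the added `tsrm_realpath()` call runs after the `!strstr(script_path_translated, "..")` guard, so the string stored in `path_translated` and exported as `SCRIPT_FILENAME` is a resolved path that nothing in this hunk has checked. If resolution follows a symlink, the exported value can name a different file than the one the server translated, so either validate `real_path` before using it or add a comment saying why that is acceptable. Separately, `script_path_translated` is reassigned from the return value of `_sapi_cgibin_putenv()` and `real_path` is freed on the very next line; please confirm the returned pointer does not alias `real_path`. The `if ( real_path )` / `{` layout also differs from the brace style of the enclosing `if`.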
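Review bot: In the 2007-05-15 hunk (`@@ -961,7 +961,14 @@`), only `SG(request_info).path_translated` receives the resolved path; the `SCRIPT_FILENAME` environment value is left untouched, so the two can disagree. That matches the 2007-05-18 report in this thread of `SCRIPT_FILENAME => /path/to/test.php/` with the patch applied. The `else` branch also silently falls back to the unresolved string when `tsrm_realpath()` returns NULL; a comment stating when that is expected, or refusing the request in that case, would make the intent clear.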