Public bug reported:

Binary package hint: libapache2-mod-php5

To reproduce:

Put a phpinfo.php with the following contents in the server www root:
<?php header("Content-Type: text/html; charset=iso-8859-1"); phpinfo(); ?>

The location of the PHP script must have Apache setting "AcceptPathInfo
On", but if I've understood correctly, this is the default
configuration.

Open location http://localhost/phpinfo.php/123/456//789/0
(notice the double slash between "456" and "789").

Look for "SCRIPT_NAME".
Expected value: "/phpinfo.php"
Actual value: "/phpinfo.php/123/456"

Look for "PATH_INFO".
Expected value: "/123/456//789/0"
Actual value: "/123/456/789/0" (no double slash)

At least the SCRIPT_NAME issue should be fixed. PATH_INFO issue could be
side-stepped by parsing REQUEST_URI in PHP code but SCRIPT_NAME has no
suitable, correctly functioning replacement (I think that I have to use
a hardcoded value instead of simply trusting SCRIPT_NAME because of this
issue).

Note that if I insert any character (but a slash) between the double
slashes, these variables contain correct values again. For example
http://localhost/phpinfo.php/123/456/x/789/0

$ cat /etc/issue.net
Ubuntu 6.06.1 LTS
$ dpkg --status libapache2-mod-php5 | grep Version
Version: 5.1.2-1ubuntu3.8

I haven't checked if this problem exists in official PHP releases.
I cannot think of a situation where this bug causes a security problem.

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
libapache2-mod-php5: SCRIPT_NAME and PATH_INFO are incorrect if path info 
contains double slash
https://bugs.launchpad.net/bugs/123758
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
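
The workaround the report mentions (parse REQUEST_URI and hardcode the script path instead of trusting SCRIPT_NAME), as an added example that is not part of the original report. SCRIPT_PATH, split_request_uri() and the $server sample array are names chosen here; the sample values are the ones quoted in the report.

```php
<?php
// Added example, not code from the bug report.
// Hardcoded script path (assumed from the URL used in the report).
define('SCRIPT_PATH', '/phpinfo.php');

// Split a raw request URI into array(script name, path info), keeping
// repeated slashes exactly as the client sent them.
// Returns null when the URI does not address $scriptPath.
function split_request_uri($requestUri, $scriptPath)
{
    // REQUEST_URI carries the query string; PATH_INFO does not.
    $parts = explode('?', $requestUri, 2);
    // PATH_INFO normally arrives percent-decoded, so decode here too
    // (rawurldecode leaves "+" untouched, unlike urldecode).
    $path = rawurldecode($parts[0]);

    if ($path === $scriptPath) {
        return array($scriptPath, '');
    }
    // Require a "/" right after the script path so that a longer
    // file name with the same prefix is not mistaken for this script.
    $prefix = $scriptPath . '/';
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return array($scriptPath, substr($path, strlen($scriptPath)));
}

// Constructed sample: the request and the "actual" values from the report.
// In a real script, read these from $_SERVER instead.
$server = array(
    'REQUEST_URI' => '/phpinfo.php/123/456//789/0',
    'SCRIPT_NAME' => '/phpinfo.php/123/456',
    'PATH_INFO'   => '/123/456/789/0',
);

$derived = split_request_uri($server['REQUEST_URI'], SCRIPT_PATH);
if ($derived === null) {
    echo "request does not address " . SCRIPT_PATH . "\n";
} else {
    list($scriptName, $pathInfo) = $derived;
    echo "SCRIPT_NAME from REQUEST_URI: $scriptName\n";
    echo "PATH_INFO from REQUEST_URI:   $pathInfo\n";
    // Flag requests where the server-supplied values disagree.
    if ($scriptName !== $server['SCRIPT_NAME'] || $pathInfo !== $server['PATH_INFO']) {
        echo "server-supplied SCRIPT_NAME/PATH_INFO differ from REQUEST_URI\n";
    }
}
```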
