Re: www-sql cgi prog overrides .htaccess restrictions.

Zeev Suraski (bourbon@NETVISION.NET.IL)
Thu, 19 Feb 1998 18:20:08 -0500

This is a resend - I don't know if the original message was filtered out or
lost due to the netspace quirks...

At 11:57 10/02/98 +0100, Sebastian Andersson wrote:
>I use PHP/FI as a cgi program with Apache and Apache's Action
>directive. To stop this bug, I added this to php/fi 2.0b12's main.c
>file (around line 45):
>
>#if PHPFASTCGI
> while(FCGI_Accept() >= 0) {
>#endif
>
>+ s = getenv("REDIRECT_STATUS");
>+ if(!s) {
>+ puts("Content-type: text/plain\r\n\r\nPHP/FI detected an
internal error. Please inform sa@hogia.net of what you just did.\n");
>+ exit(1);
>+ }
>
> s = getenv("PATH_TRANSLATED");
>
>
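Review bot: `exit(1)` inside the `#if PHPFASTCGI` / `while(FCGI_Accept() >= 0)` loop terminates the whole worker on the first directly addressed request, so under FastCGI a single unauthenticated hit on the binary's URL takes the persistent process down; the rejection should finish the current request and `continue` the accept loop, exiting only in the plain-CGI build. Two smaller points: the response carries no `Status:` header, so the "internal error" text goes back with 200 OK rather than 403, and the `puts` string literal is broken across two lines by mail wrapping and will not compile as pasted.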
>This prevents the script from being called directly via an URL since
>that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
>the PHP/FI development list, but I never heard anything from them
>(probably because they were going to drop the cgi support).

Hi,

CGI support isn't going away anytime soon. It's supported in the new
version (PHP 3.0) and isn't scheduled to be discontinued.

Note that even with your patch, people on your machine with permissions to
use PHP scripts will still be able to access files with the same
permissions as the user running the web server (or the CGI, if you use
suexec), possibly overriding any apache .htaccess restrictions. However,
you can configure this using safe mode.

In any case, your patch does give some extra security to the CGI version of
PHP when using apache's Action feature, so I added it to the source tree of
PHP 3. Thanks for the suggestion.

Zeev

---
Zeev Suraski  <zeev@php.net>
Web programmer, System administrator, Netvision LTD
http://bourbon.netvision.net.il/   ICQ: 1450980
For a PGP public key, finger bourbon@netvision.net.il
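The gate discussed in this thread, written out as an added example in C (this is not PHP/FI's or PHP 3's own code, and the function names are hypothetical). Apache sets REDIRECT_STATUS in the CGI environment only when it reaches the handler through an internal redirect such as the Action directive, so a request aimed straight at the interpreter's URL arrives without it. The decision is kept in a pure function so it can be exercised without a web server, the rejection carries a 403 status line, and the per-request handler returns instead of calling exit() so a FastCGI accept loop can keep running. Note the limits Zeev raises above still apply: this only stops direct invocation through the web server, since anything that can launch the binary itself (a shell, another server, a user's own script running with the server's privileges) can set REDIRECT_STATUS to whatever it likes.

```c
/* Added example, not PHP/FI code: a CGI/FastCGI entry-point guard that
 * refuses requests which did not arrive through Apache's Action directive.
 * Apache sets REDIRECT_STATUS (with other REDIRECT_* variables) when it
 * internally redirects a request to the handler; a direct hit on the CGI
 * binary's URL does not. Function and enum names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum invoke_result { INVOKE_OK = 0, INVOKE_DIRECT = 1, INVOKE_NO_TARGET = 2 };

/* Pure decision: takes the two environment values as parameters so the
 * logic can be tested without a server. */
enum invoke_result classify_invocation(const char *redirect_status,
                                       const char *path_translated)
{
    if (redirect_status == NULL || *redirect_status == '\0')
        return INVOKE_DIRECT;      /* binary requested by URL, not via Action */
    if (path_translated == NULL || *path_translated == '\0')
        return INVOKE_NO_TARGET;   /* nothing to interpret */
    return INVOKE_OK;
}

/* Emit the rejection with a proper status line. Returns the byte count from
 * fprintf so the caller can carry on (e.g. continue a FastCGI loop). */
int write_rejection(FILE *out, enum invoke_result r)
{
    const char *msg = (r == INVOKE_DIRECT)
        ? "This interpreter may only be invoked through the server's Action handler.\n"
        : "No script to execute.\n";
    return fprintf(out, "Status: 403 Forbidden\r\n"
                        "Content-type: text/plain\r\n\r\n%s", msg);
}

/* One request as a plain-CGI or FastCGI worker would process it. Returns 0
 * when the request was served, otherwise the rejection reason; the caller
 * decides whether to exit (CGI) or loop again (FastCGI). */
int handle_request(FILE *out)
{
    enum invoke_result r = classify_invocation(getenv("REDIRECT_STATUS"),
                                               getenv("PATH_TRANSLATED"));
    if (r != INVOKE_OK) {
        write_rejection(out, r);
        return (int)r;
    }
    /* A real interpreter would open and run PATH_TRANSLATED here. */
    fprintf(out, "Content-type: text/plain\r\n\r\nwould run %s\n",
            getenv("PATH_TRANSLATED"));
    return 0;
}

int main(void)
{
    /* Stand-alone demo with a constructed environment: first a direct hit
     * on the binary, then the same request dispatched through Action. */
    unsetenv("REDIRECT_STATUS");
    setenv("PATH_TRANSLATED", "/var/www/htdocs/index.phtml", 1);
    handle_request(stdout);              /* prints the 403 rejection */
    setenv("REDIRECT_STATUS", "200", 1);
    handle_request(stdout);              /* prints "would run ..." */
    return 0;
}
```

In the FastCGI build the natural shape is `while (FCGI_Accept() >= 0) { handle_request(stdout); }`, which is exactly why the handler returns a code rather than exiting: one rejected request must not cost the whole worker process.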