Edit report at http://bugs.php.net/bug.php?id=51983&edit=1
ID: 51983
Comment by: slim at inbox dot lv
Reported by: konstantin at symbi dot org
Summary: [fpm sapi] pm.status_path not working when cgi.fix_pathinfo=1
Status: Assigned
Type: Bug
Package: FPM related
Operating System: Any
PHP Version: 5.3SVN-2010-06-03 (snap)
Assigned To: fat
Block user comment: N
Private report: N
New Comment:
After applying the patch, PHP compiled with debug complains on every request:

Feb 01 14:26:38.214800 [WARNING] [pool www] child 16257 said into stderr: "[Tue Feb 1 14:26:38 2011] Script: '-'"
Feb 01 14:26:38.214846 [WARNING] [pool www] child 16257 said into stderr: "/var/tmp/portage/dev-lang/php-5.3.5-r100/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c(1116) : Freeing 0x08B95CBC (23 bytes), script=-"
Feb 01 14:26:38.214857 [WARNING] [pool www] child 16257 said into stderr: "=== Total 1 memory leaks detected ==="
Feb 01 14:26:40.535416 [WARNING] [pool www] child 16258 said into stderr: "[Tue Feb 1 14:26:40 2011] Script: '-'"
Feb 01 14:26:40.535466 [WARNING] [pool www] child 16258 said into stderr: "/var/tmp/portage/dev-lang/php-5.3.5-r100/work/sapis-build/fpm/sapi/fpm/fpm/fpm_main.c(1116) : Freeing 0x08B95EA4 (23 bytes), script=-"
Feb 01 14:26:40.535477 [WARNING] [pool www] child 16258 said into stderr: "=== Total 1 memory leaks detected ==="

The line at fpm_main.c(1116) causing this is:

SG(request_info).request_uri = request_uri ? estrndup(request_uri, strcspn(request_uri, "?")) : NULL;

Previous Comments:
------------------------------------------------------------------------
[2010-08-04 17:07:20] konstantin at symbi dot org
btw, current fix_pathinfo implementation has security problems:
http://habrahabr.ru/blogs/sysadm/100961/
http://www.80sec.com/nginx-securit.html
If a site has uploads (say, images), one can upload an image containing
executable php code and append /something.php to the image url (say,
/uploads/1.jpg/test.php). When fix_pathinfo=1, init_request_info would
use /uploads/1.jpg as a script filename.
The suggested patch fixes this, too.
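
The path resolution described in the comment above, as an added example that is not part of the original report or of PHP's source: a simplified C model of the fix_pathinfo=1 walk, beside a hypothetical extension check on the resolved script. The docroot paths, function names and in-memory file list are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample docroot: the only files that "exist" on disk. */
static const char *DISK[] = { "/var/www/index.php", "/var/www/uploads/1.jpg" };

static int file_exists(const char *p) {
    for (size_t i = 0; i < sizeof DISK / sizeof DISK[0]; i++)
        if (strcmp(DISK[i], p) == 0) return 1;
    return 0;
}

/* Simplified model of the fix_pathinfo=1 walk: cut trailing path components
 * until a file is found. Writes the script into out; returns the number of
 * components treated as PATH_INFO, or -1 if nothing resolves. */
int resolve_script(const char *requested, char *out, size_t outlen) {
    int trimmed = 0;
    if (strlen(requested) >= outlen) return -1;
    strcpy(out, requested);
    while (!file_exists(out)) {
        char *slash = strrchr(out, '/');
        if (slash == NULL || slash == out) return -1;
        *slash = '\0';            /* drop the last component and retry */
        trimmed++;
    }
    return trimmed;
}

/* Hypothetical hardening check (an assumption, not PHP's code): execute a
 * resolved script only if its name ends in ".php", whatever the URL said. */
int safe_to_execute(const char *requested) {
    char script[256];
    size_t n;
    if (resolve_script(requested, script, sizeof script) < 0) return 0;
    n = strlen(script);
    return n > 4 && strcmp(script + n - 4, ".php") == 0;
}

int main(void) {
    const char *reqs[] = { "/var/www/uploads/1.jpg/test.php",
                           "/var/www/index.php/extra/info" };
    for (int i = 0; i < 2; i++) {
        char script[256];
        int t = resolve_script(reqs[i], script, sizeof script);
        printf("%s -> %s (trimmed %d, execute=%d)\n", reqs[i],
               t < 0 ? "(none)" : script, t, safe_to_execute(reqs[i]));
    }
    return 0;
}
```

The first request resolves to the uploaded image and is refused by the check; the second is legitimate PATH_INFO on a real PHP script and passes.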
------------------------------------------------------------------------
[2010-06-09 16:15:57] [email protected]
I mentioned all the web servers to make sure we agree on doing this.
I totally agree on making this change. This pathinfo thing sucks for
real.
------------------------------------------------------------------------
[2010-06-09 15:59:48] [email protected]
Jerome, I agree that we should drop this fix_pathinfo stuff - it makes
no sense to adopt all the freaky things from CGI API.
The patch requires some extensive testing, though, that's clear. But I
don't think we should keep in mind all the web servers you
mentioned.
Apache, nginx & lightty are my biggest concern, others can be safely
dropped (or assumed working).
You can forget about IIS anyway, FPM doesn't support Windows.
------------------------------------------------------------------------
[2010-06-04 09:07:10] konstantin at symbi dot org
And of course I never said we should do anything with the CGI/FCGI sapi.
I am sure its implementation must not be changed 'cause it was tested
with many webservers over the years. I am speaking only about FPM sapi,
which is much more specific.
------------------------------------------------------------------------
[2010-06-04 09:04:54] konstantin at symbi dot org
FPM sapi implements remote fastcgi only (also known as "external
FastCGI").
So it is limited to web servers which support it.
I have tested Nginx, Lighttpd, and Apache mod_fastcgi.
For the other webservers listed, which of them support remote fastcgi?
At least I am sure that IIS does not (even with its latest fastcgi
implementations, I've asked this question on IIS FastCGI forums). As far
as I know, thttpd does not, either.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=51983