Someone wrote:
> On 09-Feb-98 Mr LEROY christophe wrote:
> >The problem is that www-sql performs nothing to verify if a user can
> >access the intended PATH_TRANSLATED file.
> >
>
> This is a common characteristic of other "cgi-wrapper" programs as well,
> including w3-msql and php.cgi. The latter addresses this by giving one
> the option to set PATTERN_RESTRICT at compile time (that way it will
> only load files ending in say ".phtml"), or by compiling as an apache
> module. I'm not sure about w3-msql because I haven't been following it
> for quite some time.
> regards, markjr

I use PHP/FI as a cgi program with Apache and Apache's Action directive. To stop this bug, I added this to php/fi 2.0b12's main.c file (around line 45):

#if PHPFASTCGI while(FCGI_Accept() >= 0) { #endif + s = getenv("REDIRECT_STATUS"); + if(!s) { + puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform saat_private of what you just did.\n"); + exit(1); + } s = getenv("PATH_TRANSLATED");

This prevents the script from being called directly via an URL since that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to the PHP/FI development list, but I never heard anything from them (probably because they were going to drop the cgi support).

/Sebastian
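
Review bot: The added check tests only that REDIRECT_STATUS is set, and on failure it calls exit(1) inside the while(FCGI_Accept() >= 0) loop, so in a PHPFASTCGI build a single direct request ends the whole FastCGI process rather than just that request. Consider refusing the request and continuing the loop in that build, and sending an explicit "Status: 403" header with the message, since the response as written carries only Content-type and will be returned as a success. The text "internal error" also describes a refused request inaccurately, and a comment beside getenv("REDIRECT_STATUS") should say that the variable is expected to come from the server's internal redirect, because nothing in the code explains why its absence is fatal.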
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:29 PDT