Re: www-sql cgi prog overrides .htaccess restrictions.

From: Sebastian Andersson (saat_private)
Date: Tue Feb 10 1998 - 02:57:26 PST


    Someone wrote:
    > On 09-Feb-98 Mr LEROY christophe wrote:
    
    > >The problem is that www-sql performs nothing to verify if a user can
    > >access the intended PATH_TRANSLATED file.
    > >
    > This is a common characteristic of other "cgi-wrapper" programs as well,
    > including w3-msql and php.cgi. The latter addresses this by giving one
    > the option to set PATTERN_RESTRICT at compile time (that way it will
    > only load files ending in say ".phtml"), or by compiling as an apache
    > module. I'm not sure about w3-msql because I haven't been following it
    > for quite some time.
    
    > regards, markjr
    
    I use PHP/FI as a cgi program with Apache and Apache's Action
    directive. To stop this bug, I added this to php/fi 2.0b12's main.c
    file (around line 45):
    
    #if PHPFASTCGI
            while(FCGI_Accept() >= 0) {
    #endif
    
    +       s = getenv("REDIRECT_STATUS");
    +       if(!s) {
    +           puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform saat_private of what you just did.\n");
    +           exit(1);
    +       }
    
            s = getenv("PATH_TRANSLATED");
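
Review bot: the refusal branch under `if(!s)` sends only a Content-type header, so a blocked direct request is answered with the default 200 status and a text that presents the denial as an internal error; emitting a `Status: 403 Forbidden` line before the Content-type header would make the refusal visible to clients and in access logs. The same branch calls `exit(1)` inside the `while(FCGI_Accept() >= 0)` loop, so in a PHPFASTCGI build one rejected request ends the whole process instead of just that request. The test also checks only that REDIRECT_STATUS is present, not what it contains, so a short comment stating that the variable is expected only when the server reaches the binary through the Action redirect would document why its absence is treated as fatal.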
    
    
    This prevents the script from being called directly via a URL since
    that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
    the PHP/FI development list, but I never heard anything from them
    (probably because they were going to drop the cgi support).
    
    /Sebastian
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:29 PDT