This is a resend - I don't know if the original message was filtered out or lost due to the netspace quirks...

At 11:57 10/02/98 +0100, Sebastian Andersson wrote:
>I use PHP/FI as a cgi program with Apache and Apache's Action
>directive. To stop this bug, I added this to php/fi 2.0b12's main.c
>file (around line 45):
>
>#if PHPFASTCGI
> while(FCGI_Accept() >= 0) {
>#endif
>
>+ s = getenv("REDIRECT_STATUS");
>+ if(!s) {
>+ puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform saat_private of what you just did.\n");
>+ exit(1);
>+ }
>
> s = getenv("PATH_TRANSLATED");
>
>
>This prevents the script from being called directly via an URL since
>that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
>the PHP/FI development list, but I never heard anything from them
>(probably because they were going to drop the cgi support).

Hi,

CGI support isn't going away anytime soon. It's supported in the new version (PHP 3.0) and isn't scheduled to be discontinued.

Note that even with your patch, people on your machine with permissions to use PHP scripts will still be able to access files with the same permissions as the user running the web server (or the CGI, if you use suexec), possibly overriding any apache .htaccess restrictions. However, you can configure this using safe mode.

In any case, your patch does give some extra security to the CGI version of PHP when using apache's Action feature, so I added it to the source tree of PHP 3. Thanks for the suggestion.

Zeev

---
Zeev Suraski <zeevat_private>
Web programmer, System administrator, Netvision LTD
http://bourbon.netvision.net.il/ ICQ: 1450980
For a PGP public key, finger bourbonat_private
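Review bot: the `if(!s)` branch in the quoted main.c change answers a direct request with only a `Content-type` header, so the web server will deliver the refusal as a normal 200 response; emitting a `Status:` header with a 403 or 404 code before the blank line would let access logs and monitoring distinguish blocked direct hits from ordinary pages. On the same block: when PHPFASTCGI is defined the check sits inside the `FCGI_Accept()` loop, so `exit(1)` ends the whole worker process instead of finishing just the current request. The test is also unconditional, so the binary refuses to run wherever REDIRECT_STATUS is absent (command-line use, or a server that does not go through Apache's Action redirect), which argues for a build-time or configuration switch around it. A short comment stating that the check relies on Apache setting REDIRECT_STATUS on internal redirects would make the intent clear to the next reader.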