[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 62339] New: proxy-fcgi-pathinfo=unescape breaks PATH_INFO and SCRIPT_NAME


            Bug ID: 62339
           Summary: proxy-fcgi-pathinfo=unescape breaks PATH_INFO and
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: mod_proxy_fcgi
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: mathieu+apache@xxxxxxxxx
  Target Milestone: ---

To get a PATH_INFO environment variable available to PHP-FPM, the doc
http://httpd.apache.org/docs/current/mod/mod_proxy_fcgi.html#env says to add
this line in the conf:

  SetEnvIf REQUEST_URI "^/.*\.php/.*$" proxy-fcgi-pathinfo

It does works for ASCII values in PATH_INFO:
  /phpinfo.php/simple-path_info → PATH_INFO = /simple-path_info

However, for values containing spaces or non-ASCII values, it does urlencode
  "/phpinfo.php/spaced path_info" → PATH_INFO="/spaced%20path_info"
  "/phpinfo.php/é_accent" → PATH_INFO="/%C3%A9_accent"

So, as I need a PATH_INFO unescaped, and still according to the doc, I valued
proxy-fcgi-pathinfo to "unescape":
  SetEnvIf REQUEST_URI "^/.*\.php/.*$" proxy-fcgi-pathinfo=unescape

This does unescape, but it does break strings too:
  "http://example.com/phpinfo.php/spaced path_info"
  → PATH_INFO = hp/spaced path_info
                ^^ Why the last 2 chars of "/phpinfo.php" are here?
  → SCRIPT_NAME = /var/www/html/phpinfo.p
                                        ^^^ It's missing the above "hp".

And it worsen with length of string. It looks like it truncate PATH_INFO by a
number of characters related to those it had to unescape :
  - "/phpinfo.php/a 1z" → PATH_INFO="hp/a 1z" ∕
  - "/phpinfo.php/a 1 2z" → PATH_INFO=".php/a 1 2z" /
  - "/phpinfo.php/a 1 2 3z" → PATH_INFO="fo.php/a 1 2 3z" /
  - "/phpinfo.php/a 1 2 3 4 5z" → PATH_INFO="hpinfo.php/a 1 2 3 4 5z" /

It does of course breaks with accented characters too, not only spaces (%20).

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx