PHP - script filename may incorrectly contain query parameters

[dward]

If a query string contains something that looks like a pathinfo string, nginx unit will incorrectly attempt to load the wrong php file.

The issue is triggered when the string ".php" followed by a "/" is found in the query string.
Example: http://foo.bar/test.php?blah=test.php/foo

The following is a test case that triggers the issue in master. As far as I can tell, this bug exists back to at least 1.25.0.

from unit.applications.lang.php import TestApplicationPHP
from unit.option import option


class TestPHPParseConfusion(TestApplicationPHP):
    prerequisites = {'modules': {'php': 'any'}}

    def test_php_parse_confusion(self):
        assert 'success' in self.conf(
            {
                "listeners": {"*:7080": {"pass": "routes"}},
                "routes": [
                    {
                        "action": {"pass": "applications/targets/default"}
                    }
                ],
                "applications": {
                    "targets": {
                        "type": self.get_application_type(),
                        "processes": {"spare": 0},
                        "targets": {
                            "default": {
                                "root": option.test_dir + "/php/targets/",
                            }
                        }
                    }
                }
            }
        )
        assert self.get(url='/1.php?test=test.php/')['body'] == '1'

Output:

E       AssertionError: assert '<br />\n<b>W...0</b><br />\n' == '1'
E         + 1
E         - <br />
E         - <b>Warning</b>:  Unknown: Failed to open stream: No such file or directory in <b>Unknown</b> on line <b>0</b><br />
E         - <br />
E         - <b>Fatal error</b>:  Failed opening required '/home/dward/unit/test/php/targets/1.php?test=test.php' (include_path='.:/usr/local/lib/php:/usr/local/share/php') in <b>Unknown</b> on line <b>0</b><br **/>**

[tippexs]

Yes was able to reproduce. This is indeed a bug! Thanks for reporting this to us. @ac000 will check in with you on slack about it.

[ac000]

Hi @dward

Care to give this patch a quick spin?

diff --git a/src/nxt_php_sapi.c b/src/nxt_php_sapi.c
index 924dd4e6..a913240e 100644
--- a/src/nxt_php_sapi.c
+++ b/src/nxt_php_sapi.c
@@ -1025,7 +1025,8 @@ nxt_php_dynamic_request(nxt_php_run_ctx_t *ctx, nxt_unit_request_t *r)
 
     nxt_str_null(&script_name);
 
-    ctx->path_info.start = (u_char *) strstr((char *) path.start, ".php/");
+    ctx->path_info.start = (u_char *) memmem(path.start, path.length, ".php/",
+                                             strlen(".php/"));
     if (ctx->path_info.start != NULL) {
         ctx->path_info.start += 4;
         path.length = ctx->path_info.start - path.start;

[dward]

@ac000 - That fixes it.

Thanks for the super fast fix!

[ac000]

Great, thanks for testing!

[ac000]

@dward

Can I incorporate your test case into our test suite?

[dward]

@ac000
feel free! thanks

[ac000]

This fix has been merged.