Don't assume URIs with dots as static (#61286). #3215

Closed
15 changes: 8 additions & 7 deletions sapi/cli/php_cli_server.c
Expand Up @@ -1373,7 +1373,7 @@ static void php_cli_server_request_translate_vpath(php_cli_server_request *reque
char *buf = safe_pemalloc(1, request->vpath_len, 1 + document_root_len + 1 + sizeof("index.html"), 1);
char *p = buf, *prev_path = NULL, *q, *vpath;
size_t prev_path_len = 0;
int is_static_file = 0;
int is_php = 0;

if (!buf) {
return;
Expand All @@ -1385,11 +1385,12 @@ static void php_cli_server_request_translate_vpath(php_cli_server_request *reque
if (request->vpath_len > 0 && request->vpath[0] != '/') {
*p++ = DEFAULT_SLASH;
}
q = request->vpath + request->vpath_len;
while (q > request->vpath) {
if (*q-- == '.') {
is_static_file = 1;
break;
q = request->vpath;
Contributor

This part does not look quite correct. For example, how would /hello.php/world.php be handled? Iterating backwards seems to make more sense. Also, some backward compatibility might be broken.

Author

The code before my patch would raise a 404 unless a file corresponding to the path /hello.php/world.php is not present, because the path contains a dot.

We can choose to make the recursive search for a router script for ANY file that does not exist, and I agree with this idea. I was only trying to be as little disruptive as possible to the previous behaviour.

As far as backward compatibility is concerned: the built-in server is only used for development purposes and must not be used in production.

This new implementation serves all the files that the old one did, but it also serves other paths that would otherwise have got a 404 status.

As an example, Drupal 8 now works, while before it did not.

{
if (q) {
char *dot = strrchr(q, '.');
if (dot && !strcmp(dot, ".php"))
Contributor

strlen(dot) could be less than 4.

Author

In that case the file does not have a ".php" extension. What's the problem?

Contributor

If both are \0 terminated, I meant. Should be, actually, so perhaps no worries.

Thanks.

is_php = 1;
}
}
memmove(p, request->vpath, request->vpath_len);
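
Review bot: `strrchr(q, '.')` followed by `strcmp(dot, ".php")` treats `request->vpath` as a NUL-terminated string, while the `memmove` just below and the allocation at the top of the function work from `request->vpath_len`; compare by length instead (check `vpath_len >= 4` and `memcmp` the last four bytes against ".php") so the result does not depend on termination. The comparison is also case-sensitive, so a request ending in `.PHP` will not set `is_php`; if that is intended, say so in a comment, otherwise use a case-insensitive compare.
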
Expand Down Expand Up @@ -1420,7 +1421,7 @@ static void php_cli_server_request_translate_vpath(php_cli_server_request *reque
}
file++;
}
if (!*file || is_static_file) {
if (!*file || is_php) {
if (prev_path) {
pefree(prev_path, 1);
}
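
Review bot: `if (!*file || is_php)` now keys on a narrower flag than the `is_static_file` it replaces (only a trailing `.php`, not any dot), and nothing at this line says which requests are meant to take the branch. Add a one-line comment here stating the rule, so the next reader does not have to reconstruct it from the tests.
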
66 changes: 66 additions & 0 deletions sapi/cli/tests/bug61286.phpt
@@ -0,0 +1,66 @@
--TEST--
PATH_INFO (relevant to #60112)
--DESCRIPTION--
After this fix(#60112), previously 404 request like "localhost/foo/bar"
now could serve correctly with request_uri "index.php" and PATH_INFO "/foo/bar/"
--SKIPIF--
<?php
include "skipif.inc";
?>
--FILE--
<?php
include "php_cli_server.inc";
php_cli_server_start('var_dump($_SERVER["PATH_INFO"]);', null);

list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
$port = intval($port)?:80;

$fp = fsockopen($host, $port, $errno, $errstr, 0.5);
if (!$fp) {
die("connect failed");
}

if(fwrite($fp, <<<HEADER
GET /foo/bar.anyext HTTP/1.1
Host: {$host}


HEADER
)) {
while (!feof($fp)) {
echo fgets($fp);
}
}

fclose($fp);

$fp = fsockopen($host, $port, $errno, $errstr, 0.5);
if (!$fp) {
die("connect failed");
}

if(fwrite($fp, <<<HEADER
GET /foo/bar.php HTTP/1.1
Host: {$host}


HEADER
)) {
while (!feof($fp)) {
echo fgets($fp);
break;
}
}

fclose($fp);
?>
--EXPECTF--
HTTP/1.1 200 OK
Host: %s
Date: %s
Connection: close
X-Powered-By: PHP/%s
Content-type: text/html; charset=UTF-8

string(15) "/foo/bar.anyext"
HTTP/1.1 404 Not Found
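
Review bot: the `--TEST--` title and `--DESCRIPTION--` still refer to #60112 and to a request for "localhost/foo/bar" with PATH_INFO "/foo/bar/", but this file requests `/foo/bar.anyext` and `/foo/bar.php`; reword both for bug #61286 and state what is expected for each request (200 with PATH_INFO `/foo/bar.anyext`, 404 for the `.php` path). The second read loop stops after one `fgets`, so only the status line of the `.php` response is checked; a short comment saying that is deliberate would help.
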
10 changes: 8 additions & 2 deletions sapi/cli/tests/php_cli_server_009.phpt
Expand Up @@ -69,7 +69,6 @@ HEADER
)) {
while (!feof($fp)) {
echo fgets($fp);
break;
}
}

Expand All @@ -92,4 +91,11 @@ X-Powered-By: PHP/%s
Content-type: text/html; charset=UTF-8

string(9) "/foo/bar/"
HTTP/1.0 404 Not Found
HTTP/1.0 200 OK
Host: %s
Date: %s
Connection: close
X-Powered-By: PHP/%s
Content-type: text/html; charset=UTF-8

string(11) "/foo/bar.js"
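
Review bot: the expected output for `/foo/bar.js` changes from `HTTP/1.0 404 Not Found` to a 200 whose body is `string(11) "/foo/bar.js"`, so a request for a missing dotted file is now answered by the script with that path as PATH_INFO, and nothing in the patch documents this user-visible change. Add a NEWS/UPGRADING line, since an application that relied on the server returning 404 for missing assets will now see the script's output with status 200.
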
4 changes: 2 additions & 2 deletions sapi/cli/tests/php_cli_server_016.phpt
Expand Up @@ -42,5 +42,5 @@ HEADER

fclose($fp);
?>
--EXPECTF--
HTTP/1.1 404 Not Found
--EXPECT--
HTTP/1.1 200 OK
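
Review bot: with `--EXPECT--` reduced to `HTTP/1.1 200 OK`, this test only pins the status line and would pass whichever script produced the response; consider also matching a line of the body so the test shows what handled the request. If the `--TEST--` title of this file describes a 404, it needs updating too.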