89159 – PHP as cgi-bin in Apache broken

Bug 89159 - PHP as cgi-bin in Apache broken

Summary: PHP as cgi-bin in Apache broken

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	php
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2003-04-18 18:30 UTC by Miguel Feitosa
Modified:	2007-04-18 16:53 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-10-18 16:37:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Miguel Feitosa 2003-04-18 18:30:46 UTC

Description of problem:

I was using apache 1.3 and php 4.0.5 on rh7.3.
Since I had multiple users on the same instance of apache, for security  PHP was
installed using the cgi-bin interface and suExec.
Albeit slow, this setup is OK for web sites with little use of PHP.
When a certain user had a large amount of PHP usage, he was transferred to his
own instance of apache.
I have been unable to reproduce the above setup in rh8.0

My VirtualHost is configured as follows
<VirtualHost 127.0.0.1 >
  SuexecUserGroup fcwaka cwaka
  ServerAdmin webmaster.br
  DocumentRoot /vmn/web/data/cwaka/html
 <Directory "/vmn/web/data/cwaka/html/">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
 </Directory>
  ServerName *voudemochila.com.br
  ScriptAlias /cgi-bin/ "/vmn/web/data/cwaka/cgi-bin/
  <Directory "/vmn/web/data/cwaka/cgi-bin/">
   AllowOverride None
   Options ExecCGI
   Order allow,deny
   Allow from all
  </Directory>
  AddHandler application/x-httpd-php php
  Action application/x-httpd-php /php
  ScriptAlias /php  /vmn/web/data/cwaka/php-bin/php
  CustomLog /vmn/web/conf/nobody/log/voudemochila.combined_log combined
</VirtualHost>

When I call http://www.voudemochila.com.br/somefile.php my php binary gets
downloaded as a text page... I see all these strange chars and things like
libc.so.3 ....

I checked the web, rh lists and nobody seems to be experiencing this issue.
PHP.net folks say php less than 4.3 is not stable for apache 2.0
On the other hand, my apache instances that have PHP installed as a filter have
not shown any problems.

I have tried many MANY different apache directives all with the same result.

To make sure that the problem was with php and not a general cgi problem in
apache 2.0 I substituted my php binary with the following bash script


#####################
#!/bin/bash

echo "Content-type: text/html"
echo ""
echo "<html> <body>Hi, I have been executed! </body> </html>"

#################

When I call http://www.voudemochila.com.br/somefile.php
with this setup I get the string in the last echo which is correct.

If I call php directly such as http://www.voudemochila.com.br/php
I get a web page saying that php should not be called directly due to security
issues...this is also expected and correct.

Only when Apache internally redirects
http://www.voudemochila.com.br/somefile.php to
http://www.voudemochila.com.br/php/somefile.php 
I get the php bin downloaded in my web page.

Version-Release number of selected component (if applicable):
httpd-2.0.40-8
php-4.2.2-8.0.7
php-pgsql-4.2.2-8.0.7
php-imap-4.2.2-8.0.7
php-mysql-4.2.2-8.0.7
php-ldap-4.2.2-8.0.7


How reproducible:
Always


Steps to Reproduce:
1.Configure Apache to use PHP as a cgi-bin and not as filter
2.Call php directly to check it works - I cgi-redirect security measure should
appear 
3.Call php indirectly by calling a web page such as test.php (<?php phpinfo() ?>)
    
Actual results:
I get php downloaded as a text file . I see alot of strange chars
and things like libc.so ...

Expected results:
I web page generated by php


Additional info:

Comment 1 Bill Nottingham 2006-08-07 19:13:21 UTC

Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.

Comment 2 Bill Nottingham 2006-10-18 16:37:05 UTC

Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.

Note You need to log in before you can comment on or make changes to this bug.