Re: [cgiwrap-users] cgiwrap and PHP
From: Piotr K. <ma...@ma...> - 2005-03-18 07:30:46
On Thu, Mar 17, 2005 at 05:03:00PM +0000, Gary Wilson wrote:
>
> But surely that just disables the security checks which I wanted to keep
> in?

If you look into the PHP source, you will see that the only "security check" you disable by compiling without --force-cgi-redirect is the check for the existence of a redirect environment variable, i.e. REDIRECT_STATUS (Apache) or HTTP_REDIRECT_STATUS (Netscape, redirect.so) or cgi.redirect_status_env from php.ini. This is an alert that php is being run directly as a simple cgi.

In ancient times people thought that php could be placed in /cgi-bin/, and it turned out that this is not safe, because anyone from the web can call /cgi-bin/php/any_file (php used PATH_INFO to look for the script, similar to cgiwrap). That is why there is a check for the redirect variable.

With cgiwrap, php-cgi should not be placed in /cgi-bin/ and should not be available to anyone from the web.

> Is that the only way?

No. You can change the cgiwrap sources to set

    SafePutenv("REDIRECT_STATUS=1","setting REDIRECT_STATUS");

and check if your PHP would accept this. Maybe you would need to set cgi.fix_pathinfo=1 in php.ini.

Another way is to set cgi.force_redirect=0 in php.ini, but this might not work with all php versions.

Best regards,

--
Piotr Klaban
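Added example, not part of the message above and not PHP's or cgiwrap's own source: a simplified C model of the redirect check the message describes, showing that it is only a test for the presence of an environment variable, which a wrapper can satisfy before it executes php-cgi. The function names and the variable name MY_REDIRECT_FLAG are hypothetical.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of the force-redirect decision (not PHP's code).
 * force_redirect: 1 = check enabled, 0 = cgi.force_redirect=0.
 * custom_env:     value of cgi.redirect_status_env, or NULL if unset.
 * Returns 1 if the request would be served, 0 if it would be refused. */
int redirect_check_passes(int force_redirect, const char *custom_env)
{
    if (!force_redirect)
        return 1;                       /* check switched off entirely */
    if (getenv("REDIRECT_STATUS"))      /* set by Apache on a redirect */
        return 1;
    if (getenv("HTTP_REDIRECT_STATUS")) /* Netscape, redirect.so */
        return 1;
    if (custom_env && getenv(custom_env))
        return 1;                       /* admin-chosen variable name */
    return 0;                           /* looks like a direct CGI call */
}

/* Hypothetical stand-in for what a patched wrapper does before exec:
 * it marks the environment so the check above passes. */
int wrapper_mark_redirect(void)
{
    return setenv("REDIRECT_STATUS", "1", 1);
}

/* Remove every variable this example uses, to model a direct call. */
void clear_redirect_env(void)
{
    unsetenv("REDIRECT_STATUS");
    unsetenv("HTTP_REDIRECT_STATUS");
    unsetenv("MY_REDIRECT_FLAG");       /* constructed name */
}

int main(void)
{
    clear_redirect_env();
    printf("direct call, check on : %d\n", redirect_check_passes(1, NULL));
    printf("direct call, check off: %d\n", redirect_check_passes(0, NULL));
    wrapper_mark_redirect();
    printf("via wrapper, check on : %d\n", redirect_check_passes(1, NULL));
    return 0;
}
```

Because the check only looks at the environment, it does not replace keeping php-cgi out of any web-reachable directory.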