Skip to content

Commit 7c4412a

Browse files
nielsdosremicollet
nielsdos
authored and
remicollet
committed
Apache only generates REDIRECT_STATUS, so explicitly check for that if the server name is Apache, don't allow other variable names. Furthermore, redirect.so and Netscape no longer exist, so remove those entries as we can't check their server name anymore. We now also check for the configuration override *first* such that it always take precedence. This would allow for a mitigation path if something like this happens in the future. (cherry picked from commit 48808d98f4fc2a05193cdcc1aedd6c66816450f1) (cherry picked from commit 8aa748e) (cherry picked from commit c7308ba) (cherry picked from commit 21e2b0a) (cherry picked from commit 74f1553) (cherry picked from commit 1e522a6) (cherry picked from commit 234a673)
1 parent d371734 commit 7c4412a

File tree

1 file changed

+11
-12
lines changed

1 file changed

+11
-12
lines changed

sapi/cgi/cgi_main.c

Lines changed: 11 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1942,18 +1942,17 @@ int main(int argc, char *argv[])
19421942

19431943
/* check force_cgi after startup, so we have proper output */
19441944
if (cgi && CGIG(force_redirect)) {
1945-
/* Apache will generate REDIRECT_STATUS,
1946-
* Netscape and redirect.so will generate HTTP_REDIRECT_STATUS.
1947-
* redirect.so and installation instructions available from
1948-
* http://www.koehntopp.de/php.
1949-
* -- [email protected]
1950-
*/
1951-
if (!getenv("REDIRECT_STATUS") &&
1952-
!getenv ("HTTP_REDIRECT_STATUS") &&
1953-
/* this is to allow a different env var to be configured
1954-
* in case some server does something different than above */
1955-
(!CGIG(redirect_status_env) || !getenv(CGIG(redirect_status_env)))
1956-
) {
1945+
/* This is to allow a different environment variable to be configured
1946+
* in case the we cannot auto-detect which environment variable to use.
1947+
* Checking this first to allow user overrides in case the environment
1948+
* variable can be set by an untrusted party. */
1949+
const char *redirect_status_env = CGIG(redirect_status_env);
1950+
if (!redirect_status_env) {
1951+
/* Apache will generate REDIRECT_STATUS. */
1952+
redirect_status_env = "REDIRECT_STATUS";
1953+
}
1954+
1955+
if (!getenv(redirect_status_env)) {
19571956
zend_try {
19581957
SG(sapi_headers).http_response_code = 400;
19591958
PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\

0 commit comments

Comments
 (0)