security/cgi-bin.xml
87d3bf2e9ea7da5abbeca3e60ea7cf7abfa6f7f3
...
...
@@ -10,13 +10,14 @@
10
10
Using PHP as a <acronym>CGI</acronym> binary is an option for
11
11
setups that for some reason do not wish to integrate PHP as a
12
12
module into server software (like Apache), or will use PHP with
13
-
different kinds of <acronym>CGI</acronym> wrappers to create safe chroot and setuid
13
+
different kinds of <acronym>CGI</acronym> wrappers to create safe
14
+
<command>chroot</command> and <command>setuid</command>
14
15
environments for scripts. This setup usually involves installing
15
-
executable PHP binary to the web server cgi-bin directory. CERT
16
-
advisory <link xlink:href="&url.cert;">CA-96.11</link> recommends
17
-
against placing any interpreters into cgi-bin. Even if the PHP
18
-
binary can be used as a standalone interpreter, PHP is designed
19
-
to prevent the attacks this setup makes possible:
16
+
executable <command>php</command> binary to the web server <filename class="directory">cgi-bin</filename> directory.
17
+
CERT advisory <link xlink:href="&url.cert;">CA-96.11</link> recommends
18
+
against placing any interpreters into <filename class="directory">cgi-bin</filename>.
19
+
Even if the <command>php</command> binary can be used as a standalone interpreter,
20
+
PHP is designed to prevent the attacks this setup makes possible:
20
21
</simpara>
21
22
<itemizedlist>
22
23
<listitem>
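Review bot: On new line 14, `<command>setuid</command>` marks up something that is not a program the reader runs; in this sentence it names a kind of execution environment, so `<literal>setuid</literal>` (and arguably the same for `chroot`) fits better than `<command>`. New line 16 is being rewritten anyway, so it could also gain the missing article ("installing an executable <command>php</command> binary") and be wrapped to match the width of the surrounding lines.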
...
...
@@ -25,13 +26,13 @@
25
26
role="url">http://my.host/cgi-bin/php?/etc/passwd</filename>
26
27
</simpara>
27
28
<simpara>
28
-
The query information in a URL after the question mark (?) is
29
+
The query information in a URL after the question mark (<literal>?</literal>) is
29
30
passed as command line arguments to the interpreter by the CGI
30
31
interface. Usually interpreters open and execute the file
31
32
specified as the first argument on the command line.
32
33
</simpara>
33
34
<simpara>
34
-
When invoked as a CGI binary, PHP refuses to interpret the
35
+
When invoked as a CGI binary, <command>php</command> refuses to interpret the
35
36
command line arguments.
36
37
</simpara>
37
38
</listitem>
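Review bot: New line 35 leaves "CGI" bare, while the lines touched in the first hunk and the context in the next hunk use `<acronym>CGI</acronym>`. Since the line is already changing, wrap it here, and on context line 30 ("by the CGI interface") as well, so that the acronym markup is uniform across the file.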
...
...
@@ -46,7 +47,7 @@
46
47
conventionally used to specify the name of the file to be
47
48
opened and interpreted by the <acronym>CGI</acronym> program.
48
49
Usually some web server configuration directives (Apache:
49
-
Action) are used to redirect requests to documents like
50
+
<literal>Action</literal>) are used to redirect requests to documents like
50
51
<filename
51
52
role="url">http://my.host/secret/script.php</filename> to the
52
53
PHP interpreter. With this setup, the web server first checks
...
...
@@ -80,13 +81,13 @@
80
81

81
82
<simpara>
82
83
If your server does not have any content that is not restricted
83
-
by password or ip based access control, there is no need for
84
+
by password or IP based access control, there is no need for
84
85
these configuration options. If your web server does not allow
85
86
you to do redirects, or the server does not have a way to
86
87
communicate to the PHP binary that the request is a safely
87
-
redirected request, you can specify the option <link
88
-
linkend="configure.enable-force-cgi-redirect">--enable-force-cgi-redirect</link>
89
-
to the configure script. You still have to make sure your PHP
88
+
redirected request, you can enable the
89
+
<link linkend="ini.cgi.force-redirect">cgi.force_redirect</link>
90
+
ini directive. You still have to make sure your PHP
90
91
scripts do not rely on one or another way of calling the script,
91
92
neither by directly <filename
92
93
role="php">http://my.host/cgi-bin/php/dir/script.php</filename>
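Review bot: New lines 88-90 tell readers whose server cannot do redirects, or cannot signal a safely redirected request, that they "can enable" cgi.force_redirect, yet the later section of this file says that with this directive PHP "will only parse in this mode if it has gone through a web server redirect rule". Please reword so it is clear what the directive does in that situation, and state its default value rather than implying it is off until enabled. Two smaller points: "IP based" on line 84 should be hyphenated, and "ini directive" here differs from "configuration directive", which the later section uses for the same link.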
...
...
@@ -94,8 +95,8 @@
94
95
role="php">http://my.host/dir/script.php</filename>.
95
96
</simpara>
96
97
<simpara>
97
-
Redirection can be configured in Apache by using AddHandler and
98
-
Action directives (see below).
98
+
Redirection can be configured in Apache by using <literal>AddHandler</literal> and
99
+
<literal>Action</literal> directives (see below).
99
100
</simpara>
100
101
</sect1>
101
102

...
...
@@ -104,13 +105,11 @@
104
105
<simpara>
105
106
The configuration directive <link
106
107
linkend="ini.cgi.force-redirect">cgi.force_redirect</link>
107
-
prevents anyone from calling PHP
108
+
prevents anyone from calling <command>php</command>
108
109
directly with a URL like <filename
109
110
role="php">http://my.host/cgi-bin/php/secretdir/script.php</filename>.
110
111
Instead, PHP will only parse in this mode if it has gone through
111
112
a web server redirect rule.
112
-
PHP older than 4.2.0 used <literal>--enable-force-cgi-redirect</literal>
113
-
compile time option for this.
114
113
</simpara>
115
114
<simpara>
116
115
Usually the redirection in the Apache configuration is done with
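Review bot: Old lines 112-113 are dropped without a replacement, and an earlier hunk removes the link to configure.enable-force-cgi-redirect, so nothing in this file now connects cgi.force_redirect to the older build option. Please confirm that no other page still links to that anchor, and say in the commit message that the pre-4.2.0 note is removed on purpose. Also, new line 108 uses `<command>php</command>` while line 111 keeps "PHP will only parse" for the same binary; pick one form within the paragraph.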
...
...
@@ -149,7 +148,8 @@ AddHandler php-script .php
149
148
<simpara>
150
149
Also if the method for making sure the requests are not
151
150
redirected, as described in the previous section, is not
152
-
available, it is necessary to set up a script doc_root that is
151
+
available, it is necessary to set up a
152
+
script <link linkend="ini.doc-root">doc_root</link> that is
153
153
different from web document root.
154
154
</simpara>
155
155
<simpara>
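Review bot: Context lines 149-150 still read "making sure the requests are not redirected", which reads as the opposite of what the previous section describes (requiring that a request has gone through a redirect). Since this paragraph is being reflowed, it is a good moment to fix that wording. On new lines 151-152, doc_root is a `<link>`, while the following paragraphs mark it up as `<parameter>`; that is fine if the link is meant for the first mention only, but worth checking.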
...
...
@@ -166,17 +166,17 @@ AddHandler php-script .php
166
166
</simpara>
167
167
<simpara>
168
168
Another option usable here is <link
169
-
linkend="ini.user-dir">user_dir</link>. When user_dir is unset,
170
-
only thing controlling the opened file name is
169
+
linkend="ini.user-dir">user_dir</link>. When <parameter>user_dir</parameter> is
170
+
unset, only thing controlling the opened file name is
171
171
<parameter>doc_root</parameter>. Opening a URL like <filename
172
172
role="url">http://my.host/~user/doc.php</filename> does not
173
173
result in opening a file under users home directory, but a file
174
174
called <filename role="uri">~user/doc.php</filename> under
175
-
doc_root (yes, a directory name starting with a tilde
175
+
<parameter>doc_root</parameter> (yes, a directory name starting with a tilde
176
176
[<literal>~</literal>]).
177
177
</simpara>
178
178
<simpara>
179
-
If user_dir is set to for example <filename
179
+
If <parameter>user_dir</parameter> is set to for example <filename
180
180
role="dir">public_php</filename>, a request like <filename
181
181
role="url">http://my.host/~user/doc.php</filename> will open a
182
182
file called <filename>doc.php</filename> under the directory
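Review bot: New line 170 keeps "unset, only thing controlling", which needs an article ("the only thing"), and new line 179 keeps "is set to for example", which needs commas around "for example". Both lines are rewritten in this hunk, so the grammar can be fixed in the same change. Context line 173 ("under users home directory") is also missing its apostrophe.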
...
...
@@ -218,9 +218,8 @@ AddHandler php-script .php
218
218
<para>
219
219
To get PHP to handle <envar>PATH_INFO</envar> and
220
220
<envar>PATH_TRANSLATED</envar> information correctly with this
221
-
setup, the PHP parser should be compiled with the <link
222
-
linkend="configure.enable-discard-path">--enable-discard-path</link>
223
-
configure option.
221
+
setup, the <link linkend="ini.cgi.discard-path">cgi.discard_path</link>
222
+
ini directive has to be enabled.
224
223
</para>
225
224
</sect1>
226
225

227
226
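Review bot: New lines 221-222 say the cgi.discard_path "ini directive has to be enabled" without saying where it is set or to what value, which readers coming from the removed configure flag will need. Suggest spelling out the expected php.ini setting, or stating that the linked entry documents the value and default. As in the cgi.force_redirect hunk, "ini directive" should match the "configuration directive" wording used elsewhere in this file.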