Re: www-sql cgi prog overrides .htaccess restrictions.

[sa () HOGIA NET (Sebastian Andersson)]

Someone wrote:
> On 09-Feb-98 Mr LEROY christophe wrote:

> > The problem is that www-sql performs nothing to verify if a user can
> > access the intended PATH_TRANSLATED file.
> This is a common characteristic of other "cgi-wrapper" programs as well,
> including w3-msql and php.cgi. The latter addresses this by giving one
> the option to set PATTERN_RESTRICT at compile time (that way it will
> only load files ending in say ".phtml"), or by compiling as an apache
> module. I'm not sure about w3-msql because I haven't been following it
> for quite some time.

> regards, markjr

I use PHP/FI as a cgi program with Apache and Apache's Action
directive. To stop this bug, I added this to php/fi 2.0b12's main.c
file (around line 45):

#if PHPFASTCGI
        while(FCGI_Accept() >= 0) {
#endif

+       s = getenv("REDIRECT_STATUS");
+       if(!s) {
+           puts("Content-type: text/plain\r\n\r\nPHP/FI detected an internal error. Please inform sa () hogia net of 
what you just did.\n");
+           exit(1);
+       }

        s = getenv("PATH_TRANSLATED");


This prevents the script from being called directly via an URL since
that wouldn't set the REDIRECT_STATUS variable. I believe I sent this to
the PHP/FI development list, but I never heard anything from them
(probably because they were going to drop the cgi support).

/Sebastian