FPM with httpd ProxyPass does not decode script path #17645

Open
bukka opened this issue Jan 30, 2025 · 1 comment · May be fixed by #17896

@bukka
Member

bukka commented Jan 30, 2025

Description

This makes ProxyPass and ProxyPassMatch inconsistent with SetHandler as well as the usual nginx setup, where the script path is decoded.

If space file.php is:

<?php
echo 1;

Then curl 'http://localhost:8521/space%20file.php' results in a 404. This is because the path is not decoded like it is for other setups.

This is kind of a known issue, but the inconsistency wasn't considered before, and it really doesn't make much sense not to decode; it really seems like a bug for users. To be super safe we could consider a fallback to the decoded path, but it seems quite unlikely that anyone would rely on this.

It seems to me that people really use SetHandler more, so a similar issue there has been reported. For ProxyPass, I guess that its users probably just use normal file paths without special characters.

PHP Version

PHP 8.3+

Operating System

Linux

@bukka
Member Author

bukka commented Feb 8, 2025

I have just been looking into this more, and it's slightly risky: if anyone really has files saved in an encoded way, then it might be tricky to keep it that way. I think it might be best to do this only in master and add a note to UPGRADING for this, so I will change this to a feature.

@bukka bukka added Feature and removed Bug labels Feb 8, 2025
bukka added a commit to bukka/php-src that referenced this issue Feb 22, 2025
This always decodes SCRIPT_FILENAME when Apache ProxyPass or
ProxyPassMatch is used. It also introduces a new INI option
fastcgi.script_path_encoded that allows using the previous behavior of
not decoding, as there is a chance that some users could use encoded
file paths in the FS.
bukka added a commit to bukka/php-src that referenced this issue Mar 2, 2025
This change makes FPM always decode SCRIPT_FILENAME when Apache
ProxyPass or ProxyPassMatch is used. It also introduces a new INI
option fastcgi.script_path_encoded that allows using the previous
behavior of not decoding the path. The INI is introduced because
there is a chance that some users could use encoded file paths in
their file system as a workaround for the previous behavior.

Close phpGH-17896
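
A pre-upgrade check for the risk raised in this thread, added here as an example that is not part of the issue or of php-src: it lists scripts under a document root whose stored path changes under percent-decoding, and whether the decoded name also exists. The function names and the sample tree are constructed, and Python's `urllib.parse.unquote` stands in for FPM's decoding as an assumption.

```python
import os
import tempfile
from urllib.parse import unquote


def find_encoded_scripts(docroot, suffix=".php"):
    """Return (stored, decoded, decoded_exists) for scripts whose path changes when decoded."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not name.endswith(suffix):
                continue
            stored = os.path.relpath(os.path.join(dirpath, name), docroot)
            decoded = unquote(stored)  # assumption: approximates the decoding FPM applies
            if decoded == stored:
                continue  # no valid percent escapes: same file with or without decoding
            # When the decoded path also exists, a decoding FPM resolves to that file instead.
            decoded_exists = os.path.isfile(os.path.join(docroot, decoded))
            findings.append((stored, decoded, decoded_exists))
    return sorted(findings)


def demo():
    """Constructed sample tree: a plain name, an encoded-only name and a colliding pair."""
    names = ("index.php", "space file.php", "space%20file.php", "report%2D2024.php")
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php echo 1;\n")
        return find_encoded_scripts(root)


if __name__ == "__main__":
    for stored, decoded, exists in demo():
        note = "decoded name also exists" if exists else "only the encoded name exists"
        print(f"{stored!r} -> {decoded!r}: {note}")
```

Entries where only the encoded name exists are the deployments the thread expects to need fastcgi.script_path_encoded or a rename before upgrading.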