php scripts and triple slashes
Trying to find info about this, but searching for '///' or for 'tripple
slash' doesn't provide relevant answers. Can anyone please point me in the
right direction?
A simple script, called debug.php, shows some variables. I can call this
script using http://server/debug/show.php or using http://server/debug/show
Also I can add more to the URL, and the script is still called. So far so
good.
_SERVER["REQUEST_URI"]=/debug/show/a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php
_SERVER["REQUEST_URI"]=/debug/show//a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php
The problem starts when adding three or more slashes:
_SERVER["REQUEST_URI"]=/debug/show///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show/show.php
See how script_name suddenly has an extra '/show' in it?
This doesn't happen when I use the full script name:
_SERVER["REQUEST_URI"]=/debug/show.php///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php/
Is this a bug, or is this expected behaviour?
I also see a problem with PHP_SELF on one machine but not on another:
_SERVER["REQUEST_URI"]=/debug/show.php
_SERVER["PHP_SELF"]=/debug/show.php
_SERVER["REQUEST_URI"]=/debug/show.php/
_SERVER["PHP_SELF"]=/
Please point me in the right direction; currently I have no idea if I have
to look at apache's configuration, PHP, or if this is expected behaviour
(and, if so, why).
TIA

re: php scripts and triple slashes
Hi,
I bet you are using mod_rewrite for apache.
Have a look at the rewrite rules and conditions in your apache config.
Post it here if you are in doubt. Or better here: alt.apache.configuration
Good luck.
Regards,
Erwin Moller
--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================

re: php scripts and triple slashes
"Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:48e0cabf$0$185$e4fe514c@news.xs4all.nl...
> I bet you are using mod_rewrite for apache.
> Have a look at the rewrite rules and conditions in your apache config.
> Post it here if you are in doubt. Or better here: alt.apache.configuration

Thanks but no.
One machine is the provider's. I cannot look there.
The other one is my home box, this one doesn't do rewriting AFAICT. Just to
be sure: I placed RewriteLogLevel 2 and RewriteLog logs/rewrite in the
config and that log stays empty.
Then I commented everything having to do with rewriting out, and restarted
apache. Before and after the following happens on my machine:
_SERVER["REQUEST_URI"]=/debug/one/two///three/four
_SERVER["SCRIPT_NAME"]=/debug/one/two/debug.php
_SERVER["PHP_SELF"]=/debug/one/two/debug.php/one/two/three/four

re: php scripts and triple slashes
"Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:48e0d358$0$182$e4fe514c@news.xs4all.nl...
> Hi Stranger,
>
> And what URL are you feeding exactly that gives the above result?

http://hostname/debug/one/two///three/four
in other words: http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

> And secondly: What is it exactly you are trying to achieve?
> Do you have an actual problem or is this just research?

I'm writing a script which is going to be used to find files in a directory
structure. That script looks like a subdirectory in the normal tree.
E.g. http://servername/content/a/b/c/d will look at
/home/user/private_html/a/b/c/d
While testing my script with various different problems ('never trust user
input') I found the problem I'm trying to tackle.
I was using _SERVER["SCRIPT_NAME"] but obviously I run into trouble if I
can't rely on its contents.
The only workaround I've found so far is to
redirect(ereg_replace('///*','/',$_SERVER["REQUEST_URI"])) in case I find
two slashes in a row in request_uri. Not a nice solution but it seems to do
the job.

> PS: Please 'mijn naam', use a (real) name, that makes conversations in
> here a bit more pleasant. ;-)

Just call me 'Mijn'. No problem.

re: php scripts and triple slashes
Hi Mijn,

OK, that makes sense then for $_SERVER["REQUEST_URI"].
I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.
Your url: http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script without
mod_rewrite???
Are you sure you are telling the whole story?

>> And secondly: What is it exactly you are trying to achieve?
>> Do you have an actual problem or is this just research?
>
> I'm writing a script which is going to be used to find files in a
> directory structure. That script looks like a subdirectory in the normal
> tree.
>
> E.g. http://servername/content/a/b/c/d will look at
> /home/user/private_html/a/b/c/d
>
> While testing my script with various different problems ('never trust
> user input') I found the problem I'm trying to tackle.
>
> I was using _SERVER["SCRIPT_NAME"] but obviously I run into trouble if I
> can't rely on its contents.
>
> The only workaround I've found so far is to
> redirect(ereg_replace('///*','/',$_SERVER["REQUEST_URI"])) in case I
> find two slashes in a row in request_uri. Not a nice solution but it
> seems to do the job.

What about simply dismissing a request that has more than one / in the URL?
That must be an invalid request, since (I expect) you deliver the
directory links yourself, and thus correctly formatted.

>> PS: Please 'mijn naam', use a (real) name, that makes conversations in
>> here a bit more pleasant. ;-)
>
> Just call me 'Mijn'. No problem.

Fine I will call you Mijn.
It just feels a little too intimate since I am Dutch too. ;-)

Regards,
Erwin Moller

re: php scripts and triple slashes
"Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:48e0ebcb$0$187$e4fe514c@news.xs4all.nl...
> OK, that makes sense then for $_SERVER["REQUEST_URI"].
>
> I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
> /debug/one/two/debug.php/one/two/three/four
> for that URL if you don't play with mod_rewrite.

I'm sure I disabled mod_rewrite. At the server restart, apache complained
"Invalid command 'RewriteLog', perhaps mis-spelled or defined by a module
not included in the server configuration" (I forgot to remove one such
line at first).

the php script is debug.php ...

> Are you sure you are telling the whole story?

... and apache is set up with options MultiViews. I didn't hide that on
purpose.

> What about simply dismissing a request that has more than one / in the
> URL?
> That must be an invalid request, since (I expect) you deliver the
> directory links yourself, and thus correctly formatted.

That would also be an option. However: nobody's perfect, a mistake is easily
made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a slash, dir
starts or ends with a slash, dir is empty, and so on. Apache couldn't care
less and will happily serve .///something/different.html

re: php scripts and triple slashes
Note that two slashes, as in http:// is part of the protocol.
If I serve http://some_domain.com//some_path, this will look like http://some_domain.com/http://somepath, or something like that..
I've stayed out of this thread because I'm hazy on this, but you
should be aware that serving two slashes will be interpreted differently
than what you want, it is not a directory separator.
Jeff

re: php scripts and triple slashes
"Jeff" <jeff@spam_me_not.com> wrote in message news:4p6dnVj8d98da33VnZ2dnUVZ_q7inZ2d@earthlink.com...
> Note that two slashes, as in http:// is part of the protocol.
>
> If I serve http://some_domain.com//some_path, this will look like http://some_domain.com/http://somepath, or something like that..
>
> I've stayed out of this thread because I'm hazy on this, but you should
> be aware that serving two slashes will be interpreted differently than
> what you want, it is not a directory separator.

Not on the apache servers I'm dealing with. You could be right for other
servers.
Anyway, I'm trying to have proper URLs on my end, and at the same time I
want to be prepared if anyone/anybot is trying trickery on me.
For now I'll use that workaround of redirecting to a cleaned up version of
the URI.
But I still would appreciate any insight on the problem I found.

re: php scripts and triple slashes
mijn naam wrote:
> "Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@spamyourself.com> wrote in message news:48e0ebcb$0$187$e4fe514c@news.xs4all.nl...
>> OK, that makes sense then for $_SERVER["REQUEST_URI"].
>>
>> I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
>> /debug/one/two/debug.php/one/two/three/four
>> for that URL if you don't play with mod_rewrite.
>
> I'm sure I disabled mod_rewrite. At the server restart, apache
> complained "Invalid command 'RewriteLog', perhaps mis-spelled or defined
> by a module not included in the server configuration" (I forgot to
> remove one such line at first).
>
> the php script is debug.php ...
>
>> Are you sure you are telling the whole story?
>
> ... and apache is set up with options MultiViews. I didn't hide that on
> purpose.

Aaah, Multiviews.
You should have mentioned that earlier.
That must be your problemobfuscator. ;-)
This is what my apache2 tells me (PHP5) when I request: http://www.example.com/test.php/one///two/three
[REQUEST_URI] =/test.php/one///two/three
[PHP_SELF] =/test.php/one///two/three
And I don't use Multiviews.
As you can see, both URI and PHP_SELF contain what you (or at least I)
expected.
I am no expert on Multiviews, but I expect your problem originates
there. Maybe you can configure them differently, or use mod_rewrite
instead if that is an option.
(You can mimic your desired multiview behaviour with mod_rewrite if you
just think up a smart match for the url.)
Good luck.
Regards,
Erwin Moller
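
The lookup script described in the thread (a URL such as /content/a/b/c/d mapped to a file under /home/user/private_html) can take its path from REQUEST_URI alone, combining the slash-collapsing redirect with a check that the result stays inside the base directory. This is an added example, not code posted by any participant; the function name resolve_request, the URL_PREFIX constant and the temporary demo directory are assumptions.

```php
<?php
// Added example, not code from the thread. URL_PREFIX and the demo tree are assumptions.
const URL_PREFIX = '/content';

// Returns ['redirect' => uri], ['file' => path] or ['error' => HTTP status].
function resolve_request(string $requestUri, string $baseDir): array
{
    // Use REQUEST_URI only: SCRIPT_NAME and PHP_SELF are filled in by the server
    // and changed under '///' in the thread. parse_url() is avoided because it
    // reads a leading '//' as a host name.
    [$rawPath, $query] = array_pad(explode('?', $requestUri, 2), 2, null);
    if ($rawPath === '' || $rawPath[0] !== '/') {
        return ['error' => 400];
    }
    // The poster's workaround: collapse runs of slashes, then redirect. The
    // result starts with exactly one '/', so it is never a '//host' URL.
    $collapsed = preg_replace('#/{2,}#', '/', $rawPath);
    if ($collapsed !== $rawPath) {
        return ['redirect' => $collapsed . ($query !== null ? "?$query" : '')];
    }

    $path   = rawurldecode($rawPath);
    $prefix = URL_PREFIX . '/';
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return ['error' => 404];
    }
    $relative = rtrim(substr($path, strlen($prefix)), '/');

    // After decoding, refuse empty segments (from %2F%2F), dot segments,
    // NUL and backslash before touching the filesystem.
    foreach (explode('/', $relative) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..'
            || preg_match('/[\x00\\\\]/', $segment)) {
            return ['error' => 400];
        }
    }

    // Containment check on the resolved path; this also covers symlinks.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $relative);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return ['error' => 404];
    }
    return ['file' => $target];
}

// Constructed demo tree and request URIs.
$base = sys_get_temp_dir() . '/private_html_demo';
@mkdir("$base/a/b", 0700, true);
file_put_contents("$base/a/b/c.txt", "demo\n");
$uris = ['/content/a/b/c.txt', '/content/a///b/c.txt', '/content/a/%2e%2e/x', '/content/a/b%2F%2Fc.txt'];
foreach ($uris as $uri) {
    echo $uri, ' => ', json_encode(resolve_request($uri, $base), JSON_UNESCAPED_SLASHES), "\n";
}
```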