By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,278 Members | 1,357 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,278 IT Pros & Developers. It's quick & easy.

php scripts and tripple slashes

P: n/a
Trying to find info about this, but searching for '///' or for 'tripple
slash' doesn't provide relevant answers. Can anyone please point me in the
right direction?

A simple script, called debug.php, shows some variables. I can call this
script using http://server/debug/show.php or using http://server/debug/show

Also I can add more to the URL, and the script is still called. So far so
good.
_SERVER["REQUEST_URI"]=/debug/show/a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php

_SERVER["REQUEST_URI"]=/debug/show//a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php

The problem starts when adding three or more slashes:

_SERVER["REQUEST_URI"]=/debug/show///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show/show.php

See how script_name suddenly has an extra '/show' in it?

This doesn't happen when I use the full script name:

_SERVER["REQUEST_URI"]=/debug/show.php///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php/
Is this a bug, or is this expected behaviour?
I also see a problem with PHP_SELF on one machine but not on another:

_SERVER["REQUEST_URI"]=/debug/show.php
_SERVER["PHP_SELF"]=/debug/show.php

_SERVER["REQUEST_URI"]=/debug/show.php/
_SERVER["PHP_SELF"]=/

Please point me into the right direction, currently I have no idea if I have
to look at apache's configuration, PHP, or if this is expected behaviour
(and, if so, why).

TIA

Sep 28 '08 #1
Share this Question
Share on Google+
8 Replies


P: n/a

mijn naam schreef:
Trying to find info about this, but searching for '///' or for 'tripple
slash' doesn't provide relevant answers. Can anyone please point me in
the right direction?

A simple script, called debug.php, shows some variables. I can call
this script using http://server/debug/show.php or using
http://server/debug/show

Also I can add more to the URL, and the script is still called. So far
so good.
_SERVER["REQUEST_URI"]=/debug/show/a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php

_SERVER["REQUEST_URI"]=/debug/show//a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php

The problem starts when adding three or more slashes:

_SERVER["REQUEST_URI"]=/debug/show///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show/show.php

See how script_name suddenly has an extra '/show' in it?

This doesn't happen when I use the full script name:

_SERVER["REQUEST_URI"]=/debug/show.php///a/b/c
_SERVER["SCRIPT_NAME"]=/debug/show.php/
Is this a bug, or is this expected behaviour?
I also see a problem with PHP_SELF on one machine but not on another:

_SERVER["REQUEST_URI"]=/debug/show.php
_SERVER["PHP_SELF"]=/debug/show.php

_SERVER["REQUEST_URI"]=/debug/show.php/
_SERVER["PHP_SELF"]=/

Please point me into the right direction, currently I have no idea if I
have to look at apache's configuration, PHP, or if this is expected
behaviour (and, if so, why).

TIA
Hi,

I bet you are using mod_rewrite for apache.
Have a look at the rewrite rules and conditions in your apache config.
Post it here if you are in doubt. Or better here: alt.apache.configuration

Good luck.

Regards,
Erwin Moller

--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Sep 29 '08 #2

P: n/a
"Erwin Moller"
<Si******************************************@spam yourself.comschreef in
bericht news:48*********************@news.xs4all.nl...
I bet you are using mod_rewrite for apache.
Have a look at the rewrite rules and conditions in your apache config.
Post it here if you are in doubt. Or better here: alt.apache.configuration
Thanks but no.

One machine is the provider's. I cannot look there.

The other one is my home box, this one doesn't do rewriting AFACT. Just to
be sure: I placed RewriteLogLevel 2 and RewriteLog logs/rewrite in the
config and that log stays empty.

Then I commented everything having to do with rewriting out, and restarted
apache. Before and after the following happens on my machine:

_SERVER["REQUEST_URI"]=/debug/one/two///three/four
_SERVER["SCRIPT_NAME"]=/debug/one/two/debug.php
_SERVER["PHP_SELF"]=/debug/one/two/debug.php/one/two/three/four

Sep 29 '08 #3

P: n/a
"Erwin Moller"
<Si******************************************@spam yourself.comschreef in
bericht news:48*********************@news.xs4all.nl...
>
mijn naam schreef:
>"Erwin Moller"
<Si******************************************@spa myourself.comschreef
in bericht news:48*********************@news.xs4all.nl...
>>I bet you are using mod_rewrite for apache.
Have a look at the rewrite rules and conditions in your apache config.
Post it here if you are in doubt. Or better here:
alt.apache.configuration

Thanks but no.

One machine is the provider's. I cannot look there.

The other one is my home box, this one doesn't do rewriting AFACT. Just
to be sure: I placed RewriteLogLevel 2 and RewriteLog logs/rewrite in the
config and that log stays empty.

Then I commented everything having to do with rewriting out, and
restarted apache. Before and after the following happens on my machine:

_SERVER["REQUEST_URI"]=/debug/one/two///three/four
_SERVER["SCRIPT_NAME"]=/debug/one/two/debug.php
_SERVER["PHP_SELF"]=/debug/one/two/debug.php/one/two/three/four

Hi Stranger,

And what URL are you feeding excactly that gives the above result?
http://hostname/debug/one/two///three/four

in other words: http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

And secondly: What is it excactly you are trying to achieve?
Do you have an actual problem or is this just research?
I'm writing a script which is going to be used to find files in a directory
structure. That script looks like a subdirectory in the normal tree.

E.g. http://servername/content/a/b/c/d will look at
/home/user/private_html/a/b/c/d

While testing my script with various different problems ('never trust user
input') I found the problem I'm trying to tackle.

I was using _SERVER["SCRIPT_NAME"] but obviously I run into trouble if I
can't rely on its contents.

The only workaround I've found so far is to
redirect(ereg_replace('///*','/',$_SERVER["REQUEST_URI"])) in case I find
two slashes in a row in request_uri. Not a nice solution but it seems to do
the job.

PS: Please 'mijn naam', use a (real) name, that makes conversations in
here a bit more pleasant. ;-)
Just call me 'Mijn'. No problem.

Sep 29 '08 #4

P: n/a

mijn naam schreef:
"Erwin Moller"
<Si******************************************@spam yourself.comschreef
in bericht news:48*********************@news.xs4all.nl...
>>
mijn naam schreef:
>>"Erwin Moller"
<Si******************************************@sp amyourself.com>
schreef in bericht news:48*********************@news.xs4all.nl...

I bet you are using mod_rewrite for apache.
Have a look at the rewrite rules and conditions in your apache config.
Post it here if you are in doubt. Or better here:
alt.apache.configuration

Thanks but no.

One machine is the provider's. I cannot look there.

The other one is my home box, this one doesn't do rewriting AFACT.
Just to be sure: I placed RewriteLogLevel 2 and RewriteLog
logs/rewrite in the config and that log stays empty.

Then I commented everything having to do with rewriting out, and
restarted apache. Before and after the following happens on my machine:

_SERVER["REQUEST_URI"]=/debug/one/two///three/four
_SERVER["SCRIPT_NAME"]=/debug/one/two/debug.php
_SERVER["PHP_SELF"]=/debug/one/two/debug.php/one/two/three/four

Hi Stranger,

And what URL are you feeding excactly that gives the above result?
Hi Mijn,
http://hostname/debug/one/two///three/four

in other words: http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}
OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.

Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script without
mod_rewrite???

Are you sure you are telling the whole story?
>
>And secondly: What is it excactly you are trying to achieve?
Do you have an actual problem or is this just research?

I'm writing a script which is going to be used to find files in a
directory structure. That script looks like a subdirectory in the normal
tree.

E.g. http://servername/content/a/b/c/d will look at
/home/user/private_html/a/b/c/d

While testing my script with various different problems ('never trust
user input') I found the problem I'm trying to tackle.

I was using _SERVER["SCRIPT_NAME"] but obviously I run into trouble if I
can't rely on its contents.

The only workaround I've found so far is to
redirect(ereg_replace('///*','/',$_SERVER["REQUEST_URI"])) in case I
find two slashes in a row in request_uri. Not a nice solution but it
seems to do the job.
What about simply dismissing a request that has more than one / in the URL?
That must be an invalid request, since (I expect) you deliver the
directorylinks yourself, and thus correctly formatted.

>
>PS: Please 'mijn naam', use a (real) name, that makes conversations in
here a bit more pleasant. ;-)

Just call me 'Mijn'. No problem.
Fine I will call you Mijn.
It just feels a little too intimate since I am Dutch too. ;-)
Regards,
Erwin Moller

--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Sep 29 '08 #5

P: n/a
"Erwin Moller"
<Si******************************************@spam yourself.comschreef in
bericht news:48*********************@news.xs4all.nl...
>http://hostname/debug/one/two///three/four

in other words: http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.
I'm sure I disabled mod_rewrite. At the server restart, apache complained
"Invalid command 'RewriteLog', perhaps mis-spelled or defined by a module
not included in the server configuration" ( I forgot to remove one such
line at first).

Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script without
mod_rewrite???
the php script is debug.php ...
Are you sure you are telling the whole story?
.... and apache is setup with options MultiViews. I didn't hide that on
purpose.
What about simply dismissing a request that has more than one / in the
URL?
That must be an invalid request, since (I expect) you deliver the
directorylinks yourself, and thus correctly formatted.
That would also be an option. However: nobody's perfect, a mistake is easily
made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a slash, dir
starts or ends with a slash, dir is empty, and so on. Apache couldn't care
less and will happily serve .///something/different.html
Sep 29 '08 #6

P: n/a
mijn naam wrote:
"Erwin Moller"
<Si******************************************@spam yourself.comschreef
in bericht news:48*********************@news.xs4all.nl...
>>http://hostname/debug/one/two///three/four

in other words:
http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.

I'm sure I disabled mod_rewrite. At the server restart, apache
complained "Invalid command 'RewriteLog', perhaps mis-spelled or defined
by a module not included in the server configuration" ( I forgot to
remove one such line at first).

>Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script
without mod_rewrite???

the php script is debug.php ...
>Are you sure you are telling the whole story?

... and apache is setup with options MultiViews. I didn't hide that on
purpose.
>What about simply dismissing a request that has more than one / in the
URL?
That must be an invalid request, since (I expect) you deliver the
directorylinks yourself, and thus correctly formatted.

That would also be an option. However: nobody's perfect, a mistake is
easily made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a
slash, dir starts or ends with a slash, dir is empty, and so on. Apache
couldn't care less and will happily serve .///something/different.html
Note that two slashes, as in http:// is part of the protocol.

If I serve http://some_domain.com//some_path, this will look like
http://some_domain.com/http://somepath, or something like that..

I've stayed out of this thread because I'm hazy on this, but you
should be aware that serving two slashes will be interpreted differently
than what you want, it is not directory separator.

Jeff
>
Sep 29 '08 #7

P: n/a
"Jeff" <jeff@spam_me_not.comschreef in bericht
news:4p******************************@earthlink.co m...
mijn naam wrote:
>"Erwin Moller"
<Si******************************************@spa myourself.comschreef
in bericht news:48*********************@news.xs4all.nl...
>>>http://hostname/debug/one/two///three/four

in other words:
http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.

I'm sure I disabled mod_rewrite. At the server restart, apache
complained "Invalid command 'RewriteLog', perhaps mis-spelled or defined
by a module not included in the server configuration" ( I forgot to
remove one such line at first).

>>Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script without
mod_rewrite???

the php script is debug.php ...
>>Are you sure you are telling the whole story?

... and apache is setup with options MultiViews. I didn't hide that on
purpose.
>>What about simply dismissing a request that has more than one / in the
URL?
That must be an invalid request, since (I expect) you deliver the
directorylinks yourself, and thus correctly formatted.

That would also be an option. However: nobody's perfect, a mistake is
easily made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a
slash, dir starts or ends with a slash, dir is empty, and so on. Apache
couldn't care less and will happily serve .///something/different.html

Note that two slashes, as in http:// is part of the protocol.

If I serve http://some_domain.com//some_path, this will look like
http://some_domain.com/http://somepath, or something like that..

I've stayed out of this thread because I'm hazy on this, but you should
be aware that serving two slashes will be interpreted differently than
what you want, it is not directory separator.

Not on the apache servers I'm dealing with. You could be right for other
servers.

Anyway, I'm trying to have proper URL's on my end, and at the same time I
want to be prepared if anyone/anybot is trying trickery on me.

For now I'll use that workaround of redirecting to a cleaned up version of
the URI.

But I still would appreciate any insight on the problem I found.

Sep 29 '08 #8

P: n/a

mijn naam schreef:
"Erwin Moller"
<Si******************************************@spam yourself.comschreef
in bericht news:48*********************@news.xs4all.nl...
>>http://hostname/debug/one/two///three/four

in other words:
http://{$_SERVER["SERVER_NAME"]}{$_SERVER["REQUEST_URI"]}

OK, that makes sense then for $_SERVER["REQUEST_URI"].

I don't see how/why PHP fills $_SERVER["PHP_SELF"] with:
/debug/one/two/debug.php/one/two/three/four
for that URL if you don't play with mod_rewrite.

I'm sure I disabled mod_rewrite. At the server restart, apache
complained "Invalid command 'RewriteLog', perhaps mis-spelled or defined
by a module not included in the server configuration" ( I forgot to
remove one such line at first).

>Your url:
http://hostname/debug/one/two///three/four
DOESN'T name any php script, so HOW is this fed to a PHP script
without mod_rewrite???

the php script is debug.php ...
>Are you sure you are telling the whole story?

... and apache is setup with options MultiViews. I didn't hide that on
purpose.
Aaah, Multiviews.
You should have mentioned that earlier.
That must be your problemobfuscator. ;-)

This is what my apache2 tell me (PHP5) when I request:
http://www.example.com/test.php/one///two/three

[REQUEST_URI] =/test.php/one///two/three
[PHP_SELF] =/test.php/one///two/three

And I don't use Multiviews.

As you can see, both URI and PHP_SELF contain what you (or at least I)
expected.

I am no expert on Multiviews, but I expect your problem originates
there. Maybe you can configure them differently, or use mod_rewrite
instead if that is an option.
(You can mimic your desired multiview behaviour with mod_rewrite if you
just think up a smart match for the url.)

Good luck.

Regards,
Erwin Moller
>
>What about simply dismissing a request that has more than one / in the
URL?
That must be an invalid request, since (I expect) you deliver the
directorylinks yourself, and thus correctly formatted.

That would also be an option. However: nobody's perfect, a mistake is
easily made e.g. $ptr="./{$dir}/{$path}"; what if path starts with a
slash, dir starts or ends with a slash, dir is empty, and so on. Apache
couldn't care less and will happily serve .///something/different.html


--
============================
Erwin Moller
Now dropping all postings from googlegroups.
Why? http://improve-usenet.org/
============================
Sep 29 '08 #9

This discussion thread is closed

Replies have been disabled for this discussion.