-
-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure some $_SERVER variables have the right values #1133
Comments
Interesting, I imagine correctly handling the encoded string is important for a reverse proxy since it potentially allows bypassing certain paths if the origin server does decode them.
And I get a request like this: Caddy would invoke the handle directive. |
Yep, it was #1130 that led me to this, specifically in regards to %2f. I was looking at my WordPress logs before doing the switch to FrankenPHP and saw a number of those types of requests, so I got curious what the behavior is supposed to be.
I believe this is reasonably correct. There are some other fun ones: https://withinboredom.info/2024/08/12///////////////////////////////////optimizing-cgo-handles/ is a valid URI that Apache and Nginx normalize. |
Yeah you are right, And as you mentioned everything but REQUEST_URI is normalized:
Probably makes sense to stay consistent with nginx/apache 👍 . I think this is niche enough to not break any application depending on the current logic. |
Thank you @AlliBalliBaba for the dd fix I was just going through some of the tickets by both of you. Love the commitment and collaboration both of you doing together. Reading your replies, it felt like I'm watching 2 friends discussing their next journey. Loved it. I've not even started using this but it looks like what the php world should have moved to way sooner. |
Describe you feature request
The values are somewhat documented here: https://www.php.net/manual/en/reserved.variables.server.php
Specifically, this issue is in regards to:
Which suggests a 'literal', non-processed URI for REQUEST_URI. Digging into the comments on this page, I was able to get a little more information from people studying these behaviors of these variables across time/SAPIs (I love comments on these pages).
REQUEST_URI:
SCRIPT_NAME:
PHP_SELF:
I also noted that we may not have the correct values for PATH_INFO:
This should be the values after the php script: /index.php/some/path should be /some/path, different from REQUEST_URI.
Apache and Nginx
For Apache and nginx, I looked into how they handle encoded urls (urls that have
%2f
instead of/
):Apache has AllowEncodedSlashes to process these urls. It looks like the typical usecase is something like: /example/http:%2F%2Fwww.someurl.com/ for proxies and potentially retrieving screenshots. Apache considers these invalid urls unless this setting is set to On or NoDecode (and processes them or doesn't, depending on the value of this setting).
For nginx, it depends on how you formulate the variable in your configuration. If you use $uri, then it will pass on the unescaped version, but $request_uri will be the original escaped version. Looking at the default fastcgi parameters that came with my nginx installation (ubuntu 24.04), it sets REQUEST_URI to $request_uri.
In both SAPIs, this behavior is configurable for handling url-decoding before passing to PHP.
The text was updated successfully, but these errors were encountered: