[TYPO3-core] RFC: Bug #5548: cli_dispatch.phpsh will not run on CGI API
Dmitry Dulepov
dmitry at typo3.org
Tue Jan 20 13:27:54 CET 2009
Hi!
Steffen Gebert wrote:
> Description:
> As already stated in a longer discussion [1], cli_dispatch.phpsh doesn't work in CGI environments as PHP_SAPI is 'cgi', not 'cli'.
> This blocks CGI users and forces them to patch TYPO3 core code, if they want to use cli_dispatch.phpsh
>
> Solution:
> Don't exit if PHP_SAPI != 'cgi', but also weather it starts with 'cgi' (this will accept 'cgi-fcgi', too (see [2], also mentioned by Michiel)).
> I've overworked Masi's patch to accept cgi* as SAPI and to conform to CGL.
This is not enough. Executing cli_dispatch.phpsh under cgi SAPI must be disallowed from the browser. Otherwise cli_dispatch.phpsh may be used to execute processes that must not run under the web server. Those processes can be used to find various information about the web server that can be used for attacks (such as location of files). For now this patch is too dangerous to be committed.
I think that check will be complicated. For example, checking for HTTP_USER_AGENT is not a valid way because it can be fooled using telnet.
--
Dmitry Dulepov
TYPO3 core team
"Sometimes they go bad. No one knows why" (Cameron, TSCC, "Dungeons&Dragons")
More information about the TYPO3-team-core
mailing list