[TYPO3-core] RFC: Bug #5548: cli_dispatch.phpsh will not run on CGI API

Martin Kutschker masi-no at spam-typo3.org
Tue Jan 20 13:54:36 CET 2009


Dmitry Dulepov wrote:
> Hi!
> 
> Steffen Gebert wrote:
>> Description:
>> As already stated in a longer discussion [1], cli_dispatch.phpsh doesn't work in CGI environments as PHP_SAPI is 'cgi', not 'cli'.
>> This blocks CGI users and forces them to patch TYPO3 core code, if they want to use cli_dispatch.phpsh
>>
>> Solution:
>> Don't exit if PHP_SAPI != 'cgi', but also whether it starts with 'cgi' (this will accept 'cgi-fcgi', too (see [2], also mentioned by Michiel)).
>> I've overworked Masi's patch to accept cgi* as SAPI and to conform to CGL.
> 
> This is not enough. Executing cli_dispatch.phpsh under cgi SAPI must be disallowed from the browser.

Right.

> I think that check will be complicated. For example, checking for HTTP_USER_AGENT is not a valid way because it can be fooled using telnet.

I was thinking about checking $_SERVER[DOCUMENT_ROOT]. This should be
set for any SAPI but CLI.

There are others which could be checked, but most of them are also
present in $_ENV and so you could set them with a CLI. OTOH, if you do,
a check for e.g. $_ENV[REMOTE_ADDR] will shut you out.

In essence we have only to see if one or more variables are set that
are found when called via a webserver but not when called as CLI. If we
find them we bail out. I don't see how I can fool this check by sending
tailored HTTP headers.

Masi
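
The check discussed in this message, sketched as an added example (not code from the thread or from TYPO3 core): accept the 'cli' and 'cgi*' SAPIs, then exit if any variable that a web server sets for a request is present. The function name, the list of variables and the sample environments are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper: TRUE if the call looks like a command-line
 * invocation, FALSE if it should be refused.
 *
 * @param string $sapi   value of PHP_SAPI
 * @param array  $server contents of $_SERVER
 */
function isCommandLineCall($sapi, array $server) {
	// Accept 'cli' and any SAPI name starting with 'cgi' ('cgi', 'cgi-fcgi').
	if ($sapi !== 'cli' && strpos($sapi, 'cgi') !== 0) {
		return FALSE;
	}
	// Variables the web server itself sets for a request. Client HTTP headers
	// arrive as HTTP_* entries, so a request cannot unset or override these.
	$webOnly = array('DOCUMENT_ROOT', 'REMOTE_ADDR', 'REQUEST_METHOD', 'GATEWAY_INTERFACE');
	foreach ($webOnly as $name) {
		// PHP CLI exposes DOCUMENT_ROOT as an empty string: treat empty as unset.
		if (isset($server[$name]) && $server[$name] !== '') {
			return FALSE;
		}
	}
	return TRUE;
}

// Constructed sample environments (not captured from a real server).
$samples = array(
	'shell, cli SAPI' => array('cli', array('DOCUMENT_ROOT' => '')),
	'shell, cgi SAPI' => array('cgi', array('SHELL' => '/bin/sh')),
	'browser, cgi-fcgi SAPI' => array('cgi-fcgi', array(
		'DOCUMENT_ROOT' => '/var/www',
		'REMOTE_ADDR' => '192.0.2.10',
		'REQUEST_METHOD' => 'GET',
		'GATEWAY_INTERFACE' => 'CGI/1.1',
		'HTTP_USER_AGENT' => 'anything',
	)),
	// The caveat from the message: the variable is exported in the shell,
	// so the check fails closed and shuts out a real command-line call.
	'shell, REMOTE_ADDR exported' => array('cli', array('REMOTE_ADDR' => '192.0.2.10')),
);
foreach ($samples as $label => $sample) {
	echo $label . ': ' . (isCommandLineCall($sample[0], $sample[1]) ? 'run' : 'exit') . "\n";
}
```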

