[TYPO3-core] RFC: Bug #5548: cli_dispatch.phpsh will not run on CGI API
Steffen Gebert
steffen at steffen-gebert.de
Tue Jan 20 20:28:21 CET 2009
Martin Kutschker wrote:
>> Steffen Gebert wrote:
>>> We could check REMOTE_ADDR - this will be empty while running from
>>> command line and I'm quite sure never when launched by a HTTP server.
>>> Would this be acceptable?
>>
>> Can you check that it is indeed empty and does not contain some fake
>> value? If yes, than fine :)
>
> How could you make a HTTP connect and force the webserver NOT to set
> REMOTE_ADDR? You can spoof the address itself, but still it would be set.
Yes, of course it wouldn't be undefined..
The following $_SERVER-keys are not defined in CGI:
'HTTP_USER_AGENT', 'HTTP_HOST', 'SERVER_NAME', 'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_PROTOCOL', 'REQUEST_URI'
As there might be environment (=shell) variables defined with the same name as those from PHP, we shouldn't immediately exit (e.g. I see REMOTEHOST from SSH, which is quite close to PHP's REMOTE_HOST - maybe there's anywhere a collision in any environment).
Maybe we could check for all and output a hint, if any of those are defined (and should be unset before launching the script). But if none is defined, I'm really sure, that we are not using HTTP ;)
It would be nice if some of you could check the following snippet to ensure, that your CGI works like mine...
$envVars = array('HTTP_USER_AGENT', 'HTTP_HOST', 'SERVER_NAME', 'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_PROTOCOL');
foreach ($envVars as $var) {
if (array_key_exists($var, $_SERVER)) {
echo '$_SERVER[' . $var . '] is defined (not expected). Value: ' . $_SERVER[$var] . chr(10);
} else {
echo 'OK, ' . $var . ' is not defined' . chr(10);
}
}
Steffen
More information about the TYPO3-team-core
mailing list