[TYPO3-core] RFC #15246: Use t3lib_div::getIndpEnv('SCRIPT_FILENAME') to determine PATH_thisScript

Felix Kopp — PHORAX typo3-core at phorax.com
Tue Jul 27 15:03:54 CEST 2010


Hi folks,

please find my remarks below:

On 27.07.2010, at 13:34, Dmitry Dulepov wrote:

> Hi!
> 
> Nikolas Hagelstein wrote:
>> Problem:
>> Currently PATH_thisScript is checked/defined in several files using a
>> pretty ugly "monster clause chain"
>> 
>> Changing this to t3lib_div::getIndpEnv('SCRIPT_FILENAME') makes things
>> more readable and maintainable.
>> 
>> Solution:
>> Replace "monster clause" by t3lib_div::getIndpEnv('SCRIPT_FILENAME')
> 

This patch does not reference SCRIPT_FILENAME as environment var but the getIndpEnv($getEnvName) static function with string parameter "SCRIPT_FILENAME" as input key.

> I made a quick search and discovered that this change may break script path
> detection. Here is what I found quickly.
> 
> SCRIPT_FILENAME is non–standard. CGI spec [1] does not have this variable,
> so it is possible that your solution will not work in cgi mode.

t3lib_div::getIndpEnv('SCRIPT_FILENAME') is parsed via the switch-case in t3lib_div which references several checks within $_SERVER array. therefore we have to determine wether ORIG_PATH_TRANSLATED, PATH_TRANSLATED, ORIG_PATH_TRANSLATED, PATH_TRANSLATED, ORIG_SCRIPT_FILENAME and SCRIPT_FILENAME are all necessary _SERVER-keys. In CGI mode PATH_TRANSLATED will be referenced (see 4.1).

> SCRIPT_FILENAME under MS IIS returns a string with backward slashes. Web
> also indicates that this variable may not exist when php runs as cgi under
> MS IIS. I did not check any Windows versions myself. The information comes
> from comments on php.net.

The slash vs. backslash situation will also be handled within getIndpEnv due to the surrounding str_replace.

> Under certain condition you can get a path to the PHP interpreter in this
> variable ([2]).

Seems to be a non-standard configuration to me but I can not confirm my theory.
Furthermore this parameter would most certainly not be used due to the order of the parameters within getIndpEnv.


> Some editions of Ubuntu seem to discard SCRIPT_FILENAME completely ([3]).
> 
> [1] http://www.rfc-editor.org/rfc/rfc3875.txt
> [2]
> http://www.bigresource.com/PHP--_SERVER-SCRIPT_FILENAME-php-php-exe--EziQEXuQ.html
> [3] http://community.activestate.com/faq/cgi-debugging-no-input-fi#comment-811
> 
> -- 
> Dmitry Dulepov
> TYPO3 core&security teams member
> Twitter: http://twitter.com/dmitryd
> Read more @ http://dmitry-dulepov.com/
> 

I think this patch is the right step into the right direction to make the code more readable and remove redundant checks. The centralization should be done.

+1 by reading and (testing within /index.php) from me.


But additionally we have to add the fpm-fcgi (PHP_SAPI) into the $retVal condition to ensure the underlying problem (#15241). I will send the v2-patch for fpm-fcgi this evening if no one else finds the time beforehand.

Kind regard to you all,
Felix*









More information about the TYPO3-team-core mailing list