Installing PHP 4.3.3 as a CGI with #! support
Posted August 22, 2003
You want some sites ("foo.dom") to use "Action ... /php.cgi":
-rw-r--r-- foo foo /home/foo/docroot/.htaccess
-rwx------ foo foo /home/foo/docroot/php.cgi
-rw-r--r-- foo foo /home/foo/docroot/example.php
You want some other sites ("bar.dom") to use "#!/usr/local/bin/php":
-rwx------ bar bar /home/bar/docroot/example.php
-rwxr-xr-x root wheel /usr/local/bin/php
You don't want this security hole.
http://foo.dom/php.cgi/.htaccess
Or this one.
http://bar.dom/example.php/.htaccess
(http://bar.dom/example.php/.htaccess should execute example.php with /.htaccess in $_ENV[PATH_INFO]. Without a patch, PHP executes /home/bar/docroot/.htaccess as a PHP program, which means sending it to the client.)
Build two versions of PHP, one with "force_cgi_redirect" disabled. (If you don't enable this during ./configure when you build PHP, then the setting in php.ini has no effect.)
- extract source code
- apply php433-hashbang-pathinfo patch
- configure with --disable-path-info-check and without --enable-force-cgi-redirect
- make
- make install
- strip /usr/local/bin/php
- delete build dir and extract source code again
- apply "check script owner" and "path info" patches
- configure with --enable-force-cgi-redirect
- make
- cp -p sapi/cgi/php /usr/local/bin/php.cgi
- strip /usr/local/bin/php.cgi
- ensure cgi.force_redirect = 1 in /usr/local/lib/php.ini
|