[PHP-BUG] Bug #61218 [NEW]: FPM doesn't receive binary values in FastCGI requests
From: Operating system: Ubuntu 10.04.4 LTS x64 PHP version: 5.3.10 Package: FPM related Bug Type: Bug Bug description:FPM doesn't receive binary values in FastCGI requests Description: The function fcgi_get_params() checks fastcgi name-value pairs on their effective sizes using fcgi_param_get_eff_len(). This works good only for zero-ended string values, but not the binary data. Suppose we want to transmit binary data with zeroes in the middle. In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop FastCGI connection. Test script: --- How to reproduce (passing binary client address in BREMOTE_ADDR): nginx server configuration: http://www.box.com/s/dduo08uni67ilgjnn6rc TCP session dump (tcpdump -ni lo port 4006 -X -s 0): http://www.box.com/s/ukkyco8raeijvb3hr8ep Expected result: Expected: full response from PHP. Actual result: -- Actually got: TCP reset immediately after receiving data packet with FastCGI request. You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5 are: 0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string) 0x0095 = x04 = 04 (the length of binary data) 0x0096-0x00A1 = "BREMOTE_ADDR" (the name) 0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address 127.0.0.1) I found something like FastCGI specs on http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2 "3.4 Name-Value Pairs ... This name-value pair format allows the sender to transmit binary values without additional encoding, and enables the receiver to allocate the correct amount of storage immediately even for large values." Thus, I think assuming that all FastCGI data is a zero-ended strings is wrong. I wrote a patch that removes check for non-zero byte after "end of string". -- Edit bug report at https://bugs.php.net/bug.php?id=61218&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=61218&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=61218&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=61218&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=61218&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=61218&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=61218&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=61218&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=61218&r=needscript Try newer version: https://bugs.php.net/fix.php?id=61218&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=61218&r=support Expected behavior: https://bugs.php.net/fix.php?id=61218&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=61218&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=61218&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=61218&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=61218&r=php4 Daylight Savings:https://bugs.php.net/fix.php?id=61218&r=dst IIS Stability: https://bugs.php.net/fix.php?id=61218&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=61218&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=61218&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=61218&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=61218&r=mysqlcfg
Bug #61218 [Opn]: FPM drops connection while receiving some binary values in FastCGI requests
Edit report at https://bugs.php.net/bug.php?id=61218&edit=1 ID: 61218 User updated by:bruzh2 at gmail dot com Reported by:bruzh2 at gmail dot com -Summary:FPM doesn't receive binary values in FastCGI requests +Summary:FPM drops connection while receiving some binary values in FastCGI requests Status: Open Type: Bug Package:FPM related Operating System: Ubuntu 10.04.4 LTS x64 PHP Version:5.3.10 Block user comment: N Private report: N New Comment: refine summary field Previous Comments: [2012-03-01 12:04:42] bruzh2 at gmail dot com Description: The function fcgi_get_params() checks fastcgi name-value pairs on their effective sizes using fcgi_param_get_eff_len(). This works good only for zero-ended string values, but not the binary data. Suppose we want to transmit binary data with zeroes in the middle. In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop FastCGI connection. Test script: --- How to reproduce (passing binary client address in BREMOTE_ADDR): nginx server configuration: http://www.box.com/s/dduo08uni67ilgjnn6rc TCP session dump (tcpdump -ni lo port 4006 -X -s 0): http://www.box.com/s/ukkyco8raeijvb3hr8ep Expected result: Expected: full response from PHP. Actual result: -- Actually got: TCP reset immediately after receiving data packet with FastCGI request. You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5 are: 0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string) 0x0095 = x04 = 04 (the length of binary data) 0x0096-0x00A1 = "BREMOTE_ADDR" (the name) 0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address 127.0.0.1) I found something like FastCGI specs on http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2 "3.4 Name-Value Pairs ... This name-value pair format allows the sender to transmit binary values without additional encoding, and enables the receiver to allocate the correct amount of storage immediately even for large values." Thus, I think assuming that all FastCGI data is a zero-ended strings is wrong. I wrote a patch that removes check for non-zero byte after "end of string". -- Edit this bug report at https://bugs.php.net/bug.php?id=61218&edit=1
Bug #61218 [Com]: FPM drops connection while receiving some binary values in FastCGI requests
Edit report at https://bugs.php.net/bug.php?id=61218&edit=1 ID: 61218 Comment by: bruzh2 at gmail dot com Reported by:bruzh2 at gmail dot com Summary:FPM drops connection while receiving some binary values in FastCGI requests Status: Open Type: Bug Package:FPM related Operating System: Ubuntu 10.04.4 LTS x64 PHP Version:5.3.10 Block user comment: N Private report: N New Comment: php.ini http://www.box.com/s/bpuv2ngqoh4mog8srl4d php-fpm.conf http://www.box.com/s/o81ruvvf8gx31sd456qm Previous Comments: [2012-03-01 15:09:57] bruzh2 at gmail dot com refine summary field [2012-03-01 12:04:42] bruzh2 at gmail dot com Description: The function fcgi_get_params() checks fastcgi name-value pairs on their effective sizes using fcgi_param_get_eff_len(). This works good only for zero-ended string values, but not the binary data. Suppose we want to transmit binary data with zeroes in the middle. In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop FastCGI connection. Test script: --- How to reproduce (passing binary client address in BREMOTE_ADDR): nginx server configuration: http://www.box.com/s/dduo08uni67ilgjnn6rc TCP session dump (tcpdump -ni lo port 4006 -X -s 0): http://www.box.com/s/ukkyco8raeijvb3hr8ep Expected result: Expected: full response from PHP. Actual result: -- Actually got: TCP reset immediately after receiving data packet with FastCGI request. You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5 are: 0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string) 0x0095 = x04 = 04 (the length of binary data) 0x0096-0x00A1 = "BREMOTE_ADDR" (the name) 0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address 127.0.0.1) I found something like FastCGI specs on http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2 "3.4 Name-Value Pairs ... This name-value pair format allows the sender to transmit binary values without additional encoding, and enables the receiver to allocate the correct amount of storage immediately even for large values." Thus, I think assuming that all FastCGI data is a zero-ended strings is wrong. I wrote a patch that removes check for non-zero byte after "end of string". -- Edit this bug report at https://bugs.php.net/bug.php?id=61218&edit=1
Bug #61218 [Com]: FPM drops connection while receiving some binary values in FastCGI requests
Edit report at https://bugs.php.net/bug.php?id=61218&edit=1
ID: 61218
Comment by: bruzh2 at gmail dot com
Reported by:bruzh2 at gmail dot com
Summary:FPM drops connection while receiving some binary
values in FastCGI requests
Status: Open
Type: Bug
Package:FPM related
Operating System: Ubuntu 10.04.4 LTS x64
PHP Version:5.3.10
Block user comment: N
Private report: N
New Comment:
linux command line to send HTTP request to nginx:
echo -e "GET /test.php HTTP/1.1\nHost: tmp\nConnection: close\n" | nc localhost
80
nginx response:
HTTP/1.1 502 Bad Gateway
Server: nginx/0.7.68
Date: Thu, 01 Mar 2012 10:39:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 173
Connection: close
Set-Cookie: ngs_uid=fwAAAU9PUdk/Oi4mAwMJAg==; expires=Sun, 27-Feb-22 10:39:21
GMT; domain=ngs.ru; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
502 Bad Gateway
502 Bad Gateway
nginx/0.7.68
Take note this is LOCAL connection to nginx. Further nginx transmits 4 bytes
('127.0.0.1' = 0x7f 0x00 0x00 0x01) in the 'BREMOTE_ADDR' FastCGI value. And
PHP-FPM drops FastCGI connection after receiving non-zero ended binary sequence
in the FastCGI value. Any other connection from HTTP client without zeroes in
the IPv4 address would work.
Previous Comments:
----------------
[2012-03-02 03:04:11] bruzh2 at gmail dot com
php.ini
http://www.box.com/s/bpuv2ngqoh4mog8srl4d
php-fpm.conf
http://www.box.com/s/o81ruvvf8gx31sd456qm
----------------
[2012-03-01 15:09:57] bruzh2 at gmail dot com
refine summary field
----------------
[2012-03-01 12:04:42] bruzh2 at gmail dot com
Description:
The function fcgi_get_params() checks fastcgi name-value pairs on their
effective sizes using fcgi_param_get_eff_len().
This works good only for zero-ended string values, but not the binary data.
Suppose we want to transmit binary data with zeroes in the middle.
In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop
FastCGI connection.
Test script:
---
How to reproduce (passing binary client address in BREMOTE_ADDR):
nginx server configuration:
http://www.box.com/s/dduo08uni67ilgjnn6rc
TCP session dump (tcpdump -ni lo port 4006 -X -s 0):
http://www.box.com/s/ukkyco8raeijvb3hr8ep
Expected result:
Expected: full response from PHP.
Actual result:
--
Actually got: TCP reset immediately after receiving data packet with FastCGI
request.
You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5
are:
0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string)
0x0095 = x04 = 04 (the length of binary data)
0x0096-0x00A1 = "BREMOTE_ADDR" (the name)
0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address
127.0.0.1)
I found something like FastCGI specs on
http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2
"3.4 Name-Value Pairs
...
This name-value pair format allows the sender to transmit binary values without
additional encoding,
and enables the receiver to allocate the correct amount of storage immediately
even for large values."
Thus, I think assuming that all FastCGI data is a zero-ended strings is wrong.
I wrote a patch that removes check for non-zero byte after "end of string".
--
Edit this bug report at https://bugs.php.net/bug.php?id=61218&edit=1
