PHP: Make the filter_input() function work.

On GitHub, @jamesRUS52 reported that the PHP filter_input()[0] function
would just return NULL.

To enable this function we need to run the variables thro

PHP: Make the filter_input() function work.

On GitHub, @jamesRUS52 reported that the PHP filter_input()[0] function
would just return NULL.

To enable this function we need to run the variables through the
sapi_module.input_filter() function when we call
php_register_variable_safe().

In PHP versions prior to 7.0.0, input_filter() takes 'len' as an
unsigned int, while later versions take it as a size_t.

Now, with this commit and the following PHP

<?php

var_dump(filter_input(INPUT_SERVER, 'REMOTE_ADDR'));
var_dump(filter_input(INPUT_SERVER, 'REQUEST_URI'));
var_dump(filter_input(INPUT_GET, 'get', FILTER_SANITIZE_SPECIAL_CHARS));

?>

you get

$ curl 'http://localhost:8080/854.php?get=foo<>'
string(3) "::1"
string(18) "/854.php?get=foo<>"
string(13) "foo&#60;&#62;"

[0]: <https://www.php.net/manual/en/function.filter-input.php>

Tested-by: <https://github.com/jamesRUS52>
Closes: <https://github.com/nginx/unit/issues/854>
Reviewed-by: Alejandro Colomar <alx@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: Implement better error handling.

Previously the PHP module would produce one of four status codes

200 OK
301 Moved Permanently
500 Internal Server Error
503 Service Unavailable

200 fo

PHP: Implement better error handling.

Previously the PHP module would produce one of four status codes

200 OK
301 Moved Permanently
500 Internal Server Error
503 Service Unavailable

200 for successful requests, 301 for cases where the url was a directory
without a trailing '/', 500 for bad PHP or non-existing PHP file and 503
for all other errors.

With this commit we now handle missing files and directories, returning
404 Not Found and files and directories that don't allow access,
returning 403 Forbidden.

We do these checks in two places, when we check if we should do a
directory redirect (bar -> bar/) and in the nxt_php_execute() function.

One snag with the latter is that the php_execute_script() function only
returns success/failure (no reason). However while it took a
zend_file_handle structure with the filename of the script to run, we
can instead pass through an already opened file-pointer (FILE *) via
that structure. So we can try opening the script ourselves and do the
required checks before calling php_execute_script().

We also make use of the zend_stream_init_fp() function that initialises
the zend_file_handle structure if it's available otherwise we use our
own version. This is good because the zend_file_handle structure has
changed over time and the zend_stream_init_fp() function should change
with it.

Closes: <https://github.com/nginx/unit/issues/767>
Reviewed-by: Alejandro Colomar <alx@nginx.com>
Cc: Andrei Zeliankou <zelenkov@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: Simplify ctx->script_filename.start in nxt_php_execute().

Create a const char *filename variable to hold
ctx->script_filename.start, which is a much more manageable name and
will negate the nee

PHP: Simplify ctx->script_filename.start in nxt_php_execute().

Create a const char *filename variable to hold
ctx->script_filename.start, which is a much more manageable name and
will negate the need for any more casting in the following commit when
we switch to using a FILE * instead of a filename in
php_execute_script().

Reviewed-by: Alejandro Colomar <alx@nginx.com>
Cc: Andrei Zeliankou <zelenkov@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: Make use of zend_stream_init_filename().

Where possible make use of the zend_stream_init_filename() function
introduced in PHP 7.4.

This is essentially a preparatory patch for switching to usi

PHP: Make use of zend_stream_init_filename().

Where possible make use of the zend_stream_init_filename() function
introduced in PHP 7.4.

This is essentially a preparatory patch for switching to using an
already opened file-pointer in nxt_php_execute(). While wrapping this
new code in a PHP version check with a fallback to our own function is
perhaps slightly overkill, it does reduce the diff of the commit that
switches to a FILE *.

Reviewed-by: Alejandro Colomar <alx@nginx.com>
Cc: Andrei Zeliankou <zelenkov@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: Factored out code into a helper function.

We're going to use zend_stream_init_filename in a following commit. To
reduce the diff of that change, move the current code that will be
replaced, to

PHP: Factored out code into a helper function.

We're going to use zend_stream_init_filename in a following commit. To
reduce the diff of that change, move the current code that will be
replaced, to a function that has the same interface.

We use strlen(3) here to be able to use an interface without passing the
length, but we will remove that call in a following code, so it has no
performance issues.

Co-developed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Cc: Andrei Zeliankou <zelenkov@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: Fix a potential problem parsing the path.

@dward on GitHub reported an issue with a URL like

http://foo.bar/test.php?blah=test.php/foo

where we would end up trying to run the script

test

PHP: Fix a potential problem parsing the path.

@dward on GitHub reported an issue with a URL like

http://foo.bar/test.php?blah=test.php/foo

where we would end up trying to run the script

test.php?blah=test.php

In the PHP module the format 'file.php/' is treated as a special case in
nxt_php_dynamic_request() where we check the _path_ part of the url for
the string '.php/'.

The problem is that the path actually also contains the query string,
thus we were finding 'test.php/' in the above URL and treating that
whole path as the script to run.

The fix is simple, replace the strstr(3) with a memmem(3), where we can
limit the amount of path we use for the check.

The trick here and what is not obvious from the code is that while
path.start points to the whole path including the query string,
path.length only contains the length of the _path_ part.

NOTE: memmem(3) is a GNU extension and is neither specified by POSIX or
ISO C, however it is available on a number of other systems, including:
FreeBSD, OpenBSD, NetBSD, illumos, and macOS.

If it comes to it we can implement a simple alternative for systems
which lack memmem(3).

This also adds a test case (provided by @dward) to cover this.

Closes: <https://github.com/nginx/unit/issues/781>
Cc: Andrei Zeliankou <zelenkov@nginx.com>
Reviewed-by: Alejandro Colomar <alx@nginx.com>
Reviewed-by: Andrei Zeliankou <zelenkov@nginx.com> [test]
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

Removed the unsafe nxt_memcmp() wrapper for memcmp(3).

The casts are unnecessary, since memcmp(3)'s arguments are 'void *'.
It might have been necessary in the times of K&R, where 'void *' didn't
ex

Removed the unsafe nxt_memcmp() wrapper for memcmp(3).

The casts are unnecessary, since memcmp(3)'s arguments are 'void *'.
It might have been necessary in the times of K&R, where 'void *' didn't
exist. Nowadays, it's unnecessary, and _very_ unsafe, since casts can
hide all classes of bugs by silencing most compiler warnings.

The changes from nxt_memcmp() to memcmp(3) were scripted:

$ find src/ -type f \
| grep '\.[ch]$' \
| xargs sed -i 's/nxt_memcmp/memcmp/'

Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>

show more ...

PHP: allowed to specify URLs without a trailing '/'.

Both @lucatacconi & @mwoodpatrick reported what appears to be the same
issue on GitHub. Namely that when using the PHP language module and
trying

PHP: allowed to specify URLs without a trailing '/'.

Both @lucatacconi & @mwoodpatrick reported what appears to be the same
issue on GitHub. Namely that when using the PHP language module and
trying to access a URL that is a directory but without specifying the
trailing '/', they were getting a '503 Service Unavailable' error.

Note: This is when _not_ using the 'script' option.

E.g with the following config

{
"listeners": {
"[::1]:8080": {
"pass": "applications/php"
}
},

"applications": {
"php": {
"type": "php",
"root": "/var/tmp/unit-php"
}
}
}

and with a directory path of /var/tmp/unit-php/foo containing an
index.php, you would see the following

$ curl http://localhost/foo
<title>Error 503</title>
Error 503

However

$ curl http://localhost/foo/

would work and serve up the index.php

This commit fixes the above so you get the desired behaviour without
specifying the trailing '/' by doing the following

1] If the URL doesn't end in .php and doesn't have a trailing '/'
then check if the requested path is a directory.

2) If it is a directory then create a 301 re-direct pointing to it.
This matches the behaviour of the likes of nginx, Apache and
lighttpd.

This also matches the behaviour of the "share" action in Unit.

This doesn't effect the behaviour of the 'script' option which bypasses
the nxt_php_dynamic_request() function.

This also adds a couple of tests to test/test_php_application.py to
ensure this continues to work.

Closes: <https://github.com/nginx/unit/issues/717>
Closes: <https://github.com/nginx/unit/issues/753>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

Added parentheses for consistency.

Reported-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Remi Collet <remi@remirepo.net>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: A

Added parentheses for consistency.

Reported-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Remi Collet <remi@remirepo.net>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>

show more ...

PHP: Fixed php_module_startup() call for PHP 8.2.

PHP 8.2 changed the prototype of the function, removing the last
parameter.

Signed-off-by: Remi Collet <remi@remirepo.net>
Cc: Timo Stark <t.stark@

PHP: Fixed php_module_startup() call for PHP 8.2.

PHP 8.2 changed the prototype of the function, removing the last
parameter.

Signed-off-by: Remi Collet <remi@remirepo.net>
Cc: Timo Stark <t.stark@nginx.com>
Cc: George Peter Banyard <girgias@php.net>
Tested-by: Andy Postnikov <apostnikov@gmail.com>
Acked-by: Andy Postnikov <apostnikov@gmail.com>
Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
Signed-off-by: Alejandro Colomar <alx@nginx.com>

show more ...

Renamed a couple of members of nxt_unit_request_t.

This is a preparatory patch that renames the 'local' and 'local_length'
members of the nxt_unit_request_t structure to 'local_addr' and
'local_addr

Renamed a couple of members of nxt_unit_request_t.

This is a preparatory patch that renames the 'local' and 'local_length'
members of the nxt_unit_request_t structure to 'local_addr' and
'local_addr_length' in preparation for the adding of 'local_port' and
'local_port_length' members.

Suggested-by: Zhidao HONG <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>

show more ...

PHP: fixed crash when calling module functions in OPcache preload.

In PHP, custom fastcgi_finish_request() and overloaded chdir() functions can be
invoked by an OPcache preloading script (it runs wh

PHP: fixed crash when calling module functions in OPcache preload.

In PHP, custom fastcgi_finish_request() and overloaded chdir() functions can be
invoked by an OPcache preloading script (it runs when php_module_startup() is
called in the app process setup handler). In this case, there was no runtime
context set so trying to access it caused a segmentation fault.

This closes #602 issue on GitHub.

show more ...

Moving request limit control to libunit.

Introducting application graceful stop. For now only used when application
process reach request limit value.

This closes #585 issue on GitHub.

PHP: adopted "file_handle" to Zend API changes in 8.1.0-dev.

This fixes building module with the development version of PHP after the change:
https://github.com/php/php-src/commit/c732ab400af92c54ee

PHP: adopted "file_handle" to Zend API changes in 8.1.0-dev.

This fixes building module with the development version of PHP after the change:
https://github.com/php/php-src/commit/c732ab400af92c54eee47c487a56009f1d79dd5d

show more ...

PHP: forced initialization of $_SERVER in fastcgi_finish_request().

The "auto_globals_jit" PHP option postponed the initialization of the $_SERVER
global variable until the script using it had been

PHP: forced initialization of $_SERVER in fastcgi_finish_request().

The "auto_globals_jit" PHP option postponed the initialization of the $_SERVER
global variable until the script using it had been loaded (e. g. via the
"include" expression). As a result, nxt_php_register_variables() could be
called after fastcgi_finish_request() had finished the request and nulled
ctx->req, which thus caused a segmentation fault.

show more ...

Fixed building the PHP 5 module with ZTS, broken by dab8544b5440.

This closes #525 issue on GitHub.

PHP: populating PHP_AUTH_* server variables.

This closes #498 issue on GitHub.

PHP: implementation of the fastcgi_finish_request() function.

This closes #219 issue on GitHub.

PHP: prevention of consuming unread request body on finalization.

The php_request_shutdown() function calls sapi_deactivate() that tries to read
request body into a dummy buffer. In our case it's j

PHP: prevention of consuming unread request body on finalization.

The php_request_shutdown() function calls sapi_deactivate() that tries to read
request body into a dummy buffer. In our case it's just waste of CPU cycles.

This change is also required for the following implementation of the
fastcgi_finish_request() function, where the request context can be
cleared by the time of finalization.

show more ...

PHP: compatibility with 8.0.0 RC1.

This closes #474 PR on GitHub.

PHP: fixed "rootfs" isolation dependency on system mounts.

PHP: added bind mounts for extensions directory.

PHP: compatibility with 8.0.0 Beta 1.

This closes #441 PR on GitHub.

Configuration: added checking for presence of mandatory fields.

PHP: using nxt_unit_default_init() for module structure init.

Using this function in all language modules helps to avoid code duplication
and reduce the size of future patches.