Bug #2216
closedmod_userdir doesn't set environment variable DOCUMENT_ROOT
Description
1) Fresh install of lighttpd + mod_userdir enabled (tested on Ubuntu 10.04)
2) in a test php file
sudo aptitude install lighttpd && sudo lighty-enable-mod userdir cgi && mkdir ~/public_html && echo '<?php phpinfo(); ?>' >> ~/public_html/index.php && x-www-browser http://localhost/~`id -un`
Look for the 'Environment section' - DOCUMENT_ROOT. Provided I haven't gone mad, you'll notice that it's /var/www/ rather than /home/username/public_html/ .
This seems to fix it, though I don't know enough about lighty's source to know if it is the correct fix:
--- lighttpd-1.4.26.orig/src/mod_userdir.c +++ lighttpd-1.4.26/src/mod_userdir.c @@ -302,6 +302,7 @@ * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory * as a username without them. */ + buffer_copy_string_buffer(con->physical.doc_root, p->temp_path); if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) { buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */ }
Files
Updated by DanielRichman over 14 years ago
That's meant to say
2) in a test php file '<?php phpinfo(); ?>'
but appears to have got cut out... along with some other stuff
Updated by stbuehler over 14 years ago
mod_alias doesn't modify the doc_root either, so i'm not sure whether we really want that in mod_userdir.
Updated by stbuehler over 14 years ago
- Status changed from Patch Pending to Invalid
- Target version deleted (
1.4.x) - Missing in 1.5.x changed from Yes to No
As long as no one provides good reasons why we would want to change that, i don't change it :)
Updated by DanielRichman over 14 years ago
This feature might be useful for additional security when using suphp with lighttpd http://www.suphp.org/DocumentationView.html?file=CONFIG see check_vhost_docroot: Checks wheter the script is within DOCUMENT_ROOT specified by the webserver. This option is intended to avoid symbol links outside of the webpage directory. You may want to disable it, when you are using mod_vhost_alias or the Alias-directive. (trying to do this was how I noticed this issue) I am yet to meet some CGI/php that relies on the DOCUMENT_ROOT env. var, but it is possible.
Updated by stbuehler over 14 years ago
- Status changed from Invalid to Reopened
- Target version set to 1.4.29
http://www.php.net/manual/en/configuration.file.per-user.php
It scans the directories up to the doc-root, if the doc-root is a prefix of the "script-filename"; otherwise it only scans the directory of the "script-filename".
So we probably want to set the userdir / alias destination as doc-root.
Updated by stbuehler over 13 years ago
- Status changed from Reopened to Fixed
Applied in changeset r2794.
Updated by glen over 10 years ago
i think it's wrong to change DOCUMENT_ROOT to be root of alias, it's breaking the common setup that has always existed, since even PHP was invented.
for example this kind PHP specific hack breaks the possibility to access real document root (set in virtualhost config) if your script itself is mapped to all virtualhosts via Alias.
if such option is still wanted (note that bug reporter himself wasn't sure but you still merged it!), it should be configurable option, either global or new directive to map such alias which also changes DOCUMENT_ROOT.
there's also mailinglist post saying that this change is wrong: http://article.gmane.org/gmane.comp.web.lighttpd/5361
Also available in: Atom