Bug #2216


mod_userdir doesn't set environment variable DOCUMENT_ROOT

Added by DanielRichman about 14 years ago. Updated about 10 years ago.

Target version:


1) Fresh install of lighttpd + mod_userdir enabled (tested on Ubuntu 10.04)
2) in a test php file

sudo aptitude install lighttpd && sudo lighty-enable-mod userdir cgi &&
mkdir ~/public_html && echo '<?php phpinfo(); ?>' >> ~/public_html/index.php &&
x-www-browser http://localhost/~`id -un`

Look for the 'Environment section' - DOCUMENT_ROOT. Provided I haven't gone mad, you'll notice that it's /var/www/ rather than /home/username/public_html/ .

This seems to fix it, though I don't know enough about lighty's source to know if it is the correct fix:

--- lighttpd-1.4.26.orig/src/mod_userdir.c
+++ lighttpd-1.4.26/src/mod_userdir.c
@@ -302,6 +302,7 @@
         * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
         *       as a username without them.
+       buffer_copy_string_buffer(con->physical.doc_root, p->temp_path);
        if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
                buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */


mod_userdir.c (8.47 KB) mod_userdir.c DanielRichman, 2010-05-31 20:56
Actions #1

Updated by DanielRichman about 14 years ago

That's meant to say

2) in a test php file '<?php phpinfo(); ?>'

but appears to have got cut out... along with some other stuff

Actions #2

Updated by stbuehler almost 14 years ago

mod_alias doesn't modify the doc_root either, so i'm not sure whether we really want that in mod_userdir.

Actions #3

Updated by stbuehler almost 14 years ago

  • Status changed from Patch Pending to Invalid
  • Target version deleted (1.4.x)
  • Missing in 1.5.x changed from Yes to No

As long as no one provides good reasons why we would want to change that, i don't change it :)

Actions #4

Updated by DanielRichman almost 14 years ago

This feature might be useful for additional security when using suphp 
with lighttpd
see check_vhost_docroot:
  Checks wheter the script is within DOCUMENT_ROOT specified by the 
  webserver. This option is intended to avoid symbol links outside of the
  webpage directory. You may want to disable it, when you are using
  mod_vhost_alias or the Alias-directive.
(trying to do this was how I noticed this issue)
I am yet to meet some CGI/php that relies on the DOCUMENT_ROOT env. var,
but it is possible.
Actions #5

Updated by stbuehler almost 14 years ago

  • Status changed from Invalid to Reopened
  • Target version set to 1.4.29

It scans the directories up to the doc-root, if the doc-root is a prefix of the "script-filename"; otherwise it only scans the directory of the "script-filename".

So we probably want to set the userdir / alias destination as doc-root.

Actions #6

Updated by stbuehler about 13 years ago

  • Status changed from Reopened to Fixed

Applied in changeset r2794.

Actions #7

Updated by glen about 10 years ago

i think it's wrong to change DOCUMENT_ROOT to be root of alias, it's breaking the common setup that has always existed, since even PHP was invented.

for example this kind PHP specific hack breaks the possibility to access real document root (set in virtualhost config) if your script itself is mapped to all virtualhosts via Alias.

if such option is still wanted (note that bug reporter himself wasn't sure but you still merged it!), it should be configurable option, either global or new directive to map such alias which also changes DOCUMENT_ROOT.

there's also mailinglist post saying that this change is wrong:


Also available in: Atom