Debian Bug report logs - #459040
libapache2-mod-php5: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf


Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);

Reported by: Björn Wiberg <Bjorn.Wiberg@its.uu.se>

Date: Fri, 4 Jan 2008 10:18:02 UTC

Severity: normal

Found in version php5/5.2.0-8+etch9

Fixed in version 5.2.6.dfsg.1-1+lenny3

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#459040; Package libapache2-mod-php5.


Acknowledgement sent to Björn Wiberg <Bjorn.Wiberg@its.uu.se>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Björn Wiberg <Bjorn.Wiberg@its.uu.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf
Date: Fri, 04 Jan 2008 11:05:35 +0100
Package: libapache2-mod-php5
Version: 5.2.0-8+etch9
Severity: normal

Summary: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf


Sample script:

<?php
  $resource = opendir($_SERVER['DOCUMENT_ROOT'] . '/no/such/dir/');
  echo('<BR>');
  $resource = @opendir($_SERVER['DOCUMENT_ROOT'] . '/no/such/dir/');
?>


Comments:

The @ should prevent warnings and errors from being shown on the web page.
However, when the error_reporting directive is locked with php_admin_value in httpd.conf, @ fails and warnings/errors are shown on the web page.
This was not so in the previous release of php5 in Debian.
This is probably related to the fact that PHP recently (as of 5.2.5) correctly enforces php_admin_value in httpd.conf, although this side effect may be undesirable. Backporting miss?

Please note that it *is* desirable to lock error_reporting with php_admin_value so that malicious code cannot disable error reporting *completely*.


Result with "php_admin_value error_reporting 6135" in httpd.conf:

Warning: opendir(/var/www/fuscus.its.uu.se/no/such/dir/): failed to open dir: No such file or directory in /var/www/fuscus.its.uu.se/admin/test.php on line 2
Warning: opendir(/var/www/fuscus.its.uu.se/no/such/dir/): failed to open dir: No such file or directory in /var/www/fuscus.its.uu.se/admin/test.php on line 4


Result with "php_value error_reporting 6135" in httpd.conf:

Warning: opendir(/var/www/fuscus.its.uu.se/no/such/dir/): failed to open dir: No such file or directory in /var/www/fuscus.its.uu.se/admin/test.php on line 2


Expected result:

Warning: opendir(/var/www/fuscus.its.uu.se/no/such/dir/): failed to open dir: No such file or directory in /var/www/fuscus.its.uu.se/admin/test.php on line 2

...for both "php_admin_value error_reporting 6135" and "php_value error_reporting 6135".


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=sv_SE.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to sv_SE.UTF-8)

Versions of packages libapache2-mod-php5 depends on:
ii  apa 2.2.3-4+etch3                        Traditional model for Apache HTTPD
ii  apa 2.2.3-4+etch3                        Next generation, scalable, extenda
ii  lib 1.0.3-6                              high-quality block-sorting file co
ii  lib 2.3.6.ds1-13etch4                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.4.4-7etch4                         MIT Kerberos runtime libraries
ii  lib 4.17-5etch3                          File type determination library us
ii  lib 6.7+7.4-2                            Perl 5 Compatible Regular Expressi
ii  lib 0.9.8c-4etch1                        SSL shared libraries
ii  lib 2.6.27.dfsg-1                        GNOME XML library
ii  mim 3.39-1                               MIME files 'mime.types' & 'mailcap
ii  php 5.2.0-8+etch9                        Common files for packages built fr
ii  ucf 2.0020                               Update Configuration File: preserv
ii  zli 1:1.2.3-13                           compression library - runtime

libapache2-mod-php5 recommends no packages.

-- no debconf information
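
The check described in the report above, as an added example that is not part of the original message or of the Debian/PHP packages: it decodes the error_reporting value 6135 into level names and probes whether @ lowers the level for a failing opendir(). The names decode_mask, probe_handler and at_suppresses_warning are hypothetical, and it assumes that error_reporting() read inside a user error handler reflects what @ managed to set.

```php
<?php
// Added example (not from the bug report). Works on PHP 5.2+ (no closures).

// PHP error level bits; the numeric values are fixed by the language.
$levels = array(
    1 => 'E_ERROR', 2 => 'E_WARNING', 4 => 'E_PARSE', 8 => 'E_NOTICE',
    16 => 'E_CORE_ERROR', 32 => 'E_CORE_WARNING', 64 => 'E_COMPILE_ERROR',
    128 => 'E_COMPILE_WARNING', 256 => 'E_USER_ERROR',
    512 => 'E_USER_WARNING', 1024 => 'E_USER_NOTICE', 2048 => 'E_STRICT',
    4096 => 'E_RECOVERABLE_ERROR',
);

// Return the names of the levels enabled in an error_reporting bitmask.
function decode_mask($mask, $levels) {
    $enabled = array();
    foreach ($levels as $bit => $name) {
        if ($mask & $bit) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// Handler that records the level in force while the probe warning is raised.
$probe_level = null;
function probe_handler($errno, $errstr) {
    global $probe_level;
    $probe_level = error_reporting();
    return true; // handled: keeps the probe's own warning off the page
}

// true: @ lowered the level below E_WARNING; false: it did not;
// null: the probe raised no warning (the path unexpectedly exists).
function at_suppresses_warning() {
    global $probe_level;
    $probe_level = null;
    set_error_handler('probe_handler');
    @opendir('/no/such/dir/'); // constructed path, expected to be missing
    restore_error_handler();
    if ($probe_level === null) {
        return null;
    }
    return ($probe_level & E_WARNING) === 0;
}

$mask = 6135; // the value used in the report
echo 'error_reporting ', $mask, ' = ', implode(' | ', decode_mask($mask, $levels)), "\n";
$ok = at_suppresses_warning();
echo '@ suppression: ', ($ok === null ? 'unknown' : ($ok ? 'working' : 'NOT working')), "\n";
```

Run it once under "php_value error_reporting 6135" and once under "php_admin_value error_reporting 6135" to compare the two configurations from the report.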




Message sent on to Björn Wiberg <Bjorn.Wiberg@its.uu.se>:
Bug#459040. (Fri, 08 Jan 2010 16:27:21 GMT)


Message #8 received at 459040-submitter@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 459040-submitter@bugs.debian.org
Subject: #459040: libapache2-mod-php5: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf
Date: Fri, 8 Jan 2010 17:21:21 +0100
Hi Bjorn,

could you please retest with current stable (lenny) and if it still
fails with unstable?

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Mon, 11 Jan 2010 09:15:04 GMT)


Notification sent to Björn Wiberg <Bjorn.Wiberg@its.uu.se>:
Bug acknowledged by developer. (Mon, 11 Jan 2010 09:15:04 GMT)


Message #13 received at 459040-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 459040-done@bugs.debian.org
Subject: Re: Bug#459040: #459040: libapache2-mod-php5: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf
Date: Mon, 11 Jan 2010 10:11:07 +0100
Version: 5.2.6.dfsg.1-1+lenny3

>> could you please retest with current stable (lenny) and if it still
>> fails with unstable?
>
> Seems to be OK in Lenny now (libapache2-mod-php5/lenny uptodate
> 5.2.6.dfsg.1-1+lenny4) so I guess this case can be closed.

Closing the bug.

-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Information stored:
Bug#459040; Package libapache2-mod-php5. (Mon, 11 Jan 2010 09:18:11 GMT)


Acknowledgement sent to Björn Wiberg <Bjorn.Wiberg@uadm.uu.se>:
Extra info received and filed, but not forwarded. (Mon, 11 Jan 2010 09:18:11 GMT)


Message #18 received at 459040-quiet@bugs.debian.org:

From: Björn Wiberg <Bjorn.Wiberg@uadm.uu.se>
To: Ondřej Surý <ondrej@sury.org>, 459040-quiet@bugs.debian.org
Cc: 459040-submitter@bugs.debian.org, Debian BTS <debbugs@rietz.debian.org>
Subject: Re: Bug#459040: #459040: libapache2-mod-php5: @ fails to hide warnings/errors when error_reporting is locked in httpd.conf
Date: Mon, 11 Jan 2010 10:07:41 +0100 (CET)
Hello Ondřej!

On Fri, 8 Jan 2010, Ondřej Surý wrote:
> could you please retest with current stable (lenny) and if it still
> fails with unstable?

Seems to be OK in Lenny now (libapache2-mod-php5/lenny uptodate 
5.2.6.dfsg.1-1+lenny4) so I guess this case can be closed.

Thank you for your help!

Best regards,
Björn

Message sent on to Björn Wiberg <Bjorn.Wiberg@its.uu.se>:
Bug#459040. (Mon, 11 Jan 2010 09:18:13 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Feb 2010 07:31:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:09:07 2023; Machine Name: bembo
