search

fuel / core

Fuel PHP Framework - The core of the Fuel v1 framework
http://fuelphp.com
811 stars 344 forks source link

URI path present in _GET / Input::get() in case of PHP7+fpm #2167

Closed bartlomiejb closed 1 month ago

bartlomiejb commented 2 years ago

After migrating our apps to a newer server software we noticed that there is an URI path in _GET now sometimes (when there is no query params in URL proper).

For example lets modify an example initial Fuel app (welcome.php controller):

    public function action_hello()
    {
        //return Response::forge(Presenter::forge('welcome/hello'));
        echo '<pre><tt>hello' . "\n\n";print_r([$_GET, Input::get()]);die();
    }

After visiting http://domain/hello we get:

hello

Array
(
    [0] => Array
        (
            [/hello] => 
        )

    [1] => Array
        (
            [/hello] => 
        )

)

The culprit is the rule in .htaccess: https://github.com/fuel/fuel/blob/1.9/develop/public/.htaccess#L66

RewriteRule ^(.*)$ index.php?/$1 [QSA,L]

I guess the fix for this should be in Fuel core somewhere... Or maybe you have another idea?

From the application programmer point of view it shoud work just the same as it was the case of another server software (eg. PHP5 or PHP7+sapi), ie. no "garbage" in _GET :-)

WanWizard commented 2 years ago

Indeed, it should have been caught.

bartlomiejb commented 2 years ago

Thanks for a quick response!

https://github.com/fuel/fuel/commit/60e469073b70a1681ecaddefa2bd94126f294041 Is this the proper fix? When pointing to this rewrite rule as a culprit I was mainly thinking about an unnecessary question mark (?).

Anyway, removing it is fixing the issue for me (in 1.8)... I was trying it before, but due to some configuration option on our server it didn't work...

WanWizard commented 2 years ago

It works in 8.0 too.

bartlomiejb commented 2 years ago

Maybe I was not clear enough in above comment, so here is full explanation: by saying "removing it" I meant by "it" the question mark, NOT "QSA".

Removing "QSA" doesn't change anything in regard of URI path in GET

What fixes the issue for me (in Fuel release version) is removing the question mark from the rewrite rule, ie.: with this rule URI path is present in _GET and Input::get():

RewriteRule ^(.*)$ index.php?/$1 [L]

with this rule URI path is NOT present in _GET and Input::get():

RewriteRule ^(.*)$ index.php/$1 [L]

BTW: in current Fuel dev the URI path is still present in Input::get() (but not in raw _GET). (Removal of the question mark from the rewrite rule fixes it.)

By "Fuel release" I mean code installed by instructions from https://fuelphp.com/docs/installation/instructions.html#/from_github - "Clone the latest release from github", git+composer version.

By "Fuel dev" I mean code installed by instructions from https://fuelphp.com/docs/installation/instructions.html#/from_github - "Clone the latest development branch from github", git+composer version.

Tested (among others) on current Arch Linux, PHP7 with FPM.

WanWizard commented 2 years ago

I need to know the exact server setup you test with.

My local test server runs PHP-FPM 8.0 on AlmaLinux, and for that setup, the rewrite rule used is

    # deal with php-fcgi first
    <IfModule mod_fcgid.c>
        RewriteRule ^(.*)$ index.php?/$1 [QSA,L]
    </IfModule>

and if I disable mod_cgi, the rule used is

            # for fpm installations
            <IfModule !mod_php7.c>
                RewriteRule ^(.*)$ index.php?/$1 [L,QSA]
            </IfModule>

Both work fine here, both $_GET and Input::get() are clean.

I tested with URL http://test.lab.local/test/test/index?var1=one&var2=two

But with or without question mark, with or without QSA, the result stays the same: image

(I can't comment on the current release, as that might also have issues with the Input code)

bartlomiejb commented 2 years ago

I need to know the exact server setup you test with.

See https://github.com/bartlomiejb/for-fuel-core-issue-2167/tree/main/archlinux/etc There are configuration files from ArchLinux (I only ommited /etc/httpd/modules - it is a symlink to directory with .so modules outside of /etc), the only changes from standard files as packaged in distro are my changes as described in https://wiki.archlinux.org/title/Apache_HTTP_Server#PHP (and for FPM) and added two local vhosts.

I installed packages for PHP7 as that's the version that I am interested in ;)

$ pacman -Q | grep -i 'apache\|fpm\|php'
apache 2.4.52-1
php7 7.4.27-1
php7-apache 7.4.27-1
php7-fpm 7.4.27-1
php7-sodium 7.4.27-1

With this config and these packages the results of print_r([$_GET, Input::get()]); are (when visiting <localhost>/hello): Fuel Release:

Array
(
    [0] => Array
        (
            [/hello] => 
        )

    [1] => Array
        (
            [/hello] => 
        )

)

Fuel Dev:

Array
(
    [0] => Array
        (
        )

    [1] => Array
        (
            [/hello] => 
        )

)

My local test server runs PHP-FPM 8.0 on AlmaLinux (...)

Have you tried also with PHP7?

I tested with URL http://test.lab.local/test/test/index?var1=one&var2=two

Try omitting query params - from my tests on PHP7 the bug (ie. URI path) was not present when there were query params.