php / doc-en

English PHP documentation

`opcache.restrict_api` may not correctly apply through web server #1639

Open Rarst opened 2 years ago

Rarst commented 2 years ago

Description

I observe an issue where a correct opcache.restrict_api setting isn't correctly applied when run through an Apache (2.4.52) web server.

The following code:

```php
<?php

var_dump(
    php_sapi_name(),
    ini_get( 'opcache.restrict_api' ),
    __FILE__,
    strpos( __FILE__, ini_get( 'opcache.restrict_api' ) )
);
opcache_get_status();
```

Non-matching path, CLI (correct, warning)

```
string(3) "cli"
string(10) "C:\serverr"
string(47) "C:\server\www\dev\opcache-restrict-api-test.php"
bool(false)

Warning: Zend OPcache API is restricted by "restrict_api" configuration directive in C:\server\www\dev\opcache-restrict-api-test.php on line 9
```

Non-matching path, web server (correct, warning)

```
string(14) "apache2handler" string(10) "C:\serverr" string(47) "C:\server\www\dev\opcache-restrict-api-test.php" bool(false)
Warning: Zend OPcache API is restricted by "restrict_api" configuration directive in C:\server\www\dev\opcache-restrict-api-test.php on line 9
```

Matching path, CLI (correct, no warning)

```
string(3) "cli"
string(9) "C:\server"
string(47) "C:\server\www\dev\opcache-restrict-api-test.php"
int(0)
```

Matching path, web server (INCORRECT, warning)

```
string(14) "apache2handler" string(9) "C:\server" string(47) "C:\server\www\dev\opcache-restrict-api-test.php" int(0)
Warning: Zend OPcache API is restricted by "restrict_api" configuration directive in C:\server\www\dev\opcache-restrict-api-test.php on line 9
```

PHP Version

8.1.2

Operating System

Windows 10

cmb69 commented 2 years ago

Try opcache.restrict_api=C:/server; that should work for Apache.

I'm not totally convinced that OPcache should automatically care about that slash vs. backslash issue. Maybe we just should document it.

Rarst commented 2 years ago

Yes, changing slash makes it work for my Apache (and breaks it for CLI accordingly).

I think that is extra confusing, since then it visibly doesn't match __FILE__ as reported by PHP.

In general I would expect paths to be normalized for any comparison purposes, but I am not familiar with what the practices are in the PHP code base.

P.S. For context, my use case started as implementing a check for this for systems I don't control (WordPress plugin), rather than just configuring something of my own.

cmb69 commented 2 years ago

> In general I would expect paths to be normalized for any comparison purposes, but I am not familiar with what the practices are in the PHP code base.

For apache2handler, the internal SG(request_info).path_translated is set from what Apache reports, without any modifications. And apparently, Apache prefers slashes as directory separator, even if configured otherwise. Not sure if we should change the slashes to backslashes there.

arnaud-lb commented 2 years ago

> I'm not totally convinced that OPcache should automatically care about that slash vs. backslash issue. Maybe we just should document it.

Since opcache.restrict_api is an allowed path (rather than a denied path), I think that we should not try to transform it or to compare it in a loose way. Agreed that we should document it.

cmb69 commented 2 years ago

Reclassifying as documentation problem according to @arnaud-lb's comment above.
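
The behaviour discussed in this thread, as an added example that is not code from the issue or from php-src: a diagnostic that tells apart a real restriction from one caused only by slash vs. backslash differences. It assumes OPcache compares `opcache.restrict_api` as a strict, byte-wise prefix of the script path the SAPI reports; the function name, the result labels and the forward-slash Apache paths are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Classify a restrict_api value against the script path the SAPI reports.
 * Assumption: strict byte-wise prefix match, no separator normalisation.
 * Hypothetical helper, not part of OPcache.
 */
function classify_restrict_api(string $restrictApi, string $sapiPath): string
{
    if ($restrictApi === '') {
        return 'unrestricted'; // empty directive: the API is not restricted
    }
    $len = strlen($restrictApi);
    if (strncmp($sapiPath, $restrictApi, $len) === 0) {
        return 'allowed';
    }
    // Normalise only to explain the failure; the result is never used to
    // grant access, since the directive is an allow-list.
    $norm = static fn (string $p): string => str_replace('\\', '/', $p);
    if (strncmp($norm($sapiPath), $norm($restrictApi), $len) === 0) {
        return 'separator-mismatch';
    }
    return 'restricted';
}

// Constructed sample paths: CLI reports backslashes, Apache reports slashes.
$cliPath    = 'C:\\server\\www\\dev\\opcache-restrict-api-test.php';
$apachePath = 'C:/server/www/dev/opcache-restrict-api-test.php';

$cases = [
    ['cli',            'C:\\serverr', $cliPath],
    ['apache2handler', 'C:\\serverr', $apachePath],
    ['cli',            'C:\\server',  $cliPath],
    ['apache2handler', 'C:\\server',  $apachePath], // the reported problem
    ['apache2handler', 'C:/server',   $apachePath], // the suggested value
    ['cli',            'C:/server',   $cliPath],    // breaks CLI in turn
];

foreach ($cases as [$sapi, $ini, $path]) {
    printf("%-15s %-12s %s\n", $sapi, $ini, classify_restrict_api($ini, $path));
}
```

In a live check the second argument has to come from the running SAPI; using `$_SERVER['SCRIPT_FILENAME']` for it is an assumption, since `__FILE__` showed backslashes under Apache in the report while the internal path did not match them.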