Solution for "script_name" variable in php-cgi?

software development

#1

I’m posting this question here, rather than in third party scripts, because it seems to be an issue with a lot of security-aware scripts, rather than just a specific script issue.

I need to run my phpnuke site as php-cgi in order to have Gallery work. Both Gallery and single log-in is essential for this site. I would like to upgrade to PHPnuke Platinum but it uses the script_name variable which breaks in php-cgi.

Example:

if (!stristr($_SERVER['SCRIPT_NAME'], "modules.php")) { die ("You can't access this file directly..."); }Older, unpatched versions of the script use (Example):

if (!eregi("modules.php", $_SERVER[PHP_SELF])) { die ("You can't access this file directly..."); }I’ve read the Kbase article on this:
https://panel.dreamhost.com/kbase/index.cgi?area=2933

A possible fix for wordpress is posted there

[quote]In Wordpress, adding:
$_SERVER[‘SCRIPT_NAME’] = $_SERVER[‘SCRIPT_URL’];
at the second line of your wp-config.php file seems to help.[/quote]
I am wondering if there is a similar fix for nuke, a way of universally redirecting the variable? Having to manually fix all of the files would be pretty impossible plus, it might break the site and would make adding additional modules difficult. I’ve yet to find a solution to this at any nuke forums.

I can find my way around most scripts, but I am not a PHP programmer, so sorry if the solution to this is is obvious.

Thanks


#2

argh… replying to my own thread. No ideas anyone?

I have found this additional info but not sure what I can do about it. Seems I need a change to php.ini, which I can’t override if I am not running PHP as Apache.


[quote]The only way I can think of that it (using the SCRIPT_NAME variable) might be a problem if the server involved uses not the built-in PHP but it uses PHP as a cgi-script. The SCRIPT_NAME then naturally becomes the name of the cgi-script, which is exactly what SCRIPT_NAME should do…

But if I am correct

Code:

cgi.fix_pathinfo=1

setting fixes that problem

From the documentation:

Code:

Provides real PATH_INFO/PATH_TRANSLATED support for CGI. PHP’s previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting this to 1 will cause PHP CGI to fix it’s paths to conform to the spec. A setting of zero causes PHP to behave as before. Default is zero. You should fix your scripts to use SCRIPT_FILENAME rather than PATH_TRANSLATED.[/quote]
any htaccess solutions?