Bug #1489

Archive mode and SE friendly URLs

Added by dev 2 about 3 years ago. Updated over 1 year ago.

Status:ClosedStart date:03/07/2011
Priority:NormalDue date:
Assignee:Tom Moore% Done:

100%

Category:Archive
Target version:1.6.10
Reproducibility:Always Database Type:
Reported In MyBB Version:1.6.1 Database Version:
PHP Version: SQA assignments:Jitendra Maharaj
Browser:

Description

The archive mode doesn't care about global settings (on/off/auto) of friendly URLs and the automatic mode of detecting if mod_rewrite is active doesn't work for me (Server: Nginx + PHP-FPM5), it turns on friendly URLs while there are no rewrite directives in Nginx configuration for MyBB written yet.

The buggy places are the "if" comparisions in 2 files here:

inc/functions.php

function build_archive_link($type, $id="") {
global $mybb;

// If the server OS is not Windows and not Apache or the PHP is running as a CGI or we have defined ARCHIVE_QUERY_STRINGS, use query strings - DIRECTORY_SEPARATOR checks if running windows
if((DIRECTORY_SEPARATOR '\\' && is_numeric(stripos($_SERVER['SERVER_SOFTWARE'], "apache")) false) || is_numeric(stripos(SAPI_NAME, "cgi")) !== false || defined("ARCHIVE_QUERY_STRINGS")) {
$base_url = $mybb->settings['bburl']."/archive/index.php?";
}
else {
$base_url = $mybb->settings['bburl']."/archive/index.php/";
}
...
...
// ----------------------

file archive/global.php

// If the server OS is not Windows and not Apache or the PHP is running as a CGI or we have defined ARCHIVE_QUERY_STRINGS, use query strings - DIRECTORY_SEPARATOR checks if running windows
if((DIRECTORY_SEPARATOR '\\' && stripos($_SERVER['SERVER_SOFTWARE'], 'apache') false) || stripos(SAPI_NAME, 'cgi') !== false || defined("ARCHIVE_QUERY_STRINGS")) {
$url = $_SERVER['QUERY_STRING'];
$base_url = $mybb->settings['bburl']."/archive/index.php?";
$endpart = $url;
}
// Otherwise, we're using 100% friendly URLs
else {
...
...

History

#1 Updated by Andreas Klauer about 3 years ago

This is unrelated to the friendly URL setting. Archive doesn't use rewrites at all, instead it makes use of file.php/path style. To make it work you have to configure nginx to pass the PATH_INFO to PHP properly. For starters see http://kbeezie.com/view/php-self-path-nginx/ (note the comments)

You should fix your nginx setup in any case (make sure it checks that the PHP file actually exists, otherwise you have a security issue), however you can also just define ARCHIVE_QUERY_STRINGS in both global.php and archive/global.php to make it use dynamic URLs. For the archive that's probably the best solution, although I have never tried it myself, so whether it actually works you have to find out for yourself...

#2 Updated by dev 2 about 3 years ago

Thank you for reply.

In Nginx, I am checking the ".php" to be at the end of the matching string (regexp \.php$) to get rid of the security bug you have mentioned (when, for exampled, legit uploaded image.php.gif image containing php code can be executed).

I'll define ARCHIVE_QUERY_STRINGS as you said, as a solution. Thank you.

[trolling]
Anyhow, I can't understand why to use script.php/parameters style. :)
[/trolling]

P.S.
Sorry for messed up first post, maybe it's beacuse of my turned off JS.

#3 Updated by Andreas Klauer about 3 years ago

dev 2 wrote:

I am checking the ".php" to be at the end of the matching string (regexp \.php$)

That's fine, if you don't need to support PATH_INFO...

to get rid of the security bug you have mentioned

Nope, that's exactly what it does not do. You have to actually check that the file.php is an existing file. Otherwise uploaded_image.gif/foobar.php will match the location but execute code embedded in uploaded_image.gif.

You can support PATH_INFO, no problem, as long as you do the file.php exists check...

[trolling]
Anyhow, I can't understand why to use script.php/parameters style. :)
[/trolling]

This is but one of many strange things in PHP...

I can't think of a way to make an autodetect actually work for this, I think the attempt should be removed altogether and ARCHIVE_QUERY_STRINGS define replaced with a setting, that'd be the most useful thing to do, as people can just disable it if their server doesn't support / like PATH_INFO style URLs for some reason.

#4 Updated by dev 2 about 3 years ago

> Nope, that's exactly what it does not do. You have to actually check that the file.php is an existing file. Otherwise uploaded_image.gif/foobar.php will match the location but execute code embedded in uploaded_image.gif.

Yep, it was preventing uploaded_image.php.gif but, as you say, not uploaded_image.gif/foobar.php, thank you for pointing it out. Is this right then, I suppose:

    location ~ \.php$ {
        if (!-f $request_filename) {
            return 404;
            break;
        }
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

> I can't think of a way to make an autodetect actually work for this, I think the attempt should be removed altogether and ARCHIVE_QUERY_STRINGS define replaced with a setting

+1 for that.

#5 Updated by Tom Moore about 3 years ago

  • Target version changed from 1.6.2 to 1.6.3

#6 Updated by Tom Moore about 3 years ago

  • Target version deleted (1.6.3)

#7 Updated by Jorge Oliveira almost 3 years ago

Hello.
I am using mybb 1.6.3 and running apache 2.2.17 on Linux using FastCGI sapi.
I believe the issue is the same.

Default URLs are broken.
board.example.com/archive/index.php/forum-2.html
doesn't work

If I add an ? between the index.php and the slash url works
board.example.com/archive/index.php?/forum-2.html

Please fix this soon.
Thanks :)

#8 Updated by Tom Moore about 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Tom Moore
  • Target version set to 1.6.8

#9 Updated by Tom Moore about 2 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

Applied in changeset r5811.

#10 Updated by Jitendra Maharaj almost 2 years ago

  • SQA assignments set to Jitendra Maharaj

checking

#11 Updated by Jitendra Maharaj almost 2 years ago

  • Status changed from Resolved to Closed

#12 Updated by Nathan Malcolm almost 2 years ago

  • Status changed from Closed to Feedback

Lite (Archive) Mode still links to the old URL scheme on forumdisplay/showthread.

#13 Updated by Anonymous almost 2 years ago

  • Status changed from Feedback to Resolved

#14 Updated by Stefan T. almost 2 years ago

  • Status changed from Resolved to Feedback

#15 Updated by Tom Moore almost 2 years ago

  • Target version changed from 1.6.8 to 1.6.9

#16 Updated by Tom Moore over 1 year ago

  • Status changed from Feedback to Resolved

Fixed in deced029f3 1.6 and 888ee2adc2 1.8.

#17 Updated by Jitendra Maharaj over 1 year ago

  • Status changed from Resolved to Closed

#18 Updated by Stefan T. over 1 year ago

  • Target version changed from 1.6.9 to 1.6.10

Also available in: Atom PDF