View Issue Details

IDProjectCategoryView StatusLast Update
0016882phplist applicationCommand Linepublic26-09-13 14:09
Reporteroverload 
PrioritynormalSeveritycrashReproducibilityalways
Status resolvedResolutionfixed 
PlatformCentOSOSlinuxOS Version5.3
Product Version3.0.2 
Target Version3.0.XFixed in Version3.0.4 
Summary0016882: cli break
Descriptionfile:
public_html/lists/admin/index.php

function parseCline()
line:595
$GLOBALS["argv"] must be replaced with $_SERVER["argv"]
TagsNo tags attached.

Activities

michiel

20-09-13 17:04

manager   ~0052271

not necessarily. http://php.net/manual/en/reserved.variables.argv.php

overload

20-09-13 17:52

reporter   ~0052272

in my configuration $GLOBALS["argv"] is empty... I don't know where it is overwritten

michiel

20-09-13 18:54

manager   ~0052273

can you give more arguments for this change? For example argv is being removed from PHP from version X onwards?

I guess it could include some detection of register_argc_argv and give an error or warning when it is not enabled.

http://www.php.net/manual/en/ini.core.php#ini.register-argc-argv

duncanc

20-09-13 21:59

developer   ~0052274

Last edited: 20-09-13 22:52

View 2 revisions

I have seen this problem a few times when trying to get cron jobs working.
In those cases php cli was running with register_globals on instead of the cli default of off.

The workaround that I use is to add an option to the command,
 -d register_globals=0

It is not clear to me, from the php documentation, why register_globals should affect argc and argv.

michiel

21-09-13 03:20

manager   ~0052275

Ah, that might be the "unregister_globals" kicking in. For security, if register globals is on, they are all unregistered. But of a workaround for a major PHP insecurity, which I think is no longer valid, or at least is on the list to be obsoleted.

make sure register_globals is off
register-argc-argv is on

overload, can you verify this is the case, and the cause of this issue?

overload

21-09-13 14:16

reporter   ~0052277

Sorry, I'm new to mantis...

Yes: the case is "register_globals is on" and the function unregister_GLOBALS() set $GLOBALS["argv"] to null

on line 21 (admin/index.php) $_SERVER['argv'] is used, so could be used also in the function parseCline() to avoid problems even if register_globals is on.

In cli use, it is not necessary to unregister_GLOBALS(), because there are no security problems (imho)

michiel

22-09-13 03:03

manager   ~0052281

yes, I agree on CLI the unregister globals can be avoided. But at the same time, it is now (and has been for quite a few years) generally considered a bad thing to have register globals on, and it's advisable to switch it off.