View Issue Details

ID: 08356
Project: Bug reports
Category: Installation
View Status: public
Last Update: 2013-11-24 19:05
Reporter: flewid
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 2.00+
Fixed in Version: 2.00+
Summary: 08356: Apache 2.4 + PHP5-FPM (Fastcgi) and Rewrite Issue
Description

Hello,

I didn't find another thread about this so I figured I should post it, after asking on IRC and nobody had encountered it.

We are using Ubuntu, with Apache 2.4 and PHP 5.5.x on our new server. The old server was using Apache 2.2 and Mod PHP.

Upon migrating Limesurvey to our new server, the main screen will not load, and the administration interface gives an error.

To be clear, we also tried a fresh installation, and the above still happens.

This happens if it's in its own directory, or if it's in a subdirectory on the server.

I've tried with, and without the default limesurvey .htaccess file as well.

Here's what happens on the index page, followed by the admin page, then the server logs for reference;

HOME PAGE;

CException

CHttpRequest is unable to determine the entry script URL.

/home/username/survey.domainname.com/framework/base/CModule.php(106)

094 /**
095  * Getter magic method.
096  * This method is overridden to support accessing application components
097  * like reading module properties.
098  * @param string $name application component or property name
099  * @return mixed the named property value
100  */
101 public function __get($name)
102 {
103 if($this->hasComponent($name))
104 return $this->getComponent($name);
105 else
106 return parent::__get($name);
107 }
108
109 /**
110  * Checks if a property value is null.
111  * This method overrides the parent implementation by checking
112  * if the named application component is loaded.
113  * @param string $name the property name or the event name
114  * @return boolean whether the property value is null
115  */
116 public function __isset($name)
117 {
118 if($this->hasComponent($name))

Stack Trace
#0

/home/username/survey.domainname.com/framework/web/CHttpRequest.php(315): CHttpRequest->getScriptUrl()

310  * @see setScriptUrl
311  */
312 public function getBaseUrl($absolute=false)
313 {
314 if($this->_baseUrl===null)
315 $this->_baseUrl=rtrim(dirname($this->getScriptUrl()),'\/');
316 return $absolute ? $this->getHostInfo() . $this->_baseUrl : $this->_baseUrl;
317 }
318
319 /**
320  * Sets the relative URL for the application.

#1

/home/username/survey.domainname.com/framework/base/CApplication.php(553): CHttpRequest->getBaseUrl(false)

548  * @return string the relative URL for the application
549  * @see CHttpRequest::getBaseUrl()
550  */
551 public function getBaseUrl($absolute=false)
552 {
553 return $this->getRequest()->getBaseUrl($absolute);
554 }
555
556 /**
557  * @return string the homepage URL
558  */

#2

/home/username/survey.domainname.com/framework/base/CComponent.php(112): CApplication->getBaseUrl()

107 */
108 public function __get($name)
109 {
110 $getter='get'.$name;
111 if(method_exists($this,$getter))
112 return $this->$getter();
113 else if(strncasecmp($name,'on',2)===0 && method_exists($this,$name))
114 {
115 // duplicating getEventHandlers() here for performance
116 $name=strtolower($name);
117 if(!isset($this->_e[$name]))

#3

/home/username/survey.domainname.com/framework/base/CModule.php(106): CComponent->__get("baseUrl")

101 public function __get($name)
102 {
103 if($this->hasComponent($name))
104 return $this->getComponent($name);
105 else
106 return parent::__get($name);
107 }
108
109 /**
110  * Checks if a property value is null.
111  * This method overrides the parent implementation by checking

#4

/home/username/survey.domainname.com/application/config/config-defaults.php(579): CModule->__get("baseUrl")

574 //The following url and dir locations do not need to be modified unless you have a non-standard
575 //LimeSurvey installation. Do not change unless you know what you are doing.
576
577 if(!isset($argv[0]))
578 {
579 $config['publicurl'] = Yii::app()->baseUrl . '/'; // The public website location (url) of the public survey script
580 }
581 else
582 {
583 $config['publicurl'] = '/';
584 }

#5

/home/username/survey.domainname.com/application/core/LSYii_Application.php(109): require("/home/username/survey.domainname.com/application/config/config-defaults....")

104 ),
105 ));
106
107 parent::__construct($config);
108 // Load the default and environmental settings from different files into self.
109 $ls_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'config-defaults.php');
110 $email_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'email.php');
111 $version_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'version.php');
112 $settings = array_merge($ls_config, $version_config, $email_config);
113
114 if(file_exists(APPPATH . DIRECTORY_SEPARATOR. 'config' . DIRECTORY_SEPARATOR . 'config.php'))

#6

/home/username/survey.domainname.com/framework/YiiBase.php(127): LSYii_Application->__construct("/home/username/survey.domainname.com/application/config/config.php")

122  * to the constructor of the application class.
123  * @return mixed the application instance
124  */
125 public static function createApplication($class,$config=null)
126 {
127 return new $class($config);
128 }
129
130 /**
131  * Returns the application singleton, null if the singleton has not been created yet.
132  * @return CApplication the application singleton, null if the singleton has not been created yet.

#7

/home/username/survey.domainname.com/index.php(179): YiiBase::createApplication("LSYii_Application", "/home/username/survey.domainname.com/application/config/config.php")

174
175  */
176 require_once BASEPATH . 'yii' . EXT;
177 require_once APPPATH . 'core/LSYii_Application' . EXT;
178
179 Yii::createApplication('LSYii_Application', APPPATH . 'config/config' . EXT)->run();
180
181 /* End of file index.php */
182 /* Location: ./index.php */

ADMIN PAGE;

Access denied.

SERVER LOGS;

[Tue Nov 12 04:36:22.810573 2013] [:error] [pid 7811:tid 140527118784256] [client 50.157.104.227:65403] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi-domainname-survey" stderr: Access to the script '/home/username/survey.domainname.com/index.php/admin' has been denied (see security.limit_extensions)

Steps To Reproduce
  1. Untar Limesurvey in a directory, or document root within Apache 2.4 + phpfpm

  2. Set up VHOST like you would any other vhost with phpfpm

  3. Visit the web address http://site.com/ or http://site.com/survey/

  4. The main screen will present one error

  5. The admin screen will present a different error.

Additional Information

The problem appears to be in the rewrites supplied with the controller/limesurvey.

By default, the newer versions of PHP and PHP5-FPM include a new directive in the pool configuration, which is;

security.limit_extensions = .php

What this does is limit what PHP5-FPM will execute as a PHP script, in hopes of stopping certain attacks on the site, obviously.

However, because of the rewrites employed by limesurvey, it's thinking that /admin/ is not a php file.

I tried adding /admin, admin, . to the restrictions line and that did not make a difference.

Full PHP version;

PHP 5.5.3-1ubuntu2 (cli) (built: Oct 9 2013 14:49:12)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
with Zend OPcache v7.0.2, Copyright (c) 1999-2013, by Zend Technologies

Default HTACCESS;

<IfModule mod_rewrite.c>
RewriteEngine on

# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# otherwise forward it to index.php
RewriteRule . index.php

</IfModule>

# General setting to properly handle LimeSurvey paths

AcceptPathInfo on

My VHOST;

<VirtualHost XXX.XXX.XXX.XXX:80>
ServerName survey.domainname.com
DocumentRoot /home/username/survey.domainname.com/
<Directory "/home/username/survey.domainname.com">
AllowOverride All
Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
Require all granted
DirectoryIndex home.php index.php index.html index.htm
<IfModule mod_headers.c>
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=7257600"
</FilesMatch>
<FilesMatch ".(js|css|pdf|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch ".(pl|php|cgi|spl|htm|html)$">
Header unset Cache-Control
Header unset Expires
Header unset Last-Modified
FileETag None
Header unset Pragma
</FilesMatch>
</IfModule>
</Directory>
ErrorLog /home/username/logs/survey.domainname.com.error.log
LogLevel warn
CustomLog /home/username/logs/survey.domainname.com.access.log combined
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
<IfModule mod_fastcgi.c>
AddHandler fastcgi-script .fcgi
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi-domainname-survey
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-domainname-survey -idle-timeout 100 -socket /var/run/php-domainname.socket -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
AllowOverride All
Options None
Require all granted
Options FollowSymLinks
</Directory>
</IfModule>
</VirtualHost>

Tags: No tags attached.
Bug heat: 4
Complete LimeSurvey version number (& build): 131107
I will donate to the project if issue is resolved: No
Browser: Chrome, Firefox, Safari
Database type & version: MariaDB - Ubuntu Latest
Server OS (if known): Ubuntu Server
Webserver software & version (if known): Apache 2.4
PHP Version: PHP 5.5.3

Users monitoring this issue

flewid

Activities

c_schmitz

2013-11-20 23:43

administrator   ~27261

If you set security.limit_extensions to an empty value the restriction should be lifted.
Alternatively just change
'urlFormat' => 'path'
in /application/config/config.php
to
'urlFormat' => 'get'
but you will lose the short URLs.
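
The denial in the server log and the two workarounds in the note above, as an added example that is not part of the original thread or of LimeSurvey's code: a simplified Python model of the suffix check PHP-FPM applies to the script path, run against the paths from the report. The pool snippets, the function names and the treatment of a missing directive as `.php` are assumptions made for illustration.

```python
# Added example: simplified model of PHP-FPM's security.limit_extensions check.
# Pool snippets are constructed; the script paths are the ones in the report.
ROOT = "/home/username/survey.domainname.com"
PATH_STYLE = ROOT + "/index.php/admin"  # urlFormat 'path': route follows the script name
GET_STYLE = ROOT + "/index.php"         # urlFormat 'get': route is in the query string
RESTRICTED = "[survey]\nsecurity.limit_extensions = .php\n"
LIFTED = "[survey]\nsecurity.limit_extensions =\n"


def limit_extensions(pool_conf):
    """Return the configured extension list, or None if the directive is absent."""
    value = None
    for raw in pool_conf.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in FPM configs
        if "=" not in line:
            continue  # section headers and blank lines
        key, val = (part.strip() for part in line.split("=", 1))
        if key == "security.limit_extensions":
            value = val.split()
    return value


def fpm_allows(script_filename, extensions):
    """Model: allowed if the list is empty or the path ends with a listed extension."""
    if not extensions:
        return True
    return any(len(script_filename) > len(ext) and script_filename.endswith(ext)
               for ext in extensions)


def audit(pool_conf, script_filenames):
    """List what a reviewer should look at for this pool and these script paths."""
    exts = limit_extensions(pool_conf)
    if exts is None:
        exts = [".php"]  # assumption: absent directive behaves like the report's default
    findings = []
    if not exts:
        findings.append("restriction lifted: any file handed to FPM is run as PHP")
    findings += ["denied: " + p for p in script_filenames if not fpm_allows(p, exts)]
    return findings


if __name__ == "__main__":
    for name, conf in (("restricted", RESTRICTED), ("lifted", LIFTED)):
        print(name, audit(conf, [PATH_STYLE, GET_STYLE]))
```

With the `.php` restriction in place only the path-style URL is denied, which is why switching to `'urlFormat' => 'get'` keeps the restriction and still works; the empty value removes the denial but also removes the protection for every other file in the pool's reach.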

c_schmitz

2013-11-20 23:56

administrator   ~27262

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13474

c_schmitz

2013-11-20 23:59

administrator   ~27263

Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13475

c_schmitz

2013-11-20 23:59

administrator   ~27264

Fix: LimeSurvey now tries to find out if security.limit_extensions is set during install and uses urlFormat 'get' if applicable.

c_schmitz

2013-11-24 19:05

administrator   ~27347

2.00+ Build 131122 released

Related Changesets

LimeSurvey: master e1c3719d

2013-11-20 22:56:23

c_schmitz

Fixed issue 08356: PHP5.5 FPM with security.limit_extensions parameter breaks LimeSurvey
Affected Issues: 08356
mod - application/controllers/InstallerController.php

LimeSurvey: 2.05 21f665e3

2013-11-20 22:56:23

c_schmitz

Fixed issue 08356: PHP5.5 FPM with security.limit_extensions parameter breaks LimeSurvey
Affected Issues: 08356
mod - application/controllers/InstallerController.php

Issue History

Date Modified Username Field Change
2013-11-12 11:43 flewid New Issue
2013-11-12 14:11 flewid Issue Monitored: flewid
2013-11-20 23:43 c_schmitz Note Added: 27261
2013-11-20 23:43 c_schmitz Assigned To => c_schmitz
2013-11-20 23:43 c_schmitz Status new => feedback
2013-11-20 23:56 c_schmitz Changeset attached => LimeSurvey master e1c3719d
2013-11-20 23:56 c_schmitz Note Added: 27262
2013-11-20 23:56 c_schmitz Resolution open => fixed
2013-11-20 23:59 c_schmitz Changeset attached => LimeSurvey 2.05 21f665e3
2013-11-20 23:59 c_schmitz Note Added: 27263
2013-11-20 23:59 c_schmitz Note Added: 27264
2013-11-20 23:59 c_schmitz Status feedback => resolved
2013-11-20 23:59 c_schmitz Fixed in Version => 2.00+
2013-11-24 19:05 c_schmitz Note Added: 27347
2013-11-24 19:05 c_schmitz Status resolved => closed
2021-08-02 18:07 guest Bug heat 2 => 4