View Issue Details

This bug affects 1 person(s).
 4
IDProjectCategoryView StatusLast Update
08356Bug reportsInstallationpublic2013-11-24 19:05
Reporterflewid Assigned Toc_schmitz  
PrioritynormalSeverityminor 
Status closedResolutionfixed 
Product Version2.00+ 
Fixed in Version2.00+ 
Summary08356: Apache 2.4 + PHP5-FPM (Fastcgi) and Rewrite Issue
Description

Hello,

I didn't find another thread about this so I figured I should post it, after asking on IRC and nobody had encountered it.

We are using Ubuntu, with Apache 2.4 and PHP 5.5.x on our new server. The old server, was using Apache 2.2 and Mod PHP.

Upon migrating Limesurvey to our new server, the main screen will not load, and the administration interface gives an error.

To be clear, we also tried a fresh installation, and the above still happens.

This happens if it's in it's own directory, or, if it's in a sub directory on the server.

Ive tried with, and without the default limesurvey .htaccess file as well.

Here's what happens on the index page, followed by the admin page, then the server logs for reference;

HOME PAGE;

CException

CHttpRequest is unable to determine the entry script URL.

/home/username/survey.domainname.com/framework/base/CModule.php(106)

094 /
095 Getter magic method.
096
This method is overridden to support accessing application components
097 like reading module properties.
098
@param string $name application component or property name
099 @return mixed the named property value
100
/
101 public function get($name)
102 {
103 if($this->hasComponent($name))
104 return $this->getComponent($name);
105 else
106 return parent::
get($name);
107 }
108
109 /

110 Checks if a property value is null.
111
This method overrides the parent implementation by checking
112 if the named application component is loaded.
113
@param string $name the property name or the event name
114 @return boolean whether the property value is null
115
/
116 public function __isset($name)
117 {
118 if($this->hasComponent($name))

Stack Trace
#0

/home/username/survey.domainname.com/framework/web/CHttpRequest.php(315): CHttpRequest->getScriptUrl()

310 @see setScriptUrl
311
/
312 public function getBaseUrl($absolute=false)
313 {
314 if($this->_baseUrl===null)
315 $this->_baseUrl=rtrim(dirname($this->getScriptUrl()),'\/');
316 return $absolute ? $this->getHostInfo() . $this->_baseUrl : $this->_baseUrl;
317 }
318
319 /*
320
Sets the relative URL for the application.

#1

/home/username/survey.domainname.com/framework/base/CApplication.php(553): CHttpRequest->getBaseUrl(false)

548 @return string the relative URL for the application
549
@see CHttpRequest::getBaseUrl()
550 */
551 public function getBaseUrl($absolute=false)
552 {
553 return $this->getRequest()->getBaseUrl($absolute);
554 }
555
556 /*
557
@return string the homepage URL
558 */

#2

/home/username/survey.domainname.com/framework/base/CComponent.php(112): CApplication->getBaseUrl()

107 */
108 public function __get($name)
109 {
110 $getter='get'.$name;
111 if(method_exists($this,$getter))
112 return $this->$getter();
113 else if(strncasecmp($name,'on',2)===0 && method_exists($this,$name))
114 {
115 // duplicating getEventHandlers() here for performance
116 $name=strtolower($name);
117 if(!isset($this->_e[$name]))

#3

/home/username/survey.domainname.com/framework/base/CModule.php(106): CComponent->__get("baseUrl")

101 public function get($name)
102 {
103 if($this->hasComponent($name))
104 return $this->getComponent($name);
105 else
106 return parent::
get($name);
107 }
108
109 /*
110
Checks if a property value is null.
111 * This method overrides the parent implementation by checking

#4

/home/username/survey.domainname.com/application/config/config-defaults.php(579): CModule->__get("baseUrl")

574 //The following url and dir locations do not need to be modified unless you have a non-standard
575 //LimeSurvey installation. Do not change unless you know what you are doing.
576
577 if(!isset($argv[0]))
578 {
579 $config['publicurl'] = Yii::app()->baseUrl . '/'; // The public website location (url) of the public survey script
580 }
581 else
582 {
583 $config['publicurl'] = '/';
584 }

#5

/home/username/survey.domainname.com/application/core/LSYii_Application.php(109): require("/home/username/survey.domainname.com/application/config/config-defaults....")

104 ),
105 ));
106
107 parent::__construct($config);
108 // Load the default and environmental settings from different files into self.
109 $ls_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'config-defaults.php');
110 $email_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'email.php');
111 $version_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'version.php');
112 $settings = array_merge($ls_config, $version_config, $email_config);
113
114 if(file_exists(APPPATH . DIRECTORY_SEPARATOR. 'config' . DIRECTORY_SEPARATOR . 'config.php'))

#6

/home/username/survey.domainname.com/framework/YiiBase.php(127): LSYii_Application->__construct("/home/username/survey.domainname.com/application/config/config.php")

122 to the constructor of the application class.
123
@return mixed the application instance
124 */
125 public static function createApplication($class,$config=null)
126 {
127 return new $class($config);
128 }
129
130 /*
131
Returns the application singleton, null if the singleton has not been created yet.
132 * @return CApplication the application singleton, null if the singleton has not been created yet.

#7

/home/username/survey.domainname.com/index.php(179): YiiBase::createApplication("LSYii_Application", "/home/username/survey.domainname.com/application/config/config.php")

174
175
/
176 require_once BASEPATH . 'yii' . EXT;
177 require_once APPPATH . 'core/LSYii_Application' . EXT;
178
179 Yii::createApplication('LSYii_Application', APPPATH . 'config/config' . EXT)->run();
180
181 / End of file index.php /
182 / Location: ./index.php /

ADMIN PAGE;

Access denied.

SERVER LOGS;

[Tue Nov 12 04:36:22.810573 2013] [:error] [pid 7811:tid 140527118784256] [client 50.157.104.227:65403] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi-domainname-survey" stderr: Access to the script '/home/username/survey.domainname.com/index.php/admin' has been denied (see security.limit_extensions)

Steps To Reproduce
  1. Untar Limesurvey in a directory, or document root within Apache 2.4 + phpfpm

  2. Setup VHOST like you would any other vhost with phpfpm

  3. Visit the web address http://site.com/ or http://site.com/survey/

  4. The main screen will present one error

  5. The admin screen will present a different error.

Additional Information

The problem appears to be in the rewrites supplied with the controller/limesurvey.

By default, the newer versions of PHP and PHP5-FPM include a new directive in the pool configuration, which is;

security.limit_extensions = .php

What this does is limit what PHP5-FPM will execute as a php script. In hopes of stopping certain attacks on the site, obviously.

However, because of the rewrites employed by limesurvey, it's thinking that /admin/ is not a php file.

I tried adding /admin, admin, . to the restrictions line and that did not make a difference.

Full PHP version;

PHP 5.5.3-1ubuntu2 (cli) (built: Oct 9 2013 14:49:12)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2013 Zend Technologies
with Zend OPcache v7.0.2, Copyright (c) 1999-2013, by Zend Technologies

Default HTACCESS;

<IfModule mod_rewrite.c>
RewriteEngine on

# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# otherwise forward it to index.php
RewriteRule . index.php

</IfModule>

General setting to properly handle LimeSurvey paths

AcceptPathInfo on

My VHOST;

<VirtualHost XXX.XXX.XXX.XXX:80>
ServerName survey.domainname.com
DocumentRoot /home/username/survey.domainname.com/
<Directory "/home/username/survey.domainname.com">
AllowOverride All
Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
Require all granted
DirectoryIndex home.php index.php index.html index.htm
<IfModule mod_headers.c>
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=7257600"
</FilesMatch>
<FilesMatch ".(js|css|pdf|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch ".(pl|php|cgi|spl|htm|html)$">
Header unset Cache-Control
Header unset Expires
Header unset Last-Modified
FileETag None
Header unset Pragma
</FilesMatch>
</IfModule>
</Directory>
ErrorLog /home/username/logs/survey.domainname.com.error.log
LogLevel warn
CustomLog /home/username/logs/survey.domainname.com.access.log combined
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
<IfModule mod_fastcgi.c>
AddHandler fastcgi-script .fcgi
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi-domainname-survey
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi-domainname-survey -idle-timeout 100 -socket /var/run/php-domainname.socket -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
AllowOverride All
Options None
Require all granted
Options FollowSymLinks
</Directory>
</IfModule>
</VirtualHost>

TagsNo tags attached.
Bug heat4
Complete LimeSurvey version number (& build)131107
I will donate to the project if issue is resolvedNo
BrowserChrome, Firefox, Safari
Database type & versionMariaDB - Ubuntu Latest
Server OS (if known)Ubuntu Server
Webserver software & version (if known)Apache 2.4
PHP VersionPHP 5.5.3

Users monitoring this issue

flewid

Activities

c_schmitz

c_schmitz

2013-11-20 23:43

administrator   ~27261

If you set security.limit_extensions to an empty value the restriction should be lifted.
ALternatively just change
'urlFormat' => 'path'
in /application/config/config.php
to
'urlFormat' => 'get'
but you will lose the short URLs.

c_schmitz

c_schmitz

2013-11-20 23:56

administrator   ~27262

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13474

c_schmitz

c_schmitz

2013-11-20 23:59

administrator   ~27263

Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13475

c_schmitz

c_schmitz

2013-11-20 23:59

administrator   ~27264

Fix: LimeSurvey now tries to find out if security.limit_extensions is set during install and uses urlFormat 'get' if applicable.

c_schmitz

c_schmitz

2013-11-24 19:05

administrator   ~27347

2.00+ Build 131122 released

Related Changesets

LimeSurvey: master e1c3719d

2013-11-20 23:56

c_schmitz


Details Diff
Fixed issue 08356: PHP5.5 FPM with security.limit_extensions parameter breaks LimeSurvey Affected Issues
08356
mod - application/controllers/InstallerController.php Diff File

LimeSurvey: 2.05 21f665e3

2013-11-20 23:56

c_schmitz


Details Diff
Fixed issue 08356: PHP5.5 FPM with security.limit_extensions parameter breaks LimeSurvey Affected Issues
08356
mod - application/controllers/InstallerController.php Diff File

Issue History

Date Modified Username Field Change
2013-11-12 11:43 flewid New Issue
2013-11-12 14:11 flewid Issue Monitored: flewid
2013-11-20 23:43 c_schmitz Note Added: 27261
2013-11-20 23:43 c_schmitz Assigned To => c_schmitz
2013-11-20 23:43 c_schmitz Status new => feedback
2013-11-20 23:56 c_schmitz Changeset attached => LimeSurvey master e1c3719d
2013-11-20 23:56 c_schmitz Note Added: 27262
2013-11-20 23:56 c_schmitz Resolution open => fixed
2013-11-20 23:59 c_schmitz Changeset attached => LimeSurvey 2.05 21f665e3
2013-11-20 23:59 c_schmitz Note Added: 27263
2013-11-20 23:59 c_schmitz Note Added: 27264
2013-11-20 23:59 c_schmitz Status feedback => resolved
2013-11-20 23:59 c_schmitz Fixed in Version => 2.00+
2013-11-24 19:05 c_schmitz Note Added: 27347
2013-11-24 19:05 c_schmitz Status resolved => closed
2021-08-02 18:07 guest Bug heat 2 => 4