
Script causing 500 Internal Server Error

My site has been suffering "500 Internal Server Error" often of late, and host has advised that this bundle.css.php script might be the reason why ...

<?php
// Compress everything echoed below with gzip before it is sent.
ob_start('ob_gzhandler');
header('Content-Type: text/css');
// Comma-separated list of stylesheet names taken straight from the query string.
// explode() is the non-deprecated equivalent of split() for a literal "," separator.
$files = explode(",", $_GET['files']);
foreach ($files as $key => $val) {
    // The request controls the path: any readable "<val>.css" is included as-is.
    if (file_exists($val . '.css')) {
        include_once($val . '.css');
    } else {
        echo "\n\n/*** File \"$val\" does not exist. ***/\n\n";
    }
}
?>

In the words of my host ...

"It is trying to buffer all of output into ob_gzhandler. It is taking a very insecure list of parameters passed in GET variable 'files', and is then trying to include those files into the output. I'm not sure exactly what list of parameters is being passed, but I suspect there is a bug somewhere in your scripts that is passing a large array of file names to this script, and thus trying to build a buffered object that is too large."

This is well beyond my expertise, so any advice to fix the problem would be much appreciated. Many thanks.


UPDATE

The error log is full of lines such as ...

[Mon Apr 23 15:44:41 2012] [error] [client xx.xx.xx.xx] (12)Cannot allocate memory: couldn't create child process: /opt/suphp/sbin/suphp for /home/xxxxxy/public_html/xxxx.php, referer: http://www.xxxxxxx.com/wp-content/themes/xxx/style.css

Multiple points to take into account here, starting with an explanation of the code:

You're starting the gzip output buffering handler, emitting a Content-Type: text/css header, splitting the contents of the GET form parameter by comma, looping through each element in the resulting array, including each file as necessary or emitting a CSS comment as a logging string.

It's most likely that your PHP process doesn't have enough memory to handle the output buffering and the compression all at once. It's also possible that your host could have an application-layer firewall preventing this (something like mod_security for good reason) or it's also possible that your PHP doesn't support the GZIP output buffering.

This script is a massive security hole! You can make the web server running this code dump arbitrary files from the server it's running on by altering a form parameter! Don't use this in production! Ever! If you don't understand what you're doing or it's "outside of your expertise" you should stop coding now and find a new job.

To make this script a bit more robust, you should first check whether the $_GET variable is set via the isset function; second, you should never let users control the variables you are using, because it is very easy to inject malicious code into them. Use $_POST instead if you can, or at least check that the values passed in the $_GET variable are alphanumeric.
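A hardened version of the bundler along the lines the answer suggests, written here as an added example rather than the poster's or host's code. It assumes the stylesheets live in a fixed directory (`CSS_DIR`, assumed) and that only the names in `$allowed` (an assumed allowlist) may be served; the request can pick from that list but never name a path. It also drops `ob_gzhandler` in favour of letting the web server compress responses, and streams files with `readfile()` instead of `include_once()` so no PHP embedded in a stylesheet is ever executed.

```php
<?php
// Added example, not the original script: a CSS bundler that only serves
// files from a fixed allowlist inside one directory.
declare(strict_types=1);

const CSS_DIR = __DIR__ . '/css';          // assumed location of the stylesheets
$allowed = ['reset', 'layout', 'theme'];  // assumed allowlist of bundle members

/**
 * Resolve a comma-separated list of bundle names to absolute file paths.
 * Names that are malformed, not on the allowlist, or missing on disk are
 * reported through $errors and never touched.
 */
function resolveBundle(string $list, array $allowed, string $dir, array &$errors): array
{
    $paths = [];
    $errors = [];
    $base = realpath($dir);
    if ($base === false) {
        $errors[] = 'stylesheet directory is not available';
        return $paths;
    }
    foreach (array_unique(explode(',', $list)) as $name) {
        $name = trim($name);
        // Shape check first: short alphanumeric names, no dots or slashes.
        if ($name === '' || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
            $errors[] = 'invalid name';          // raw input is never echoed back
            continue;
        }
        // Allowlist check: the request may only pick from names we already know.
        if (!in_array($name, $allowed, true)) {
            $errors[] = "unknown file \"$name\"";
            continue;
        }
        // Defence in depth: the resolved path must still sit inside $base.
        $real = realpath($base . DIRECTORY_SEPARATOR . $name . '.css');
        if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
            $errors[] = "missing file \"$name\"";
            continue;
        }
        $paths[] = $real;
    }
    return $paths;
}

// Reject requests that omit the parameter or send it in an unexpected shape.
if (!isset($_GET['files']) || !is_string($_GET['files'])) {
    http_response_code(400);
    exit;
}

// Cap the list length so an oversized request cannot inflate the response.
if (substr_count($_GET['files'], ',') >= count($allowed)) {
    http_response_code(400);
    exit;
}

$errors = [];
$paths = resolveBundle($_GET['files'], $allowed, CSS_DIR, $errors);

header('Content-Type: text/css');
// Stream each file: readfile() copies bytes without executing them and
// does not require buffering the whole bundle in memory.
foreach ($paths as $path) {
    readfile($path);
    echo "\n";
}
foreach ($errors as $err) {
    echo "\n/*** $err ***/\n";
}
```

With this layout a request such as `bundle.css.php?files=reset,layout` serves exactly those two files, while anything outside the allowlist produces only a CSS comment. The `realpath()` containment check is redundant once the allowlist is in place, but it is cheap and protects the script if someone later relaxes the name pattern.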
