Running mantis 1.2.19 on Ubuntu 14.04 and Apache 2.4.18. This installation was just moved from an old CentOS host running Apache 2.2. The new site is running PHP 5.6.20 with php5-fpm; the old site just used mod_php. The site is an SSL-only site, as was the old one on CentOS.
The installation is running well except that attempting to delete a bug attachment file fails.
After confirming the deletion, the URL is redirected to 'https://example.org/php5-fcgi', and the error is printed 'Access denied.'
The error log says this:
[Wed Apr 06 10:23:40.678114 2016] [:error] [pid 4704:tid 140136923412224] [client 173.16.211.81:55582] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi" stderr: Access to the script '/usr/lib/cgi-bin/php5-fcgi' has been denied (see security.limit_extensions), referer: https://mantis.prmia.org/bug_file_delet ... 99c193ffa0
The 'security.limit_extensions' variable is set in fpm/pool.d/www.conf: 'security.limit_extensions = .php .php3 .php4 .php5', which means that only files with these extensions are runnable as PHP.
I have several other PHP sites running on this host without problems. I assume I have mantis misconfigured but I'm not sure how.
I would appreciate any ideas for fixing this. Thanks.
php5-cgi error when deleting attachment file
Last edited by kmorgan on 06 Apr 2016, 21:24, edited 3 times in total.
Re: php5-cgi error when deleting attachment file
To follow up:
This is looking like some kind of redirection problem.
If I relax the suffixes in security.limit_extensions, I get a different printed error 'No input file specified.'
The corresponding log record is:
[Wed Apr 06 11:45:37.833232 2016] [:error] [pid 4704:tid 140136847877888] [client 173.16.211.81:57126] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi" stderr: Unable to open primary script: /usr/lib/cgi-bin/php5-fcgi (No such file or directory), referer: https://mantis.prmia.org/bug_file_delet ... 77753d41c1
SECOND CASE
At https://mantis.prmia.org/manage_overview_page.php, when my session has expired, the message is printed: "You are visiting a secure page, and your secure session has expired. Please authenticate yourself to continue."
When I enter the password and press 'login' the error message is printed 'No input file specified.'
The corresponding log record is:
[Wed Apr 06 14:46:54.985652 2016] [:error] [pid 19269:tid 140652939310848] [client 173.16.211.81:59364] FastCGI: server "/usr/lib/cgi-bin/php5-fcgi" stderr: Unable to open primary script: /usr/lib/cgi-bin/php5-fcgi (No such file or directory), referer: https://mantis.prmia.org/manage_overview_page.php
Re: php5-cgi error when deleting attachment file
Just some thoughts, no real idea at the moment.
I assume you have your attachments stored on disk, not in database.
If so, did you transfer them to the new server and did you store them in the same path?
Check if you succeed in creating a new attachment on the new server and deleting it afterwards.
Re: php5-cgi error when deleting attachment file
Thanks for your reply.
I have been able to reproduce the problem with a freshly created ticket containing a file attachment. Actually attachments are stored in the database for now.
It looks like other redirections are failing too, as I tried to show in my 'SECOND CASE' above.
Re: php5-cgi error when deleting attachment file
Unfortunately the logged error remains the same.
I added the following to config_inc.php and restarted apache.
--
$g_path = 'https://mantis.prmia.org/';
--
Are there some debugging output statements you could recommend? I would be happy to test them and report results back here.
Re: php5-cgi error when deleting attachment file
Problem solved. The problem was caused by the server configuration cgi.fix_pathinfo=0. Changing this setting to '1' fixed the problem.
Background:
Various pages use form_action_self() to generate an originating URL, which in turn uses $_SERVER['SCRIPT_NAME']. The cgi.fix_pathinfo=0 setting caused the script name to be assigned as 'php5-cgi' instead of the actual script, 'bug_file_delete.php' in this case.
In the past PHP FPM broke $_SERVER['SCRIPT_NAME'], and a recommended security practice was to set cgi.fix_pathinfo=0 in fpm/php.ini. This is no longer necessary because FPM restricts PHP execution using the security.limit_extensions setting. See https://serverfault.com/a/701500/23442 for a more thorough explanation.
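An audit of the two settings named in the resolution above, added here as an example (it is not MantisBT's or the poster's code): given the text of fpm/php.ini and of the pool file, it reports the cgi.fix_pathinfo=0 condition behind this thread's error and a pool whose security.limit_extensions no longer restricts execution to PHP suffixes. The function names and the sample config strings are constructed for illustration.

```python
# Added example: audit the two PHP-FPM settings named in the resolution above.
PHP_EXTS = {".php", ".php3", ".php4", ".php5"}  # suffixes from the thread's www.conf

# Constructed sample inputs (not copied from the poster's server).
INI_BROKEN = "; fpm/php.ini\ncgi.fix_pathinfo=0\n"
INI_FIXED = "; fpm/php.ini\ncgi.fix_pathinfo=1\n"
POOL_STRICT = "[www]\nsecurity.limit_extensions = .php .php3 .php4 .php5\n"
POOL_RELAXED = "[www]\nsecurity.limit_extensions =\n"


def parse_ini(text):
    """Return {key: value} for 'key = value' lines; skips comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Drop a trailing ';' comment and surrounding quotes.
            settings[key.strip()] = value.split(";", 1)[0].strip().strip('"')
    return settings


def audit(php_ini_text, pool_conf_text):
    """Return a list of findings; an empty list means the pairing is sound."""
    ini = parse_ini(php_ini_text)
    pool = parse_ini(pool_conf_text)
    findings = []
    fix = ini.get("cgi.fix_pathinfo", "1")  # PHP's default is 1
    # FPM's default is ".php"; an explicitly empty value allows every extension.
    exts = pool.get("security.limit_extensions", ".php").split()
    if fix == "0":
        findings.append("fix_pathinfo=0: SCRIPT_NAME may resolve to the FastCGI wrapper")
    if not exts:
        findings.append("limit_extensions empty: FPM will run any file type")
    extra = sorted(set(exts) - PHP_EXTS)
    if extra:
        findings.append("limit_extensions allows non-PHP suffixes: " + " ".join(extra))
    return findings


if __name__ == "__main__":
    cases = [("before fix", INI_BROKEN, POOL_STRICT),
             ("after fix", INI_FIXED, POOL_STRICT),
             ("relaxed pool", INI_FIXED, POOL_RELAXED)]
    for name, ini, pool in cases:
        print(name, audit(ini, pool) or "ok")
```
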