View Issue Details

ID: 0001608
Project: Xdebug
Category: Step Debugging
View Status: public
Last Update: 2020-11-14 16:15
Reporter: alexo
Assigned To: derick
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: ANY
OS: ANY
OS Version: ANY
Product Version: 2.6.0
Target Version: 3.0.0RC1
Fixed in Version: 3.0.0RC1
Summary: 0001608: XDEBUG_CONFIG env var makes sessions automatically START ever (at least send the XDEBUG_SESSION cookie)
Description

I think I've found a great bug in the XDEBUG sources (linked to my previous issue 0001604, not yet answered).

My problem was that I've set (for any need) an EMPTY env var called XDEBUG_CONFIG; this makes XDEBUG ALWAYS write an XDEBUG_SESSION cookie in response to any request, with the default IDE key.
This is a security issue as anyone is able to know that XDEBUG is enabled. (I was protected as I used a firewalled dbgp-proxy, but it is a security issue.)

THIS also makes XDEBUG try to contact the xdebug.remote_host EVER, when remote_enable=0 or remote_autostart=0,
causing PERFORMANCE ISSUES (a call to the proxy/IDE for ALL the requests).

I arrived at this problem through reading the C source and I saw this line:
https://github.com/xdebug/xdebug/blob/2be75478788e84f75662ad4c400697ff02b47b37/xdebug_com.c#L569

I'm not actually a C developer but wrote some drivers in the past, so I can quickly understand that getenv() returns NULL only when the ENV_VAR does not exist... when it is empty getenv() returns an empty string that in that IF evaluates to TRUE.

Actually I'm unable to make a fix/PR as I haven't touched C in some time, so please make a PR yourself and TAG me on GitHub if you like (my GitHub account is aledelgo).

Steps To Reproduce

Set this in the php-fpm pool setting:

env[XDEBUG_CONFIG] = $XDEBUG_CONFIG

Set the env as empty on your system:
XDEBUG_CONFIG=

Set these settings in php.ini:
xdebug.remote_host=
xdebug.remote_enable=0

Call any php file.
The return request ALWAYS tries to write a cookie:
XDEBUG_SESSION=<default_ide_key>

If you set
xdebug.remote_enable=1
the remote_host will ALWAYS be contacted, even when the request doesn't include any xdebug session trigger.
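The getenv() distinction the report relies on (a variable that is unset versus one that is exported with an empty value), shown as an added example. This is not code from the issue, from the reporter's PR, or from Xdebug itself; the variable name XDEBUG_CONFIG_DEMO, the sample value and both check functions are assumptions made for the demo.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for setenv()/unsetenv() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical variable name used only for this demo; not the one Xdebug reads. */
#define DEMO_VAR "XDEBUG_CONFIG_DEMO"

/* The check pattern the report describes: any non-NULL pointer counts as "set".
 * getenv() returns a pointer to "" for an exported-but-empty variable, so this
 * reports 1 for `XDEBUG_CONFIG=` exactly as it does for a real config string. */
int naive_env_present(const char *name)
{
    return getenv(name) != NULL;
}

/* Hardened check: treat "unset" and "set but empty" the same way, so an
 * accidental `env[XDEBUG_CONFIG] = $XDEBUG_CONFIG` with no value behind it
 * cannot switch on debugging behaviour (cookie, remote connection attempt). */
int env_has_value(const char *name)
{
    const char *v = getenv(name);
    return v != NULL && v[0] != '\0';
}

/* Drive a check through the three states the report distinguishes: unset,
 * empty, populated. Returns a bit mask of where the check fired
 * (bit 0 = unset, bit 1 = empty, bit 2 = populated), so the two checks can be
 * compared side by side. Values set here are constructed for the demo. */
int probe(int (*check)(const char *))
{
    int mask = 0;

    unsetenv(DEMO_VAR);                        /* state 1: variable absent    */
    if (check(DEMO_VAR)) mask |= 1;

    setenv(DEMO_VAR, "", 1);                   /* state 2: `XDEBUG_CONFIG=`   */
    if (check(DEMO_VAR)) mask |= 2;

    setenv(DEMO_VAR, "idekey=PHPSTORM", 1);    /* state 3: a real value        */
    if (check(DEMO_VAR)) mask |= 4;

    unsetenv(DEMO_VAR);                        /* leave the environment clean */
    return mask;
}

int main(void)
{
    /* naive check fires for empty AND populated: mask 6 (binary 110) */
    printf("naive check  (unset/empty/populated mask): %d\n", probe(naive_env_present));
    /* strict check fires only for populated: mask 4 (binary 100) */
    printf("strict check (unset/empty/populated mask): %d\n", probe(env_has_value));
    return 0;
}
```

The mask makes the defect visible in one number: the naive check cannot tell an empty export from a configured one, while the stricter check only reacts to a variable that actually carries a value, which is the behaviour the report asks for.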

Tags: No tags attached.
Operating System:
PHP Version: 7.1.20-7.1.24

Relationships

has duplicate 0001604 (resolved, derick): xdebug ALWAYS trigger session. xdebug.remote_autostart=0 ignored when xdebug.remote_host is set.

Activities

alexo

2019-01-15 14:58

reporter   ~0004805

I've tried to fix it and make a PR on the fly...
https://github.com/xdebug/xdebug/pull/440

don't blame me for the rude attempt.

hope you can improve it.

thanks

derick

2019-01-22 22:08

administrator   ~0004827

I can see there is something odd going on here. I don't think your fix is correct, but I will have a look once Xdebug 2.7.0 has been released. Thanks for reporting this issue!

derick

2020-11-14 10:38

administrator   ~0005531

https://github.com/xdebug/xdebug/pull/687

derick

2020-11-14 10:49

administrator   ~0005532

https://github.com/xdebug/xdebug/pull/687

Issue History

Date Modified Username Field Change
2019-01-15 14:30 alexo New Issue
2019-01-15 14:58 alexo Note Added: 0004805
2019-01-22 22:08 derick Note Added: 0004827
2019-01-22 22:08 derick Assigned To => derick
2019-01-22 22:08 derick Status new => acknowledged
2019-01-22 22:11 derick Relationship added has duplicate 0001604
2019-08-05 19:18 derick Target Version => 3.0dev
2020-03-12 16:35 derick Category Usage problems (Wrong Results) => Variable Display
2020-03-12 16:37 derick Category Variable Display => Step Debugging
2020-11-14 10:38 derick Status acknowledged => assigned
2020-11-14 10:38 derick Note Added: 0005531
2020-11-14 10:49 derick Status assigned => closed
2020-11-14 10:49 derick Resolution open => fixed
2020-11-14 10:49 derick Fixed in Version => 3.0.0RC1
2020-11-14 10:49 derick Note Added: 0005532
2020-11-14 16:15 derick Target Version 3.0dev => 3.0.0RC1