View Issue Details

ID: 0001608
Project: Xdebug
Category: Usage problems (Wrong Results)
View Status: public
Last Update: 2019-01-22 22:08
Reporter: alexo
Assigned To: derick
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Platform: ANY
OS: ANY
OS Version: ANY
Product Version: 2.6.0
Target Version:
Fixed in Version:
Summary: 0001608: XDEBUG_CONFIG env var makes sessions automatically START ever (at least send the XDEBUG_SESSION cookie)
Description: I think I've found a great bug in the XDEBUG sources (linked to my previous issue 0001604, not yet answered).

My problem was that I've set (for any need) an EMPTY env var called XDEBUG_CONFIG; this makes XDEBUG ALWAYS write a XDEBUG_SESSION cookie in response to any request, with the default IDE key.
This is a security issue as anyone is able to know that XDEBUG is enabled. (I was protected as I used a firewalled dbgp-proxy, but it is a security issue.)

THIS also makes XDEBUG ever try to contact the xdebug.remote_host EVER when remote_enable=0 or remote_autostart=0
causing PERFORMANCE ISSUES (a call to the proxy/IDE for ALL the requests)

I arrived at this problem through reading the C source and I saw this line:
https://github.com/xdebug/xdebug/blob/2be75478788e84f75662ad4c400697ff02b47b37/xdebug_com.c#L569

I'm not actually a C developer but wrote some drivers in the past, so I can quickly understand that getenv() returns NULL only when the ENV_VAR *does not exist*... when it is empty getenv() returns an empty string that in that IF evaluates to TRUE.

Actually I'm unable to make a fix/PR as I haven't touched C lang for some time, so please make a PR yourself and TAG me on GitHub if you have pleasure (my GitHub account is aledelgo)

Steps To Reproduce: Set this in the php-fpm pool setting

env[XDEBUG_CONFIG] = $XDEBUG_CONFIG

set the env as empty on your system
XDEBUG_CONFIG=

set these settings in php.ini
xdebug.remote_host=
xdebug.remote_enable=0

call any php file.
the return request ALWAYS tries to write a cookie
XDEBUG_SESSION=<default_ide_key>

if you set
xdebug.remote_enable=1
the remote_host will be EVER contacted, also when the request doesn't include any xdebug session trigger.
Tags: No tags attached.
Operating System:
PHP Version: 7.1.20-7.1.24
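
The getenv() distinction the report relies on, as an added C example (not part of the report and not Xdebug's source): an unset variable yields NULL, while a variable set to an empty string yields a non-NULL pointer, so a pointer-only test counts it as present. The helper names and the sample value are constructed for illustration.

```c
/* Added illustration; helper names are hypothetical, not Xdebug's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* for setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>

enum env_state { ENV_UNSET, ENV_EMPTY, ENV_HAS_VALUE };

/* getenv() returns NULL only when the variable is absent from the
 * environment; a variable set to "" yields a valid pointer to "\0". */
static enum env_state classify_env(const char *name)
{
    const char *v = getenv(name);
    if (v == NULL)
        return ENV_UNSET;
    return (*v == '\0') ? ENV_EMPTY : ENV_HAS_VALUE;
}

/* Pointer-only test: true for an empty variable as well. */
static int present_naive(const char *name)
{
    return getenv(name) != NULL;
}

/* Stricter test: an empty variable counts as not configured. */
static int present_strict(const char *name)
{
    return classify_env(name) == ENV_HAS_VALUE;
}

int main(void)
{
    const char *name = "XDEBUG_CONFIG";
    /* Constructed sample values: unset, empty, and a non-empty setting. */
    const char *cases[] = { NULL, "", "idekey=constructed" };
    for (size_t i = 0; i < 3; i++) {
        if (cases[i]) setenv(name, cases[i], 1); else unsetenv(name);
        printf("%-20s naive=%d strict=%d\n",
               cases[i] ? (*cases[i] ? cases[i] : "(empty)") : "(unset)",
               present_naive(name), present_strict(name));
    }
    return 0;
}
```
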

Relationships

has duplicate 0001604 (resolved, derick): xdebug ALWAYS trigger session. xdebug.remote_autostart=0 ignored when xdebug.remote_host is set.

Activities

alexo

2019-01-15 14:58

reporter   ~0004805

I've tried to fix and make a PR on the fly...
https://github.com/xdebug/xdebug/pull/440

don't blame me for the rude attempt.

hope you can improve it.

thanks

derick

2019-01-22 22:08

administrator   ~0004827

I can see there is something odd going on here. I don't think your fix is correct, but I will have a look once Xdebug 2.7.0 has been released. Thanks for reporting this issue!

Issue History

Date Modified Username Field Change
2019-01-15 14:30 alexo New Issue
2019-01-15 14:58 alexo Note Added: 0004805
2019-01-22 22:08 derick Note Added: 0004827
2019-01-22 22:08 derick Assigned To => derick
2019-01-22 22:08 derick Status new => acknowledged
2019-01-22 22:11 derick Relationship added has duplicate 0001604