FCGI_PARAMS FastCGI record format
Published: February 4, 2019
Recently I was trying update Gopherus’ FastCGI payload to clear PHP-FPM’s
security.limit_extensions value. Using Wireshark I knew I needed to edit an
However, no matter how much time I spent with Google I couldn’t find a decent explanation of the format of a
Fortunately, after going through the a
FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds them selves in the same shoes…
How It Works
Let’s look at the example again.
In Wireshark there are two bytes (
4b) before the key / value pair (
PHP_VALUE = allow_url_include = On \ndisable_functions = \nauto_prepend_file = php://input). What are they?
It turns out the first byte is the length of the key and the second byte is the length of the value.
PHP_VALUEis 9 characters long in decimal, or
allow_url_include = On \ndisable_functions = \nauto_prepend_file = php://inputis 75 characters long in decimal, or
Params component of a
FCGI_PARAMS record is made up of key / value pairs in this format.
Actually Finding The Answer In The Spec.
It turns out this is explained in in the spec:
FastCGI transmits a name-value pair as the length of the name, followed by the length of the value, followed by the name, followed by the value.
Sometimes, specs can be a bit dense and difficult to extract information out of, so hopefully you found this blog post useful.