FCGI_PARAMS FastCGI record format

Published: February 4, 2019


Recently I was trying to update Gopherus’ FastCGI payload to clear PHP-FPM’s security.limit_extensions value. Using Wireshark I knew I needed to edit an FCGI_PARAMS record.

Screenshot showing an FCGI_PARAMS record in Wireshark

However, no matter how much time I spent with Google I couldn’t find a decent explanation of the format of an FCGI_PARAMS record.

Fortunately, after going through an FCGI_PARAMS record byte-by-byte in Wireshark, I figured out what was going on. Here I’m documenting my findings for anyone else who finds themselves in the same shoes…

How It Works

Let’s look at the example again.

Screenshot showing an FCGI_PARAMS name value pair in Wireshark

In Wireshark there are two bytes (09 and 4b) before the key / value pair (PHP_VALUE = allow_url_include = On \ndisable_functions = \nauto_prepend_file = php://input). What are they?

It turns out the first byte is the length of the key (0x09 = 9, the length of PHP_VALUE) and the second byte is the length of the value (0x4b = 75, the length of the three php.ini lines including the two newlines). Note that this one-byte form only applies to lengths below 128: a key or value of 128 bytes or more has its length sent as four bytes, big-endian, with the high bit of the first byte set to flag the long form. A payload that grows past 127 bytes (easy to do once you add a few more directives to PHP_VALUE) will be rejected or misparsed if you keep writing a single length byte.

The entire Params component of an FCGI_PARAMS record is made up of key / value pairs in this format, one after another.

Actually Finding The Answer In The Spec.

It turns out this is explained in the spec:

FastCGI transmits a name-value pair as the length of the name, followed by the length of the value, followed by the name, followed by the value.

https://fastcgi-archives.github.io/FastCGI_Specification.html#34-name-value-pairs
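To make the rule above concrete, here is a small encoder and decoder for FastCGI name-value pairs, plus a helper that wraps them in a complete FCGI_PARAMS record. This is an added example written for this post, not code from Gopherus or from the FastCGI project. The sample key and value are the ones visible in the Wireshark capture (PHP_VALUE with the three php.ini lines); the record header layout (version, type, request id, content length, padding length, reserved byte) follows the spec linked above, and the request id of 1 is an arbitrary choice. It also handles the four-byte length form the spec requires for lengths of 128 bytes or more, which the one-byte example in the screenshot does not exercise.

```python
import struct

FCGI_VERSION_1 = 1
FCGI_PARAMS = 4  # record type for name-value pairs

# Constructed sample: the pair seen in the Wireshark capture in this post.
PHP_VALUE_NAME = b"PHP_VALUE"
PHP_VALUE_SAMPLE = (
    b"allow_url_include = On\n"
    b"disable_functions = \n"
    b"auto_prepend_file = php://input"
)


def encode_length(n: int) -> bytes:
    """Spec section 3.4: lengths below 128 take one byte; larger lengths take
    four bytes, big-endian, with the high bit of the first byte set."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    if n > 0x7FFFFFFF:
        raise ValueError("length does not fit in 31 bits")
    return struct.pack(">I", n | 0x80000000)


def encode_pair(name: bytes, value: bytes) -> bytes:
    """Name length, then value length, then name, then value."""
    return encode_length(len(name)) + encode_length(len(value)) + name + value


def decode_length(buf: bytes, pos: int):
    """Return (length, next_pos); the high bit of the first byte selects the form."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    if pos + 4 > len(buf):
        raise ValueError("truncated four-byte length")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return n & 0x7FFFFFFF, pos + 4


def decode_pairs(buf: bytes) -> list:
    """Parse the content of an FCGI_PARAMS record into a list of (name, value)."""
    pairs, pos = [], 0
    while pos < len(buf):
        nlen, pos = decode_length(buf, pos)
        vlen, pos = decode_length(buf, pos)
        if pos + nlen + vlen > len(buf):
            raise ValueError("truncated name/value data")
        name = buf[pos:pos + nlen]
        pos += nlen
        value = buf[pos:pos + vlen]
        pos += vlen
        pairs.append((name, value))
    return pairs


def fcgi_params_record(params, request_id: int = 1) -> bytes:
    """Wrap encoded pairs in an 8-byte header: version, type, requestId,
    contentLength, paddingLength, reserved. Content is padded to a multiple of 8."""
    content = b"".join(encode_pair(k, v) for k, v in params)
    if len(content) > 0xFFFF:
        raise ValueError("content exceeds one record; split it across several")
    padding = (-len(content)) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION_1, FCGI_PARAMS,
                         request_id, len(content), padding)
    return header + content + b"\x00" * padding


if __name__ == "__main__":
    pair = encode_pair(PHP_VALUE_NAME, PHP_VALUE_SAMPLE)
    print(pair[:2].hex())  # the 09 4b seen in Wireshark
    print(fcgi_params_record([(PHP_VALUE_NAME, PHP_VALUE_SAMPLE)]).hex())
    # A value of 128+ bytes switches to the four-byte length form.
    print(encode_pair(PHP_VALUE_NAME, b"x" * 200)[1:5].hex())
```

Running the script prints `094b` for the sample pair, matching the two bytes in the capture, and `800000c8` for the 200-byte value, showing the long form you need once a PHP_VALUE payload grows past 127 bytes.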

Sometimes, specs can be a bit dense and difficult to extract information out of, so hopefully you found this blog post useful.

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

If you'd like to get in touch with me the best way is on Twitter.