fix: ensure $SERVER["PHP_SELF"] always starts with a slash (#2172)

dunglas · web-flow · commit c30fef09d3db · 2026-02-09T13:51:55.000+01:00
Closes #2166.
diff --git a/cgi.go b/cgi.go
@@ -145,7 +145,7 @@ func addKnownVariablesToServer(fc *frankenPHPContext, trackVarsArray *C.zval) {
 		packCgiVariable(keys["REMOTE_PORT"], port),
 		packCgiVariable(keys["DOCUMENT_ROOT"], fc.documentRoot),
 		packCgiVariable(keys["PATH_INFO"], fc.pathInfo),
-		packCgiVariable(keys["PHP_SELF"], request.URL.Path),
+		packCgiVariable(keys["PHP_SELF"], ensureLeadingSlash(request.URL.Path)),
 		packCgiVariable(keys["DOCUMENT_URI"], fc.docURI),
 		packCgiVariable(keys["SCRIPT_FILENAME"], fc.scriptFilename),
 		packCgiVariable(keys["SCRIPT_NAME"], fc.scriptName),
@@ -340,7 +340,16 @@ func sanitizedPathJoin(root, reqPath string) string {
 
 const separator = string(filepath.Separator)
 
+func ensureLeadingSlash(path string) string {
+	if path == "" || path[0] == '/' {
+		return path
+	}
+
+	return "/" + path
+}
+
 func toUnsafeChar(s string) *C.char {
 	sData := unsafe.StringData(s)
+
 	return (*C.char)(unsafe.Pointer(sData))
 }
diff --git a/cgi_test.go b/cgi_test.go
@@ -0,0 +1,33 @@
+package frankenphp
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestEnsureLeadingSlash(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{"/index.php", "/index.php"},
+		{"index.php", "/index.php"},
+		{"/", "/"},
+		{"", ""},
+		{"/path/to/script.php", "/path/to/script.php"},
+		{"path/to/script.php", "/path/to/script.php"},
+		{"/index.php/path/info", "/index.php/path/info"},
+		{"index.php/path/info", "/index.php/path/info"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input + "-" + tt.expected, func(t *testing.T) {
+			t.Parallel()
+
+			assert.Equal(t, tt.expected, ensureLeadingSlash(tt.input), "ensureLeadingSlash(%q)", tt.input)
+		})
+	}
+}
