Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "PHP-FPM" page has been changed by thumbs:
http://wiki.apache.org/httpd/PHP-FPM?action=diff&rev1=1&rev2=2

  __Don't forget to reload apache after making any changes to a vhost or other configuration file.__
+ ==== Caveat ====
+ One might be tempted to point out that a greedy ProxyPassMatch directive might allow some malicious content uploaded by a HTTP client to be served.
+ 
+ This is by no means a comprehensive security document, but instead will point out a possible injection vector that could be generated from the directives in this document.
+ 
+ Take, for example:
+ 
+ `/uploads/malicious.jpg/lalalaalala.php`
+ 
+ Would lead php-fpm to process that file (/uploads/malicious.jpg), and without certain sanity check, possibly lead to a compromised server.
+ 
+ This, of course, is not recommended. Content uploaded using php should be saved safely outside the DocumentRoot, and the pathinfo should be scrutinized.
+ 
+ Additionally, php-fpm should check if the script being invoked is allowed.
+ 
+ If such restrictions cannot be implemented easily, then checks could be performed prior to proxying with a RewriteCond or FallbackResource to ensure that the URI is not altered by the HTTP client.
+ 

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org
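Review bot: the sentence "php-fpm should check if the script being invoked is allowed" names no mechanism, so the reader cannot act on it; the php-fpm pool option that does this is `security.limit_extensions` (default `.php`), and the caveat should state it. The example `/uploads/malicious.jpg/lalalaalala.php` also needs one sentence on why php-fpm ends up executing `/uploads/malicious.jpg`: with PHP's default `cgi.fix_pathinfo=1` the interpreter walks back along PATH_INFO until it reaches an existing file, so the risk described only holds under that setting and the text should say so. The closing RewriteCond suggestion would be clearer with the concrete check it has in mind, for instance `RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f` followed by a rule that refuses the request before ProxyPassMatch runs, and the "greedy ProxyPassMatch directive" it warns about should be quoted from the page so the caveat is tied to a specific directive rather than left implicit.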