Edit report at https://bugs.php.net/bug.php?id=55181&edit=1

ID:                 55181
Patch added by:     f...@php.net
Reported by:        f...@php.net
Summary:            Enhance security by limiting the script extension
Status:             Analyzed
Type:               Feature/Change Request
Package:            FPM related
Operating System:   any
PHP Version:        5.3.6
Assigned To:        fat
Block user comment: N
Private report:     N

New Comment:

The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v2.patch&revision=1310393984

Previous Comments:
------------------------------------------------------------------------
[2011-07-11 08:36:13] f...@php.net

The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v1.patch&revision=1310387773

------------------------------------------------------------------------
[2011-07-11 08:29:37] f...@php.net

Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP code from any kind of files (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will execute.

Something like (in pool configuration)

security.limit_extensions = .php

if the primary script does not end with .php, an access denied is returned (403).

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=55181&edit=1
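
An added example, not part of the bug report or the attached patches: a small audit that reads FPM pool configuration text and reports pools where the proposed `security.limit_extensions` directive is missing, empty, or wider than `.php`. It assumes the value is a space-separated list, that an empty value means no restriction, and that `[global]` is not a pool; the sample configuration is constructed.

```python
import re

DIRECTIVE = "security.limit_extensions"  # name as proposed in the report

# Constructed sample pool configuration (not from the report).
SAMPLE = """\
[global]
error_log = /var/log/php-fpm.log
[www]
security.limit_extensions = .php
[uploads]
security.limit_extensions = .php .jpg
[legacy]
security.limit_extensions =
[old]
listen = 127.0.0.1:9000
"""

def parse_pools(text):
    """Map each [section] to its directive/value pairs."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or ini comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return pools

def audit(text, expected=(".php",)):
    """Return {pool: finding} for pools whose limit is missing or too wide."""
    findings = {}
    for name, conf in parse_pools(text).items():
        if name == "global":  # assumption: global section, not a pool
            continue
        if DIRECTIVE not in conf:
            findings[name] = "unset"
            continue
        exts = conf[DIRECTIVE].split()  # assumption: space-separated list
        extra = sorted(set(exts) - set(expected))
        if not exts:  # assumption: empty value means no restriction
            findings[name] = "empty"
        elif extra:
            findings[name] = "extra: " + " ".join(extra)
    return findings
```

A pool reported as `unset` depends on whatever default the installed FPM build applies, so check that default before treating the pool as restricted.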