Edit report at https://bugs.php.net/bug.php?id=55181&edit=1

 ID:                 55181
 Comment by:         [email protected]
 Reported by:        [email protected]
 Summary:            Enhance security by limiting the script extension
 Status:             Analyzed
 Type:               Feature/Change Request
 Package:            FPM related
 Operating System:   any
 PHP Version:        5.3.6
 Assigned To:        fat
 Block user comment: N
 Private report:     N

 New Comment:

Committed on 5.4.

Waiting for 5.3.7 to be released to backport this to 5.3.


Previous Comments:
------------------------------------------------------------------------
[2011-07-12 19:00:39] [email protected]

Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=313186
Log: - Implemented FR #55181 (Enhance security by limiting access to user 
defined extensions)

------------------------------------------------------------------------
[2011-07-11 10:19:45] [email protected]

The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
URL:        
https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v2.patch&revision=1310393984

------------------------------------------------------------------------
[2011-07-11 08:36:13] [email protected]

The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
URL:        
https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v1.patch&revision=1310387773

------------------------------------------------------------------------
[2011-07-11 08:29:37] [email protected]

Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and
execute PHP code from any kind of file (test.php, test.txt, test.jpg,
test.css, ...).

It should be possible to limit the extension of the primary script FPM
will execute.

Something like (in pool configuration):
security.limit_extensions = .php

If the primary script does not end with .php, an access denied is
returned (403).



------------------------------------------------------------------------
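
The check requested in the report, sketched as an added example; it is not code from the attached patches or from PHP-FPM. The function names, the whitespace-separated list format, the fail-closed handling of an empty list and the sample paths are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not FPM's own code): returns 1 if `path` ends with
 * `ext`, compared byte for byte (case-sensitive). */
static int has_suffix(const char *path, size_t path_len,
                      const char *ext, size_t ext_len)
{
    /* A path shorter than the extension can never match. */
    return ext_len > 0 && path_len >= ext_len &&
           memcmp(path + path_len - ext_len, ext, ext_len) == 0;
}

/* Hypothetical check: `allowed` is a whitespace-separated list such as
 * ".php .php5". Returns the HTTP status to answer with: 200 if the primary
 * script may run, 403 otherwise. An empty list allows nothing here
 * (fail closed); that choice is an assumption of this example. */
int limit_extensions_status(const char *script, const char *allowed)
{
    size_t script_len;
    const char *p = allowed;

    if (script == NULL || allowed == NULL)
        return 403;
    script_len = strlen(script);

    while (*p != '\0') {
        size_t n;
        p += strspn(p, " \t");        /* skip separators */
        n = strcspn(p, " \t");        /* length of this entry */
        if (has_suffix(script, script_len, p, n))
            return 200;
        p += n;
    }
    return 403;
}

int main(void)
{
    /* Constructed sample paths, using the file names from the report. */
    const char *samples[] = { "/srv/www/test.php", "/srv/www/test.txt",
                              "/srv/www/test.jpg", "/srv/www/test.css",
                              "/srv/www/test.php.jpg", "php" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i],
               limit_extensions_status(samples[i], ".php"));
    return 0;
}
```

The comparison is on the end of the resolved primary script path, so a name that merely contains ".php" somewhere in the middle is still refused.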


