Edit report at https://bugs.php.net/bug.php?id=55181&edit=1
 ID:                 55181
 Comment by:         f...@php.net
 Reported by:        f...@php.net
 Summary:            Enhance security by limiting the script extension
 Status:             Analyzed
 Type:               Feature/Change Request
 Package:            FPM related
 Operating System:   any
 PHP Version:        5.3.6
 Assigned To:        fat
 Block user comment: N
 Private report:     N

 New Comment:

Committed on 5.4. Waiting for 5.3.7 to be released to backport this to 5.3.

Previous Comments:
------------------------------------------------------------------------
[2011-07-12 19:00:39] f...@php.net

Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=313186
Log: - Implemented FR #55181 (Enhance security by limiting access to user defined extensions)

------------------------------------------------------------------------
[2011-07-11 10:19:45] f...@php.net

The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v2.patch&revision=1310393984

------------------------------------------------------------------------
[2011-07-11 08:36:13] f...@php.net

The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v1.patch&revision=1310387773

------------------------------------------------------------------------
[2011-07-11 08:29:37] f...@php.net

Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP code from any kind of file (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will execute.

Something like (in pool configuration)
security.limit_extensions = .php

If the primary script does not end with .php, an access denied is returned (403).
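The check requested in the description, sketched as an added example (this is not code from the report, its patches, or PHP-FPM). The helper name check_script_extension, the space/tab separated list form of the setting, and the "empty list means no restriction" behaviour are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if `path` ends with the `ext_len`-byte extension at `ext` (case-sensitive)
 * and at least one character precedes it. */
static int has_suffix(const char *path, const char *ext, size_t ext_len)
{
    size_t path_len = strlen(path);
    return path_len > ext_len &&
           memcmp(path + path_len - ext_len, ext, ext_len) == 0;
}

/* Hypothetical helper, not FPM's function: returns the HTTP status for the
 * primary script. Assumptions: `limit_extensions` is a space/tab separated
 * list, and a NULL or empty list means no restriction is configured. */
int check_script_extension(const char *script, const char *limit_extensions)
{
    int configured = 0;
    const char *p = limit_extensions;

    if (script == NULL || *script == '\0')
        return 403;                        /* nothing sensible to execute */
    while (p != NULL && *p != '\0') {
        p += strspn(p, " \t");             /* skip separators */
        size_t len = strcspn(p, " \t");    /* length of the next extension */
        if (len == 0)
            break;
        configured = 1;
        if (has_suffix(script, p, len))
            return 200;                    /* allowed extension */
        p += len;
    }
    return configured ? 403 : 200;         /* deny anything not listed */
}

int main(void)
{
    /* Constructed sample paths, mirroring the file kinds named in the report. */
    const char *samples[] = { "/var/www/test.php", "/var/www/test.txt",
                              "/var/www/test.jpg", "/var/www/test.php.css" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i],
               check_script_extension(samples[i], ".php"));
    return 0;
}
```

The comparison is on the final suffix only, so a name such as test.php.css is refused even though it contains ".php".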