chimo (2015-10-05 09:15:23 -0400) wrote:

> On 2015-10-05 07:18, Ivan Vilata i Balaguer wrote:
> >
> >I'm attaching a small patch to the sample NginX configuration file to
> >strengthen it a little bit against PHP files uploaded to
> >application-writable directories, to avoid e.g. a user attaching a
> >PHP file which could be run with installation user permissions.
> >Maybe GNU social already has some built-in checks for this, I
> >don't know.
> >
> >I tried to open a bug/feature request for this in the
> >[Phabricator](https://bugz.foocorp.net/), but registration address
> >validation emails seem to not be sent (I've tried several times on
> >different days, checked the spam folder and the receiving server mail
> >logs, but no trace).
> 
>   The codebase and issue tracker for GNU social has been moved to
> https://git.gnu.io/gnu/gnu-social

Umm, <https://gnu.io/social/resources/> still points to the Phabricator
web page, maybe it should be updated.  I was able to register in GitLab
and create [issue #78](https://git.gnu.io/gnu/gnu-social/issues/78) with
the patch attached to it.

> The .diff file you attached only contains the following on my end: "dl
> oct 5 13:18:02 CEST 2015"

Sorry, it looks like I messed it up.  I'm attaching the patch (although
it's also attached to the issue above).

Thanks!

-- 
Ivan Vilata i Balaguer -- https://elvil.net/
diff --git a/nginx.conf.sample b/nginx.conf.sample
index d05c676..bb8748a 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -30,8 +30,12 @@ server {
   # Index
   index index.php;
 
+  # Disable PHP where files can be uploaded
+  location ~ ^/(avatar|background|file)/.+\.php$ {
+  }
+
   # PHP
-  location ~ \.php {
+  location ~ ^/.+\.php$ {
     fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
     # Remove the "fastcgi_pass" line above and uncomment
     # the one below to use TCP sockets instead of Unix sockets
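Review bot: the new `location ~ ^/(avatar|background|file)/.+\.php$ { }` block is empty, so a matching request is no longer passed to FastCGI but is still served by nginx as a static file from the document root, which returns the uploaded PHP source to the client; put an explicit `return 403;` (or `deny all;`) inside it so uploaded content is neither executed nor served back. The block also only works because it appears before the `# PHP` location (nginx takes the first matching regex location in file order), so a comment stating it must stay above the PHP block would keep a later reorder from silently re-enabling execution. Finally, the pattern covers only the `.php` suffix and only the three listed directories; check that the php-fpm pool does not accept other extensions (for example via `security.limit_extensions`) and that `avatar`, `background` and `file` are the complete set of application-writable paths exposed under the root.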
