php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #55181 Enhance security by limiting the script extension
Submitted: 2011-07-11 08:29 UTC Modified: 2011-10-08 19:52 UTC
From: fat@php.net Assigned: fat (profile)
Status: Closed Package: FPM related
PHP Version: 5.3.6 OS: any
Private report: No CVE-ID: None
View Developer Edit
 [2011-07-11 08:29 UTC] fat@php.net 
Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP 
code from any kind of files (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will 
execute.

Something like (in pool configuration)
security.limit_extensions = .php

if the primary script does not end with .php, an access denied is returned (403).

Patches

fpm-extensions.v2.patch (last revision 2011-07-11 14:19 UTC by fat@php.net)
fpm-extensions.v1.patch (last revision 2011-07-11 12:36 UTC by fat@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-11 08:29 UTC] fat@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: fat
 [2011-07-11 08:36 UTC] fat@php.net 
The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v1.patch&revision=1310387773
 [2011-07-11 10:19 UTC] fat@php.net 
The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v2.patch&revision=1310393984
 [2011-07-12 19:00 UTC] fat@php.net 
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=313186
Log: - Implemented FR #55181 (Enhance security by limiting access to user defined extensions)
 [2011-07-12 19:01 UTC] fat@php.net 
Commited on 5.4.

Waiting to 5.3.7 to be released to backport this to 5.3.
 [2011-10-08 13:42 UTC] fat@php.net 
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=317894
Log: - Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions)
 [2011-10-08 19:52 UTC] fat@php.net
-Status: Analyzed +Status: Closed
 [2011-10-08 19:52 UTC] fat@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2012-01-13 08:57 UTC] laph at gmx dot net 
This is a massive functionality change, breaking every application that doesn't 
stick to the ".php" File-Extension when upgrading from 5.3.8 to 5.3.9 since if 
"security.limit_extensions" is unset, it's limited to ".php".

Additionally this new configuration setting is not documented in the FPM-Docs. 

Please, don't do such changes in minor releases. Or at lease document them 
properly!
 [2012-01-14 12:16 UTC] public at grik dot net 
it would be MUCH better if you do the same way it's done with date.timezone: if 
the setting is not defined, it gives a warning on PHP start

now everyone blindly upgrading to a minor release with the same php-fpm.conf are 
shooting their feet
 [2012-01-16 10:32 UTC] gwenmael dot rouxel at neovote dot com 
As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the debian packages. 
So the version was silently upgraded, and I was scratching my head for the whole weekend trying to figure out this. Only this morning did I stumble upon the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.
 [2012-05-03 13:16 UTC] cbarry at artspan dot com 
The default for this new setting should not be '.php'.  There are many reasons that people may choose different file extensions (or no extension at all), and this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:
security.limit_extensions = FALSE

Which should be the default, or at least documented in the configuration files

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 30 22:00:01 2025 UTC