PHP :: Request #68019 :: FPM INI settings from Env

Request #68019	FPM INI settings from Env
Submitted:	2014-09-13 23:37 UTC	Modified:	2021-12-04 18:19 UTC
From:	manuel-php at mausz dot at	Assigned:	bukka (profile)
Status:	Assigned	Package:	FPM related
PHP Version:	Irrelevant	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	manuel-php at mausz dot at
New email:
PHP Version:		OS:

New Comment:

[2014-09-13 23:37 UTC] manuel-php at mausz dot at

Description:
------------
Setting up PHP-FPM with Apache has been improved recently. However unless most other HTTP servers Apache supports modifying the environment variables from .htaccess files. Since PHP-FPM supports passing INI settings from environment this combination allows the user to modify any INI settings.
A simple example is:
SetEnv PHP_ADMIN_VALUE "enable_dl=1"

Related to this is another security problem mentioned in the script referenced in https://bugs.php.net/bug.php?id=63965. This script tries to connect to the FPM socket and change the INI settings for new workers.

I don't know of a good solution. Apache admins could disallow directives like SetEnv, SetEnvIf, BrowserMatch, etc.. however they're quite useful for CGI an FCGI support. So the best solution I came up with is adding a new configuration setting which enables/disables reading PHP_ADMIN_VALUE from environment.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-12-30 09:01 UTC] stas@php.net

-Assigned To: +Assigned To: fat

[2017-10-24 07:45 UTC] kalle@php.net

-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:

[2021-12-04 18:19 UTC] bukka@php.net

-Type: Security +Type: Feature/Change Request -Assigned To: +Assigned To: bukka

[2021-12-04 18:19 UTC] bukka@php.net

This is well known and it's on purpose and there are already requests about this so nothing secret about it. I will keep it open as feature request until planned mitigations (e.g. configurable disabling of PHP_ADMIN_VALUE) are implemented.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 14:01:32 2024 UTC