Request #55181 Enhance security by limiting the script extension
Submitted: 2011-07-11 08:29 UTC Modified: 2011-10-08 19:52 UTC
From: fat@php.net Assigned: fat
Status: Closed Package: FPM related
PHP Version: 5.3.6 OS: any
Private report: No CVE-ID:
 [2011-07-11 08:29 UTC] fat@php.net
Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP 
code from any kind of files (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will 
execute.

Something like (in pool configuration)
security.limit_extensions = .php

if the primary script does not end with .php, an access denied is returned (403).

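An added illustration of the interaction this request is about, written for this page (it is not FPM's C implementation and not the patches attached below). It models two things: the web server in front of FPM, which either forwards only `.php` URIs or, when misconfigured, forwards everything; and the proposed pool setting, treated here as a space-separated list of suffixes, where an empty value means no restriction. The document root, the request URIs and the notion of a "pass everything" front end are constructed for the example.

```python
"""Model of the security.limit_extensions check and the front-end misconfiguration
it guards against. Added example; not FPM's own code.

Assumptions (not from the bug report):
  * DOCROOT is an example document root.
  * pass_all=True stands for a front end that hands every URI to FPM
    (the misconfiguration the report describes); pass_all=False stands for
    the usual "only URIs ending in .php go to FPM" location block.
  * An empty limit_extensions value disables the check.
"""
import os
from typing import List, Optional

DOCROOT = "/var/www/html"  # example document root (assumption)


def parse_limit_extensions(value: str) -> List[str]:
    """Split the pool-config value into its list of allowed suffixes.

    "" -> [] (no restriction); ".php .phtml" -> [".php", ".phtml"].
    """
    return value.split()


def fpm_allows_script(script_filename: str, limit_extensions: List[str]) -> bool:
    """True if FPM would execute SCRIPT_FILENAME, False if it would answer 403.

    The check is a plain suffix comparison on the primary script path, which
    is what "the primary script does not end with .php" in the report means.
    """
    if not limit_extensions:
        return True  # check disabled
    return any(script_filename.endswith(ext) for ext in limit_extensions)


def frontend_script_filename(uri: str, pass_all: bool) -> Optional[str]:
    """Model the web server in front of FPM.

    Returns the SCRIPT_FILENAME it would hand to FPM, or None when the file
    is served statically and never reaches the PHP interpreter.
    """
    path = uri.split("?", 1)[0]
    if pass_all or path.endswith(".php"):
        return os.path.normpath(DOCROOT + path)
    return None


def handle(uri: str, pass_all: bool, limit_value: str) -> str:
    """Outcome of one request: 'static', 'executed' or '403'."""
    script = frontend_script_filename(uri, pass_all)
    if script is None:
        return "static"
    if fpm_allows_script(script, parse_limit_extensions(limit_value)):
        return "executed"
    return "403"


if __name__ == "__main__":
    # Constructed sample requests matching the files named in the report.
    files = ["/test.php", "/test.txt", "/test.jpg", "/test.css"]
    for pass_all in (False, True):
        for limit in ("", ".php"):
            print(f"pass_all={pass_all!s:5} limit={limit!r:7}",
                  {f: handle(f, pass_all, limit) for f in files})
```

With a correctly scoped front end the non-PHP files never reach FPM at all; with the "pass everything" front end they are executed unless the pool setting denies them. The setting only restricts which files FPM will interpret, so `test.jpg` is refused while `test.jpg.php` still matches `.php`; and an application using `.phtml` needs that suffix listed explicitly, which is the breakage later commenters on this report ran into.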

Patches

fpm-extensions.v2.patch (last revision 2011-07-11 14:19 UTC) by fat@php.net
fpm-extensions.v1.patch (last revision 2011-07-11 12:36 UTC) by fat@php.net


History

 [2011-07-11 08:29 UTC] fat@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: fat
 [2011-07-11 08:36 UTC] fat@php.net
The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v1.patch&revision=1310387773
 [2011-07-11 10:19 UTC] fat@php.net
The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
URL:        https://bugs.php.net/patch-display.php?bug=55181&patch=fpm-extensions.v2.patch&revision=1310393984
 [2011-07-12 19:00 UTC] fat@php.net
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=313186
Log: - Implemented FR #55181 (Enhance security by limiting access to user defined extensions)
 [2011-07-12 19:01 UTC] fat@php.net
Committed on 5.4.

Waiting for 5.3.7 to be released before backporting this to 5.3.
 [2011-10-08 13:42 UTC] fat@php.net
Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=317894
Log: - Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions)
 [2011-10-08 19:52 UTC] fat@php.net
-Status: Analyzed +Status: Closed
 [2011-10-08 19:52 UTC] fat@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-01-13 08:57 UTC] laph at gmx dot net
This is a massive functionality change, breaking every application that doesn't stick to the ".php" file extension when upgrading from 5.3.8 to 5.3.9, since if "security.limit_extensions" is unset, it's limited to ".php".

Additionally, this new configuration setting is not documented in the FPM docs.

Please don't make such changes in minor releases. Or at least document them properly!
 [2012-01-14 12:16 UTC] public at grik dot net
It would be MUCH better if you did it the same way as date.timezone: if the setting is not defined, it gives a warning at PHP start.

Now everyone blindly upgrading to a minor release with the same php-fpm.conf is shooting themselves in the foot.
 [2012-01-16 10:32 UTC] gwenmael dot rouxel at neovote dot com
As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the debian packages. 
So the version was silently upgraded, and I was scratching my head for the whole weekend trying to figure out this. Only this morning did I stumble upon the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.
 [2012-05-03 13:16 UTC] cbarry at artspan dot com
The default for this new setting should not be '.php'.  There are many reasons that people may choose different file extensions (or no extension at all), and this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:
security.limit_extensions = FALSE

This should be the default, or at least be documented in the configuration files.

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 20:01:57 2014 UTC