Request #55181 Enhance security by limiting the script extension
Submitted: 2011-07-11 08:29 UTC Modified: 2011-10-08 19:52 UTC
From: Assigned: fat
Status: Closed Package: FPM related
PHP Version: 5.3.6 OS: any
Private report: No CVE-ID:
 [2011-07-11 08:29 UTC]
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP 
code from any kind of files (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will 

Something like (in pool configuration)
security.limit_extensions = .php

If the primary script does not end with .php, an access denied error (403) is returned.
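As an added illustration (not part of the bug report and not PHP-FPM's own source), the following Python models the decision the requested pool setting makes on the primary script: the web server hands FPM a SCRIPT_FILENAME, and FPM either runs it or answers 403 depending on its suffix. The function names, the audit helper and the constructed sample paths are mine; the parsing of the setting as a whitespace-separated list, the "empty value means no restriction" rule and the case-sensitive suffix comparison are assumptions beyond what the report states.

```python
# Added example, not PHP-FPM code: model of the security.limit_extensions
# check so the effect of a misconfigured front-end web server can be
# reasoned about offline. Semantics not stated in the report are assumptions.

# The thread describes ".php" as the value used when the setting is unset.
DEFAULT_LIMIT = ".php"


def parse_limit_extensions(value):
    """Turn the pool setting into a list of allowed suffixes.

    Assumptions: None means 'setting absent' and falls back to DEFAULT_LIMIT;
    the value is a whitespace-separated list of suffixes; an empty value
    means 'no restriction' (i.e. the pre-5.3.9 behaviour).
    """
    if value is None:
        return DEFAULT_LIMIT.split()
    return value.split()


def primary_script_allowed(script_filename, limit_extensions=None):
    """Return True when FPM should execute the script, False when it should
    return 403 ('Access denied').

    Modelled as a case-sensitive suffix comparison (assumption), so
    'test.PHP' is not accepted by a list containing only '.php'.
    """
    allowed = parse_limit_extensions(limit_extensions)
    if not allowed:
        return True  # no restriction configured: any file is parsed as PHP
    return any(script_filename.endswith(ext) for ext in allowed)


def audit_requests(script_filenames, limit_extensions=None):
    """Classify a batch of SCRIPT_FILENAME values, returning
    {path: 'run' | '403'}. Useful for checking what a given front-end
    configuration would let through before deploying it."""
    return {
        path: "run" if primary_script_allowed(path, limit_extensions) else "403"
        for path in script_filenames
    }


# Constructed sample: a web server that forwards every request under the
# document root to FPM, including user uploads (the misconfiguration the
# report warns about).
SAMPLE_REQUESTS = [
    "/var/www/html/index.php",
    "/var/www/html/style.css",
    "/var/www/html/uploads/avatar.jpg",
    "/var/www/html/notes.txt",
]

if __name__ == "__main__":
    print("default (.php only):", audit_requests(SAMPLE_REQUESTS))
    print("restriction disabled:", audit_requests(SAMPLE_REQUESTS, ""))
    print("custom list:", audit_requests(SAMPLE_REQUESTS, ".php .phtml"))
```

With the default list only index.php is executed and the three non-PHP files get a 403, which is what closes the hole when the web server forwards too much; with the restriction disabled every path is parsed as PHP, which is the state the reporter wants to make impossible by default.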


fpm-extensions.v2.patch (last revision 2011-07-11 14:19 UTC) by
fpm-extensions.v1.patch (last revision 2011-07-11 12:36 UTC) by



 [2011-07-11 08:29 UTC]
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: fat
 [2011-07-11 08:36 UTC]
The following patch has been added/updated:

Patch Name: fpm-extensions.v1.patch
Revision:   1310387773
 [2011-07-11 10:19 UTC]
The following patch has been added/updated:

Patch Name: fpm-extensions.v2.patch
Revision:   1310393984
 [2011-07-12 19:00 UTC]
Automatic comment from SVN on behalf of fat
Log: - Implemented FR #55181 (Enhance security by limiting access to user defined extensions)
 [2011-07-12 19:01 UTC]
Committed on 5.4.

Waiting for 5.3.7 to be released to backport this to 5.3.
 [2011-10-08 13:42 UTC]
Automatic comment from SVN on behalf of fat
Log: - Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions)
 [2011-10-08 19:52 UTC]
-Status: Analyzed +Status: Closed
 [2011-10-08 19:52 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2012-01-13 08:57 UTC] laph at gmx dot net
This is a massive functionality change, breaking every application that doesn't 
stick to the ".php" file extension when upgrading from 5.3.8 to 5.3.9, since if 
"security.limit_extensions" is unset, it's limited to ".php".

Additionally, this new configuration setting is not documented in the FPM docs. 

Please, don't do such changes in minor releases. Or at least document them 
 [2012-01-14 12:16 UTC] public at grik dot net
It would be MUCH better if you did it the same way it's done with date.timezone: if 
the setting is not defined, it gives a warning on PHP start.

Now everyone blindly upgrading to a minor release with the same php-fpm.conf is 
shooting themselves in the foot.
 [2012-01-16 10:32 UTC] gwenmael dot rouxel at neovote dot com
As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the debian packages. 
So the version was silently upgraded, and I was scratching my head for the whole weekend trying to figure out this. Only this morning did I stumble upon the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.
 [2012-05-03 13:16 UTC] cbarry at artspan dot com
The default for this new setting should not be '.php'.  There are many reasons that people may choose different file extensions (or no extension at all), and this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:
security.limit_extensions = FALSE

This should be the default, or at least documented in the configuration files.

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Sun Oct 04 11:01:30 2015 UTC