php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60763 Access denied. when file extension is .html
Submitted: 2012-01-15 23:27 UTC Modified: 2012-01-16 00:06 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: nbari at dalmp dot com Assigned:
Status: Closed Package: FPM related
PHP Version: 5.3.9 OS: FreeBSD / Mac OS
Private report: No CVE-ID:
 [2012-01-15 23:27 UTC] nbari at dalmp dot com
Description:
------------
When serving .html files as php an "Access denied." is displayed instead of the 
properly parsed page.

With php versions <= 5.3.8 the following configuration example works for nginx

--
server {
  server_name domain.tpl *.domain.tld;
  root   /home/sites/domain.tld/home/html;

  location ~ \.(php|htm|html)$ {
    fastcgi_pass   unix:/tmp/php-fpm.socket;  
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
  }

}
--

files on /home/sites/domain.tld/home/html are:

http://domain.tld/index.html <--- does not work with php-5.3.9 display an Access 
denied. 
http://domain.tld/test.php   <--- works 

Expected result:
----------------
properly parse the .html and display the content.

Actual result:
--------------
Access denied.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-16 00:06 UTC] nbari at dalmp dot com
php 5.3.9 adds support to chose what extensions to parse 

the solution was to add the next line the php-fpm.conf

security.limit_extensions = .php .html
 [2012-01-16 00:06 UTC] nbari at dalmp dot com
-Status: Open +Status: Closed
 [2012-01-16 21:52 UTC] dmilith at gmail dot com
It also happens on Debian Lenny. It's not system related.
 [2012-01-16 21:56 UTC] fat@php.net
Be aware that FPM is marked as *experimental* on 5.3.x. Which means that changes 
can break configurations between release.

It's the case between 5.3.8 and 5.3.9 as the security.limit_extensions 
configuration item has been added and it defaults to .php. If you need to execute 
other extensions, you have to change this setting.

++ fat

Note: the experimental flag has been removed in 5.4.x.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 02:02:27 2014 UTC