php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68019 FPM INI settings from Env
Submitted: 2014-09-13 23:37 UTC Modified: 2021-12-04 18:19 UTC
From: manuel-php at mausz dot at Assigned: bukka (profile)
Status: Assigned Package: FPM related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: manuel-php at mausz dot at
New email:
PHP Version: OS:

 

 [2014-09-13 23:37 UTC] manuel-php at mausz dot at
Description:
------------
Setting up PHP-FPM with Apache has been improved recently. However unless most other HTTP servers Apache supports modifying the environment variables from .htaccess files. Since PHP-FPM supports passing INI settings from environment this combination allows the user to modify any INI settings.
A simple example is:
SetEnv PHP_ADMIN_VALUE "enable_dl=1"

Related to this is another security problem mentioned in the script referenced in https://bugs.php.net/bug.php?id=63965. This script tries to connect to the FPM socket and change the INI settings for new workers.

I don't know of a good solution. Apache admins could disallow directives like SetEnv, SetEnvIf, BrowserMatch, etc.. however they're quite useful for CGI an FCGI support. So the best solution I came up with is adding a new configuration setting which enables/disables reading PHP_ADMIN_VALUE from environment.



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 09:01 UTC] stas@php.net
-Assigned To: +Assigned To: fat
 [2017-10-24 07:45 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To:
 [2021-12-04 18:19 UTC] bukka@php.net
-Type: Security +Type: Feature/Change Request -Assigned To: +Assigned To: bukka
 [2021-12-04 18:19 UTC] bukka@php.net
This is well known and it's on purpose and there are already requests about this so nothing secret about it. I will keep it open as feature request until planned mitigations (e.g. configurable disabling of PHP_ADMIN_VALUE) are implemented.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 19:01:28 2024 UTC