|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68125 [FPM] check if script is in specified path before execute (ie docroot)
Submitted: 2014-10-01 18:20 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: stefan at eriksson dot cn Assigned:
Status: Open Package: FPM related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: stefan at eriksson dot cn
New email:
PHP Version: OS:


 [2014-10-01 18:20 UTC] stefan at eriksson dot cn
I'm looking for a kind of middle ground between chrooted fpm environment and non-chrooted env.

Suphp offer:

;Path all scripts have to be in
;Check wheter script is within DOCUMENT_ROOT

Two different options to specify that a php script has to be in the docroot or else it wont execute. However if the script calls a binary for example with exec() /bin/convert this is doable,so it wont chroot the env just set a restriction on where the php files have to be. This will hinder fpm to run phpfiles added to /tmp etc.

From suphp docs:

  Checks wheter the script is within DOCUMENT_ROOT specified by the 
  webserver. This option is intended to avoid symbol links outside of the
  webpage directory. You may want to disable it, when you are using
  mod_vhost_alias or the Alias-directive.
  This option is disabled by default, if at compile-time the
  "--disable-check-docroot" option has been specified, otherwise it is
  enabled by default.

  Patterns matching all allowed script directories. This is an 
  additional security check, especially when 
  check_vhost_docroot is disabled. Defaults to "/*" thus
  allowing scripts in any location being run. May contain the 
  "*" character which matches zero to n characters excluding 
  the "/" character. Multiple values are allowed for this 
  setting. May contain variables as described above.

It would be great if php-fpm could offer the same feature as above, please let me know if there is any more info you need.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jul 21 23:01:29 2024 UTC