Request #68125 [FPM] check if script is in specified path before execute (ie docroot)
Submitted: 2014-10-01 18:20 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: stefan at eriksson dot cn Assigned:
Status: Open Package: FPM related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2014-10-01 18:20 UTC] stefan at eriksson dot cn
Description:
------------
I'm looking for a kind of middle ground between a chrooted fpm environment and a non-chrooted env.

Suphp offers:

;Path all scripts have to be in
docroot=/var/www/
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true

Two different options to specify that a PHP script has to be in the docroot or else it won't execute. However, if the script calls a binary, for example /bin/convert with exec(), this is doable, so it won't chroot the env, just set a restriction on where the PHP files have to be. This will hinder fpm from running PHP files added to /tmp etc.


From suphp docs:

check_vhost_docroot:
  Checks whether the script is within DOCUMENT_ROOT specified by the
  webserver. This option is intended to avoid symbolic links outside of the
  webpage directory. You may want to disable it, when you are using
  mod_vhost_alias or the Alias-directive.
  This option is disabled by default, if at compile-time the
  "--disable-check-docroot" option has been specified, otherwise it is
  enabled by default.


docroot:
  Patterns matching all allowed script directories. This is an
  additional security check, especially when check_vhost_docroot is
  disabled. Defaults to "/*" thus allowing scripts in any location to be
  run. May contain the "*" character which matches zero to n characters
  excluding the "/" character. Multiple values are allowed for this
  setting. May contain variables as described above.


It would be great if php-fpm could offer the same feature as above. Please let me know if there is any more info you need.
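As an added example (not code from the report, from suphp or from php-fpm), here are the two suphp checks described above implemented in PHP userland, the way a defender could enforce them today from an auto_prepend_file until FPM offers the option natively. It assumes the web server supplies DOCUMENT_ROOT and SCRIPT_FILENAME; the sample directory tree under the system temp dir is constructed for the demonstration.

```php
<?php
// Added example, not from the bug report, suphp or php-fpm. Emulates suphp's checks:
//   check_vhost_docroot: the script, with symlinks resolved, must sit under DOCUMENT_ROOT
//   docroot patterns:    the script's directory must match a pattern, where "*"
//                        matches zero or more characters other than "/"
function within_docroot(string $script, string $docroot): bool
{
    $s = realpath($script);   // follows symlinks; false if the file is missing
    $r = realpath($docroot);
    if ($s === false || $r === false) {
        return false;
    }
    $r = rtrim($r, '/') . '/';
    return strncmp($s, $r, strlen($r)) === 0;
}

function pattern_to_regex(string $pattern): string
{
    // quote everything literally, then turn the escaped "\*" into "[^/]*"
    $quoted = preg_quote(rtrim($pattern, '/'), '#');
    return '#^' . str_replace('\*', '[^/]*', $quoted) . '/?$#';
}

function dir_allowed(string $script, array $patterns): bool
{
    $s = realpath($script);
    if ($s === false) {
        return false;
    }
    $dir = rtrim(dirname($s), '/') . '/';
    foreach ($patterns as $p) {
        if (preg_match(pattern_to_regex($p), $dir) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample tree: a docroot with a real script and a symlink that
// points at a script outside the docroot (the "/tmp" case from the report).
$base = realpath(sys_get_temp_dir()) . '/docroot-demo-' . getmypid();
mkdir("$base/www/site", 0700, true);
mkdir("$base/outside", 0700, true);
file_put_contents("$base/www/site/index.php", "<?php\n");
file_put_contents("$base/outside/evil.php", "<?php\n");
symlink("$base/outside/evil.php", "$base/www/site/link.php");

var_dump(within_docroot("$base/www/site/index.php", "$base/www")); // real file inside docroot
var_dump(within_docroot("$base/www/site/link.php", "$base/www"));  // symlink resolves outside
var_dump(dir_allowed("$base/www/site/index.php", ["$base/www/*"])); // like docroot=/var/www/*
var_dump(dir_allowed("$base/outside/evil.php", ["$base/www/*"]));   // directory not in pattern
```

In a real deployment the guard would compare $_SERVER['SCRIPT_FILENAME'] against $_SERVER['DOCUMENT_ROOT'] and exit before the script body runs; realpath() is what makes the symlink case behave like suphp's check_vhost_docroot.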


PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 18:01:28 2024 UTC