Enhance security by limiting the script extension

Request #55181	Enhance security by limiting the script extension
Submitted:	2011-07-11 08:29 UTC	Modified:	2011-10-08 19:52 UTC
From:	fat@php.net	Assigned:	fat (profile)
Status:	Closed	Package:	FPM related
PHP Version:	5.3.6	OS:	any
Private report:	No	CVE-ID:	None

[2011-07-11 08:29 UTC] fat@php.net

Description:
------------
If the web server in front of FPM is misconfigured, FPM can parse and execute PHP 
code from any kind of files (test.php, test.txt, test.jpg, test.css, ...).

It should be possible to limit the extension of the primary script FPM will 
execute.

Something like (in pool configuration)
security.limit_extensions = .php

if the primary script does not end with .php, an access denied is returned (403).

Patches

fpm-extensions.v2.patch (last revision 2011-07-11 14:19 UTC by fat@php.net)
fpm-extensions.v1.patch (last revision 2011-07-11 12:36 UTC by fat@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-07-11 08:29 UTC] fat@php.net

-Status: Open +Status: Analyzed -Assigned To: +Assigned To: fat

[2011-07-12 19:01 UTC] fat@php.net

Commited on 5.4.

Waiting to 5.3.7 to be released to backport this to 5.3.

[2011-10-08 19:52 UTC] fat@php.net

-Status: Analyzed +Status: Closed

[2011-10-08 19:52 UTC] fat@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2012-01-13 08:57 UTC] laph at gmx dot net

This is a massive functionality change, breaking every application that doesn't 
stick to the ".php" File-Extension when upgrading from 5.3.8 to 5.3.9 since if 
"security.limit_extensions" is unset, it's limited to ".php".

Additionally this new configuration setting is not documented in the FPM-Docs. 

Please, don't do such changes in minor releases. Or at lease document them 
properly!

[2012-01-14 12:16 UTC] public at grik dot net

it would be MUCH better if you do the same way it's done with date.timezone: if 
the setting is not defined, it gives a warning on PHP start

now everyone blindly upgrading to a minor release with the same php-fpm.conf are 
shooting their feet

[2012-01-16 10:32 UTC] gwenmael dot rouxel at neovote dot com

As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the debian packages. 
So the version was silently upgraded, and I was scratching my head for the whole weekend trying to figure out this. Only this morning did I stumble upon the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.

[2012-05-03 13:16 UTC] cbarry at artspan dot com

The default for this new setting should not be '.php'.  There are many reasons that people may choose different file extensions (or no extension at all), and this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:
security.limit_extensions = FALSE

Which should be the default, or at least documented in the configuration files

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)