From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 05 11:34:54 2023
Received: (at submit) by debbugs.gnu.org; 5 Apr 2023 15:34:54 +0000
Received: from localhost ([127.0.0.1]:52459 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pk59j-0007Ia-IW
	for submit@debbugs.gnu.org; Wed, 05 Apr 2023 11:34:54 -0400
Received: from lists.gnu.org ([209.51.188.17]:49246)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@makinata.eu>) id 1pk59h-0007IT-On
 for submit@debbugs.gnu.org; Wed, 05 Apr 2023 11:34:38 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mirai@makinata.eu>) id 1pk59h-00043G-7M
 for guix-patches@gnu.org; Wed, 05 Apr 2023 11:34:37 -0400
Received: from smtpmciv1.myservices.hosting ([185.26.107.237])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mirai@makinata.eu>) id 1pk59f-0007ft-5U
 for guix-patches@gnu.org; Wed, 05 Apr 2023 11:34:36 -0400
Received: from mail1.netim.hosting (unknown [185.26.106.173])
 by smtpmciv1.myservices.hosting (Postfix) with ESMTP id E7E4F2098E
 for <guix-patches@gnu.org>; Wed,  5 Apr 2023 17:34:25 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id 9431E800AA;
 Wed,  5 Apr 2023 17:34:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-2.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id 7AgZigszt7Uo; Wed,  5 Apr 2023 17:34:25 +0200 (CEST)
Received: from guix-nuc.home.arpa (unknown [10.192.1.83])
 (Authenticated sender: lumen@makinata.eu)
 by mail1.netim.hosting (Postfix) with ESMTPSA id EA9A2800A9;
 Wed,  5 Apr 2023 17:34:24 +0200 (CEST)
From: Bruno Victal <mirai@makinata.eu>
To: guix-patches@gnu.org
Subject: [PATCH] services: nginx: Harden php-location settings.
Date: Wed,  5 Apr 2023 16:34:08 +0100
Message-Id: <ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=185.26.107.237; envelope-from=mirai@makinata.eu;
 helo=smtpmciv1.myservices.hosting
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: Bruno Victal <mirai@makinata.eu>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

Incorporate advice from [2], which mitigates httpoxy[1] vulnerability and
disallows passing non-php files to the PHP backend.

[1]: <https://httpoxy.org/>
[2]: <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
note 4.

* gnu/services/web.scm (nginx-php-location): Only pass existing php files to
backend. Mitigate httpoxy vulnerability.
---

Tested with: make check-system TESTS="nginx php-fpm"

 gnu/services/web.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))

base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
-- 
2.39.2





From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 05 16:20:03 2023
Received: (at 62678) by debbugs.gnu.org; 5 Apr 2023 20:20:03 +0000
Received: from localhost ([127.0.0.1]:52727 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pk9bv-00081K-BT
	for submit@debbugs.gnu.org; Wed, 05 Apr 2023 16:20:03 -0400
Received: from mout.web.de ([212.227.17.12]:54787)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <jonathan.brielmaier@web.de>) id 1pk9bt-00080k-EJ
 for 62678@debbugs.gnu.org; Wed, 05 Apr 2023 16:20:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=s29768273;
 t=1680725995; i=jonathan.brielmaier@web.de;
 bh=88ulcPNUNlBGXgii26DN2inTJTSjqdVkia6RkI/lRCM=;
 h=X-UI-Sender-Class:Date:To:Subject:From;
 b=CpKo6O7VSpf5OQAQoMXpeQohWXlAP25KyAmmSmmzN3ptA9Q4vV5KoGhz0sThD2ezz
 gNUYflZMTN+dAnnLPZY01joVOiXLSe/84reOprmgiqncBX4T91yGdSAoZjHzGwn8JT
 xZSw0t8dev8sMiIOjD6gPQ/J1J8sJyLcE4wmVRCI2W+73lAQLk+BrSisc7KFjZ4oY2
 q++qiA2itvT7+7nUwKnOkljapcxK/a040vDmGU5iE30YrfyhIyL5d/j5iRmaHSeHGt
 4L/LEs5E564pBGbpNBsbtMotn7paxUG4bAnjcRmM9dHv5VX65KB5RMWbmiEbC9U3wM
 Vs8hjfYhlOECA==
X-UI-Sender-Class: 814a7b36-bfc1-4dae-8640-3722d8ec6cd6
Received: from [192.168.178.23] ([77.180.26.3]) by smtp.web.de (mrweb106
 [213.165.67.124]) with ESMTPSA (Nemesis) id 1MA4fI-1pZkGn1aVW-00BwCi for
 <62678@debbugs.gnu.org>; Wed, 05 Apr 2023 22:19:55 +0200
Message-ID: <068a52bd-8597-a449-c452-4c110f645ca0@web.de>
Date: Wed, 5 Apr 2023 22:19:55 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.0
To: 62678@debbugs.gnu.org
Subject: [PATCH] services: nginx: Harden php-location settings.
Content-Language: de-DE
From: Jonathan Brielmaier <jonathan.brielmaier@web.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:BA/rvfZVrg47HYjobtkFcH90XVt6FwGIa3zhjBTFiJ9klEEkv6L
 t6w5R7uZBCLaGGAge5cjKac5Lv3CeDuPYIc2Nw8wCiMApZs7gxDxOj7cvA2fYc8H9vXE4e/
 6RPt/lEs+B1htTXStlrP2tx9Fd77stXejBexsNU6FnWUD0FnXuGiDLWiIb8YqnQEyP3Mq+Z
 2Q3DIkxq8+W1sQtfE8PuQ==
X-Spam-Flag: NO
UI-OutboundReport: notjunk:1;M01:P0:mkZ3A6S5j7E=;jYqFAmcdxFhuiL9FHtE9OR9yrH9
 k7Js/fwe38uiNIpHzb9gOqHKxARkGkx7lU1CmkU2nvUt/m/rHpd8eWf2qesZfigjU6fpnVv9M
 WDULh76joI1RULnKjfhv+mmuNamhbL1aBzgO70vWTB2mGaJYJQLDvWA4lI1ls/LV/d8mLK5y8
 BggwHRjL8SMyykC9Tj/zuAOVjeTXYmrSuVwrtlxsjXVkumMENDGcz0gZWtfa7oK9bQqO2FuNz
 VsRXQcxWvy1jIn5A5dV/Jfzi2tKn2rUL5H3b1ECcKrXAmAXYRT3Fh1rDI+tftWmnHgMK/C3n8
 q36IpY54HXzeXhxY0QzbWfKd2hksLIjiPRLVwSH2Tdq1S0MTr5LRDFLOqbYyq3NawoAQEdBeY
 JOZz9OrqeCqGuxP1wNDsfBHKa3zx4t/Q9j4pYv/csNDKIQuAZcEyVBoOsdJx8gMMfV2aW95ru
 FZRqdXJibn69wvLkxDpEmitNDNuJamtLHVO4MnzHYkf2VvRK4qySnaUQFTTj2lZlkFKrzWH7i
 kOkTOHrcyTvjzsq1w9+tHwRaGBlkrxBzlt4PeUAf4ZHOdKC8KpOSjm9X7cc3OasOQRF1BYdf9
 C1ENkQ5jIhjWkxVRpKWlboaKRtbIJ/E+6T8ZYaAD70Jmzxp7vkKGpexi2+xa1Y+Nclc4LodG4
 qwolQwxONcxC/7GOKea6ordtU1dAoO66oFhlJaneExURgAlAxUXKSfHs9h9KGhFtVhVn/VAqh
 QfvmmsZ7CqhQK5m4vclDQ8ZTyRfft6SRe7SjJor0sABc151CnVdJJj8EcwIX1vuq33s2onOUp
 uLECbHvv1ciHUt38iuQc4OUDQUEx/PYO0oU+RNh6l+OJxO6sfbBg5TLQX+Q8ODg5UebkDjUtB
 paovvOTI080G8AJJm+MAiZsE4nMZUsd1uUdsmglDq9LefRXzt1xakGtgCBnFnBfJ7VLz/L22I
 ElIs9A==
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 62678
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

I wonder if we should at least make the HTTP_PROXY variable
configurable. It may need to be set to something else then "" in some
scenarios. I don't know...




From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 06 09:11:50 2023
Received: (at 62678) by debbugs.gnu.org; 6 Apr 2023 13:11:50 +0000
Received: from localhost ([127.0.0.1]:53652 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pkPP4-0001J4-A3
	for submit@debbugs.gnu.org; Thu, 06 Apr 2023 09:11:50 -0400
Received: from smtpmciv3.myservices.hosting ([185.26.107.239]:39824)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@makinata.eu>) id 1pkPP1-0001It-Pp
 for 62678@debbugs.gnu.org; Thu, 06 Apr 2023 09:11:49 -0400
Received: from mail1.netim.hosting (unknown [185.26.106.173])
 by smtpmciv3.myservices.hosting (Postfix) with ESMTP id 44874202E2;
 Thu,  6 Apr 2023 15:11:46 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id F3AB8800A8;
 Thu,  6 Apr 2023 15:11:45 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-2.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id Tr-Y3DHWWlGZ; Thu,  6 Apr 2023 15:11:45 +0200 (CEST)
Received: from [192.168.1.239] (unknown [10.192.1.83])
 (Authenticated sender: lumen@makinata.eu)
 by mail1.netim.hosting (Postfix) with ESMTPSA id C1B13800A7;
 Thu,  6 Apr 2023 15:11:43 +0200 (CEST)
Message-ID: <65a26f2b-0ef5-b9ac-b4df-4e3b73ad4474@makinata.eu>
Date: Thu, 6 Apr 2023 14:11:43 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.1
Subject: Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
Content-Language: en-US
To: Jonathan Brielmaier <jonathan.brielmaier@web.de>
References: <ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu>
 <068a52bd-8597-a449-c452-4c110f645ca0@web.de>
From: Bruno Victal <mirai@makinata.eu>
In-Reply-To: <068a52bd-8597-a449-c452-4c110f645ca0@web.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.1 (-)
X-Debbugs-Envelope-To: 62678
Cc: 62678@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.1 (--)

Hi Jonathan,

On 2023-04-05 21:19, Jonathan Brielmaier wrote:
> I wonder if we should at least make the HTTP_PROXY variable
> configurable. It may need to be set to something else then "" in some
> scenarios. I don't know...

No, there's no legitimate reason for this, since 'PROXY' is not
a standard HTTP header according to [1]. PROXY being passed to a cgi application
as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as
a variable for configuring proxies (for curl, wget, etc.)
Allowing HTTP_PROXY to be set remotely (due to a confusion with the non-standard 'PROXY' header)
is simply incomprehensible.

Regarding user intent, that is, configuring the proxy used by the cgi application by
setting HTTP_PROXY via nginx?
I don't have this use-case but IMO it feels like an extreme poor design, since it's
exploiting a name confusion to change the system environment variables for the
cgi application.

If for some reason you really need this, you can always use the regular
nginx-location-configuration to manually craft a php-location.


[1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml


Cheers,
Bruno




From debbugs-submit-bounces@debbugs.gnu.org Thu Jun 22 09:33:14 2023
Received: (at control) by debbugs.gnu.org; 22 Jun 2023 13:33:14 +0000
Received: from localhost ([127.0.0.1]:35153 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1qCKQz-0002cK-SA
	for submit@debbugs.gnu.org; Thu, 22 Jun 2023 09:33:13 -0400
Received: from smtpmciv4.myservices.hosting ([185.26.107.240]:33462)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mirai@makinata.eu>) id 1qCKQy-0002cB-1V
 for control@debbugs.gnu.org; Thu, 22 Jun 2023 09:33:12 -0400
Received: from mail1.netim.hosting (unknown [185.26.106.173])
 by smtpmciv4.myservices.hosting (Postfix) with ESMTP id D36492076D
 for <control@debbugs.gnu.org>; Thu, 22 Jun 2023 15:33:09 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by mail1.netim.hosting (Postfix) with ESMTP id 4561180099
 for <control@debbugs.gnu.org>; Thu, 22 Jun 2023 15:33:09 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail1.netim.hosting
Received: from mail1.netim.hosting ([127.0.0.1])
 by localhost (mail1-2.netim.hosting [127.0.0.1]) (amavisd-new, port 10026)
 with ESMTP id XZ6_H5Yu7Msz for <control@debbugs.gnu.org>;
 Thu, 22 Jun 2023 15:33:09 +0200 (CEST)
Received: from [192.168.1.116] (unknown [10.192.1.83])
 (Authenticated sender: lumen@makinata.eu)
 by mail1.netim.hosting (Postfix) with ESMTPSA id ECDE280097
 for <control@debbugs.gnu.org>; Thu, 22 Jun 2023 15:33:08 +0200 (CEST)
Message-ID: <4e7e3d93-01e3-da95-fc0a-fc07dd7e0734@makinata.eu>
Date: Thu, 22 Jun 2023 14:33:08 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.12.0
From: Bruno Victal <mirai@makinata.eu>
Subject: control-msg
To: control <control@debbugs.gnu.org>
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

close 58166
tag 62678 + security

quit




From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 07 10:22:46 2023
Received: (at 62678-done) by debbugs.gnu.org; 7 Jul 2023 14:22:46 +0000
Received: from localhost ([127.0.0.1]:43566 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1qHmM7-0000Dr-6T
	for submit@debbugs.gnu.org; Fri, 07 Jul 2023 10:22:46 -0400
Received: from tobias.gr ([80.241.217.52]:51456)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@tobias.gr>) id 1qHmM1-0000Dc-7J
 for 62678-done@debbugs.gnu.org; Fri, 07 Jul 2023 10:22:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=n0Hcu3i7Eb8iV
 VlMC2eUMKgpKQSQq+TrYuzc8UXbVRU=;
 h=in-reply-to:date:subject:cc:to:
 from:references; d=tobias.gr; b=J43yFXhZuvZ9zEDt+I4ej7Ge5iyAl55aA++Njl
 8Khz7NQwLmZCg76XaEuvs01RAHtb/LXrtYrUUz0jbFsk3dF3U1ItxXdTC5dtH7U4wwbYoW
 zmJYN7ggjxX6Gfcxt8LPfyakfqs3UwatgySUn4wbPXv3N4i4gmJcn9X3p+XdKXvBBpWuA2
 haDl/CFt2yXI97WVX4nstQlOW0d+px2nRie/7OoTHojEwkCPXVN9R42iWktW19S5OBepAT
 owod9UtmxT6cHpZu+1bA4+UWC2akzBbw1KI7H6fVyHQUykAj9y/YfauxFSYAc/BqJltQHv
 jnPd91QQ7/hf/ccjd9UsM+TQ==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id c84dddf4
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); 
 Fri, 7 Jul 2023 14:22:21 +0000 (UTC)
References: <ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu>
From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Bruno Victal <mirai@makinata.eu>
Subject: Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
Date: Fri, 07 Jul 2023 16:22:01 +0200
In-reply-to: <ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu>
BIMI-Selector: v=BIMI1; s=default;
Message-ID: <87wmzber45.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 62678-done
Cc: 62678-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi Bruno,

Bruno Victal =E5=86=99=E9=81=93=EF=BC=9A
> Incorporate advice from [2], which mitigates httpoxy[1]=20
> vulnerability and
> disallows passing non-php files to the PHP backend.
>
> [1]: <https://httpoxy.org/>
> [2]:=20
> <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
> note 4.

This is a better comment than commit message.  I made it so and=20
pushed your changes as commit=20
cbc14b3baea457cf2718b85f767d39ff3911ce91.

Thanks!

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCZKggOg0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15N1gA/0p4sLULM7SdMhyD1XLP6pWJ/a4ZmKzdA1lJv98Y
fHE0APwKaqXe+r15WzkH9KX9gtsrvq2OnEfiGTYisoyzEpfRAA==
=EMsW
-----END PGP SIGNATURE-----
--=-=-=--




From unknown Sun Jun 22 04:20:58 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Sat, 05 Aug 2023 11:24:08 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator