GNU bug report logs - #62678
[PATCH] services: nginx: Harden php-location settings.

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Tobias Geerinckx-Rice <me <at> tobias.gr>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#62678: closed ([PATCH] services: nginx: Harden php-location
 settings.)
Date: Fri, 07 Jul 2023 14:23:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Fri, 07 Jul 2023 16:22:01 +0200
with message-id <87wmzber45.fsf <at> nckx>
and subject line Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
has caused the debbugs.gnu.org bug report #62678,
regarding [PATCH] services: nginx: Harden php-location settings.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
62678: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62678
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Bruno Victal <mirai <at> makinata.eu>
To: guix-patches <at> gnu.org
Cc: Bruno Victal <mirai <at> makinata.eu>
Subject: [PATCH] services: nginx: Harden php-location settings.
Date: Wed,  5 Apr 2023 16:34:08 +0100

Incorporate advice from [2], which mitigates httpoxy[1] vulnerability and
disallows passing non-php files to the PHP backend.

[1]: <https://httpoxy.org/>
[2]: <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
note 4.

* gnu/services/web.scm (nginx-php-location): Only pass existing php files to
backend. Mitigate httpoxy vulnerability.
---

Tested with: make check-system TESTS="nginx php-fpm"

 gnu/services/web.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))

base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
-- 
2.39.2

[Message part 3 (message/rfc822, inline)]

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Bruno Victal <mirai <at> makinata.eu>
Cc: 62678-done <at> debbugs.gnu.org
Subject: Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.
Date: Fri, 07 Jul 2023 16:22:01 +0200

[Message part 4 (text/plain, inline)]

Hi Bruno,

Bruno Victal 写道：
> Incorporate advice from [2], which mitigates httpoxy[1] 
> vulnerability and
> disallows passing non-php files to the PHP backend.
>
> [1]: <https://httpoxy.org/>
> [2]: 
> <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
> note 4.

This is a better comment than commit message.  I made it so and 
pushed your changes as commit 
cbc14b3baea457cf2718b85f767d39ff3911ce91.

Thanks!

T G-R

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.