httpd-docs mailing list archives
From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "PHP-FPM" by thumbs
Date Thu, 14 Mar 2013 01:25:33 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "PHP-FPM" page has been changed by thumbs:
http://wiki.apache.org/httpd/PHP-FPM?action=diff&rev1=1&rev2=2

  
  __Don't forget to reload apache after making any changes to a vhost or other configuration
file.__
  
+ ==== Caveat ====
+ One might be tempted to point out that a greedy ProxyPassMatch directive might allow some
malicious content uploaded by a HTTP client to be served.
+ 
+ This is by no means a comprehensive security document, but instead will point out a possible
injection vector that could be generated from the directives in this document.
+ 
+ Take, for example:
+ 
+ `/uploads/malicious.jpg/lalalaalala.php`
+ 
+ Would lead php-fpm to process that file (/uploads/malicious.jpg), and without certain sanity
check, possibly lead to a compromised server.
+ 
+ This, of course, is not recommended. Content uploaded using php should be saved safely outside
the DocumentRoot, and the pathinfo should be scrutinized.
+ 
+ Additionally, php-fpm should check if the script being invoked is allowed.
+ 
+ If such restrictions cannot be implemented easily, then checks could be performed prior
to proxying with a RewriteCond or FallbackResource to ensure that the URI is not altered by
the HTTP client.
+ 
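Review bot: the example in this hunk states the outcome ("Would lead php-fpm to process that file (/uploads/malicious.jpg)") without the mechanism, so readers cannot tell why a greedy ProxyPassMatch is the problem; say explicitly that the directive forwards the whole request path, including the trailing `/lalalaalala.php` path-info, to php-fpm, which then resolves the script by falling back to the first existing path component and executes the uploaded `malicious.jpg` as PHP. The closing paragraph names RewriteCond and FallbackResource as the pre-proxy check but never says what is being tested; state the concrete condition (that the resolved script path exists as a regular file and ends in `.php`, with no extra path-info appended), otherwise "ensure that the URI is not altered by the HTTP client" is too vague to implement. "This, of course, is not recommended." has no clear antecedent; say that it is the permissive ProxyPassMatch pattern combined with uploads under the DocumentRoot that is not recommended. Minor wording: "a HTTP client" should be "an HTTP client", and "without certain sanity check" should be "without certain sanity checks".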

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

