httpd-docs mailing list archives

From Apache Wiki <>
Subject [Httpd Wiki] Update of "PHP-FPM" by thumbs
Date Thu, 14 Mar 2013 01:25:33 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "PHP-FPM" page has been changed by thumbs:

  __Don't forget to reload apache after making any changes to a vhost or other configuration
+ ==== Caveat ====
+ One might be tempted to point out that a greedy ProxyPassMatch directive might allow some
malicious content uploaded by a HTTP client to be served.
+ This is by no means a comprehensive security document, but instead will point out a possible
injection vector that could be generated from the directives in this document.
+ Take, for example:
+ `/uploads/malicious.jpg/lalalaalala.php`
+ Would lead php-fpm to process that file (/uploads/malicious.jpg), and without certain sanity
check, possibly lead to a compromised server.
+ This, of course, is not recommended. Content uploaded using php should be saved safely outside
the DocumentRoot, and the pathinfo should be scrutinized.
+ Additionally, php-fpm should check if the script being invoked is allowed.
+ If such restrictions cannot be implemented easily, then checks could be performed prior
to proxying with a RewriteCond or FallbackResource to ensure that the URI is not altered by
the HTTP client.
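
Review bot: The closing sentence of the new Caveat section names RewriteCond and FallbackResource as checks to run before proxying but shows no directive, so a reader who applied the greedy ProxyPassMatch this section warns about has nothing concrete to copy. Add a short configuration example beside that sentence, for instance a condition that the mapped script actually exists on disk before the request is handed to php-fpm. The line "php-fpm should check if the script being invoked is allowed" should also name the setting it means; the pool option `security.limit_extensions` restricts which file extensions php-fpm will execute. On wording: "Would lead php-fpm to process that file" has no subject after "Take, for example:", "a HTTP client" should read "an HTTP client", and "certain sanity check" should be plural.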
