GNU bug report logs

#62678 [PATCH] services: nginx: Harden php-location settings.


Message #5 received at submit@debbugs.gnu.org:

From: Bruno Victal <mirai@makinata.eu>
To: guix-patches@gnu.org
Subject: [PATCH] services: nginx: Harden php-location settings.
Date: Wed,  5 Apr 2023 16:34:08 +0100
Message-Id: <ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu>

Incorporate advice from [2], which mitigates the httpoxy [1] vulnerability and
disallows passing non-php files to the PHP backend.

[1]: <https://httpoxy.org/>
[2]: <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
note 4.

* gnu/services/web.scm (nginx-php-location): Only pass existing php files to
backend. Mitigate httpoxy vulnerability.
---

Tested with: make check-system TESTS="nginx php-fpm"

 gnu/services/web.scm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
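Review bot: the `if (!-f $document_root$fastcgi_script_name) { return 404; }` guard is one of the safe uses of `if` in a location (a bare `return`), but the same check can be written without `if` as `try_files $fastcgi_script_name =404;`, the conventional nginx idiom for refusing nonexistent scripts; consider that form. The `fastcgi_param HTTP_PROXY "";` line correctly sits in the same location body as the `include ... fastcgi.conf`, so both sets of parameters reach the backend. The diffstat shows only gnu/services/web.scm changing: since requests for a nonexistent `.php` path now get an nginx 404 instead of reaching php-fpm, the user-facing description of `nginx-php-location` should mention this behaviour change.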

base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
-- 
2.39.2
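To check a deployed nginx configuration for the two directives this patch adds, here is a small audit script written for this page (it is not part of the patch or of Guix); the two location blocks it scans are constructed samples, one shaped like the output before the patch and one with the hardened directives, and it also accepts the `try_files` form of the existence check.

```python
import re

# Constructed sample locations (not from the Guix tree): one as generated
# before this patch, one with the two hardening directives the patch adds.
WEAK_LOCATION = """
location ~ \\.php$ {
  fastcgi_split_path_info ^(.+\\.php)(/.+)$;
  fastcgi_pass unix:/var/run/php-fpm.sock;
  fastcgi_index index.php;
  include /etc/nginx/fastcgi.conf;
}
"""

HARDENED_LOCATION = """
location ~ \\.php$ {
  fastcgi_split_path_info ^(.+\\.php)(/.+)$;
  fastcgi_param HTTP_PROXY "";
  if (!-f $document_root$fastcgi_script_name) { return 404; }
  fastcgi_pass unix:/var/run/php-fpm.sock;
  fastcgi_index index.php;
  include /etc/nginx/fastcgi.conf;
}
"""

# HTTP_PROXY must be cleared explicitly so a client-supplied "Proxy:" header
# cannot become the HTTP_PROXY environment variable of the backend (httpoxy).
_CLEARS_HTTP_PROXY = re.compile(r'^\s*fastcgi_param\s+HTTP_PROXY\s+(""|\'\')\s*;', re.M)
# Either form refuses to hand a nonexistent script path to the backend.
_CHECKS_EXISTS = re.compile(
    r'^\s*(try_files\s+\$fastcgi_script_name\s+=404\s*;'
    r'|if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)\s*\{\s*return\s+404\s*;\s*\})',
    re.M)

def php_locations(conf):
    """Return the body of every `location ~ \\.php$ { ... }` block (no nested blocks assumed)."""
    return re.findall(r'location\s+~\s+\\\.php\$\s*\{(.*?)\n\}', conf, re.S)

def audit(conf):
    """Return one finding string per php location and missing hardening directive."""
    findings = []
    for i, body in enumerate(php_locations(conf)):
        if not _CLEARS_HTTP_PROXY.search(body):
            findings.append(f"php location {i}: HTTP_PROXY not cleared (httpoxy)")
        if not _CHECKS_EXISTS.search(body):
            findings.append(f"php location {i}: no script existence check before fastcgi_pass")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LOCATION), ("hardened", HARDENED_LOCATION)):
        print(name, audit(conf) or "ok")
```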
debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 01:33:07 2024; Machine Name: wallace-server