Message ID | ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu |
---|---|
State | New |
Headers | show |
Series | [bug#62678] services: nginx: Harden php-location settings. | expand |
I wonder if we should at least make the HTTP_PROXY variable configurable. It may need to be set to something else then "" in some scenarios. I don't know...
Hi Jonathan, On 2023-04-05 21:19, Jonathan Brielmaier wrote: > I wonder if we should at least make the HTTP_PROXY variable > configurable. It may need to be set to something else then "" in some > scenarios. I don't know... No, there's no legitimate reason for this, since 'PROXY' is not a standard HTTP header according to [1]. PROXY being passed to a cgi application as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as a variable for configuring proxies (for curl, wget, etc.) Allowing HTTP_PROXY to be set remotely (due to a confusion with the non-standard 'PROXY' header) is simply incomprehensible. Regarding user intent, that is, configuring the proxy used by the cgi application by setting HTTP_PROXY via nginx? I don't have this use-case but IMO it feels like an extreme poor design, since it's exploiting a name confusion to change the system environment variables for the cgi application. If for some reason you really need this, you can always use the regular nginx-location-configuration to manually craft a php-location. [1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml Cheers, Bruno
Hi Bruno, Bruno Victal 写道: > Incorporate advice from [2], which mitigates httpoxy[1] > vulnerability and > disallows passing non-php files to the PHP backend. > > [1]: <https://httpoxy.org/> > [2]: > <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>, > note 4. This is a better comment than commit message. I made it so and pushed your changes as commit cbc14b3baea457cf2718b85f767d39ff3911ce91. Thanks! T G-R
diff --git a/gnu/services/web.scm b/gnu/services/web.scm index d56e893527..f5ed027bb4 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm @@ -1123,6 +1123,10 @@ (define* (nginx-php-location (uri "~ \\.php$") (body (list "fastcgi_split_path_info ^(.+\\.php)(/.+)$;" + ;; Mitigate https://httpoxy.org/ vulnerabilities + "fastcgi_param HTTP_PROXY \"\";" + ;; Only pass existing php files to the backend. + "if (!-f $document_root$fastcgi_script_name) { return 404; }" (string-append "fastcgi_pass unix:" socket ";") "fastcgi_index index.php;" (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))