maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

add new security.limit_extensions setting to fpm-daemon settings

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2018-01-10 15:20:19 +01:00
parent 281b131c62
commit f2a79d4d96
11 changed files with 63 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
admin_phpsettings.php
View File

@@ -417,6 +417,7 @@ if ($page == 'overview') {
$max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : 0; $max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : 0;
$max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : 0; $max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : 0;
$idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : 0; $idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : 0;
$limit_extensions = validate($_POST['limit_extensions'], 'limit_extensions');
if (strlen($description) == 0 || strlen($description) > 50) { if (strlen($description) == 0 || strlen($description) > 50) {
standard_error('descriptioninvalid'); standard_error('descriptioninvalid');
@@ -433,7 +434,8 @@ if ($page == 'overview') {
`min_spare_servers` = :min_spare_servers, `min_spare_servers` = :min_spare_servers,
`max_spare_servers` = :max_spare_servers, `max_spare_servers` = :max_spare_servers,
`max_requests` = :max_requests, `max_requests` = :max_requests,
`idle_timeout` = :idle_timeout `idle_timeout` = :idle_timeout,
`limit_extensions` = :limit_extensions
"); ");
$ins_data = array( $ins_data = array(
'desc' => $description, 'desc' => $description,
@@ -445,7 +447,8 @@ if ($page == 'overview') {
'min_spare_servers' => $min_spare_servers, 'min_spare_servers' => $min_spare_servers,
'max_spare_servers' => $max_spare_servers, 'max_spare_servers' => $max_spare_servers,
'max_requests' => $max_requests, 'max_requests' => $max_requests,
'idle_timeout' => $idle_timeout 'idle_timeout' => $idle_timeout,
'limit_extensions' => $limit_extensions
); );
Database::pexecute($ins_stmt, $ins_data); Database::pexecute($ins_stmt, $ins_data);
@@ -543,6 +546,7 @@ if ($page == 'overview') {
$max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : $result['max_spare_servers']; $max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : $result['max_spare_servers'];
$max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : $result['max_requests']; $max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : $result['max_requests'];
$idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : $result['idle_timeout']; $idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : $result['idle_timeout'];
$limit_extensions = validate($_POST['limit_extensions'], 'limit_extensions');
if (strlen($description) == 0 || strlen($description) > 50) { if (strlen($description) == 0 || strlen($description) > 50) {
standard_error('descriptioninvalid'); standard_error('descriptioninvalid');
@@ -559,7 +563,8 @@ if ($page == 'overview') {
`min_spare_servers` = :min_spare_servers, `min_spare_servers` = :min_spare_servers,
`max_spare_servers` = :max_spare_servers, `max_spare_servers` = :max_spare_servers,
`max_requests` = :max_requests, `max_requests` = :max_requests,
`idle_timeout` = :idle_timeout `idle_timeout` = :idle_timeout,
`limit_extensions` = :limit_extensions
WHERE `id` = :id WHERE `id` = :id
"); ");
$upd_data = array( $upd_data = array(
@@ -573,6 +578,7 @@ if ($page == 'overview') {
'max_spare_servers' => $max_spare_servers, 'max_spare_servers' => $max_spare_servers,
'max_requests' => $max_requests, 'max_requests' => $max_requests,
'idle_timeout' => $idle_timeout, 'idle_timeout' => $idle_timeout,
'limit_extensions' => $limit_extensions,
'id' => $id 'id' => $id
); );
Database::pexecute($upd_stmt, $upd_data); Database::pexecute($upd_stmt, $upd_data);

3
install/froxlor.sql
View File

@@ -590,7 +590,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('panel', 'password_special_char', '!?<>§$%+#=@'), ('panel', 'password_special_char', '!?<>§$%+#=@'),
('panel', 'customer_hide_options', ''), ('panel', 'customer_hide_options', ''),
('panel', 'version', '0.9.38.8'), ('panel', 'version', '0.9.38.8'),
('panel', 'db_version', '201801100'); ('panel', 'db_version', '201801101');
DROP TABLE IF EXISTS `panel_tasks`; DROP TABLE IF EXISTS `panel_tasks`;
@@ -770,6 +770,7 @@ CREATE TABLE `panel_fpmdaemons` (
`max_spare_servers` int(4) NOT NULL DEFAULT '35', `max_spare_servers` int(4) NOT NULL DEFAULT '35',
`max_requests` int(4) NOT NULL DEFAULT '0', `max_requests` int(4) NOT NULL DEFAULT '0',
`idle_timeout` int(4) NOT NULL DEFAULT '30', `idle_timeout` int(4) NOT NULL DEFAULT '30',
`limit_extensions` varchar(255) NOT NULL default '.php',
PRIMARY KEY (`id`), PRIMARY KEY (`id`),
UNIQUE KEY `reload` (`reload_cmd`), UNIQUE KEY `reload` (`reload_cmd`),
UNIQUE KEY `config` (`config_dir`) UNIQUE KEY `config` (`config_dir`)

9
install/updates/froxlor/0.9/update_0.9.inc.php
View File

@@ -3752,3 +3752,12 @@ if (isDatabaseVersion('201801091')) {
updateToDbVersion('201801100'); updateToDbVersion('201801100');
} }
if (isDatabaseVersion('201801100')) {
showUpdateStep("Adding field for security.limit_extensions fpm-setting");
Database::query("ALTER TABLE `" . TABLE_PANEL_FPMDAEMONS . "` ADD `limit_extensions` varchar(255) NOT NULL default '.php';");
lastStepStatus(0);
updateToDbVersion('201801101');
}

2
lib/classes/phpinterface/class.phpinterface_fpm.php
View File

@@ -192,6 +192,7 @@ class phpinterface_fpm
$fpm_max_spare_servers = (int) $this->_fpm_cfg['max_spare_servers']; $fpm_max_spare_servers = (int) $this->_fpm_cfg['max_spare_servers'];
$fpm_requests = (int) $this->_fpm_cfg['max_requests']; $fpm_requests = (int) $this->_fpm_cfg['max_requests'];
$fpm_process_idle_timeout = (int) $this->_fpm_cfg['idle_timeout']; $fpm_process_idle_timeout = (int) $this->_fpm_cfg['idle_timeout'];
$fpm_limit_extensions = $this->_fpm_cfg['limit_extensions'];
if ($fpm_children == 0) { if ($fpm_children == 0) {
$fpm_children = 1; $fpm_children = 1;
@@ -255,6 +256,7 @@ class phpinterface_fpm
} }
$fpm_config .= ';chroot = ' . makeCorrectDir($this->_domain['documentroot']) . "\n"; $fpm_config .= ';chroot = ' . makeCorrectDir($this->_domain['documentroot']) . "\n";
$fpm_config .= 'security.limit_extensions = '.$fpm_limit_extensions . "\n";
$tmpdir = makeCorrectDir(Settings::Get('phpfpm.tmpdir') . '/' . $this->_domain['loginname'] . '/'); $tmpdir = makeCorrectDir(Settings::Get('phpfpm.tmpdir') . '/' . $this->_domain['loginname'] . '/');
if (! is_dir($tmpdir)) { if (! is_dir($tmpdir)) {

9
lib/formfields/admin/phpconfig/formfield.fpmconfig_add.php
View File

@@ -81,6 +81,15 @@ return array(
'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'], 'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'],
'type' => 'int', 'type' => 'int',
'value' => 30 'value' => 30
),
'limit_extensions' => array(
'label' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['title'],
'desc' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['description'],
'type' => 'string',
'string_delimiter' => ' ',
'string_regexp' => '^\.[a-z]([a-z0-9]+)',
'string_emptyallowed' => false,
'value' => '.php'
) )
) )
) )

9
lib/formfields/admin/phpconfig/formfield.fpmconfig_edit.php
View File

@@ -82,6 +82,15 @@ return array(
'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'], 'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'],
'type' => 'int', 'type' => 'int',
'value' => $result['idle_timeout'] 'value' => $result['idle_timeout']
),
'limit_extensions' => array(
'label' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['title'],
'desc' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['description'],
'type' => 'string',
'string_delimiter' => ' ',
'string_regexp' => '^\.[a-z]([a-z0-9]+)',
'string_emptyallowed' => false,
'value' => $result['limit_extensions']
) )
) )
) )

2
lib/version.inc.php
View File

@@ -19,7 +19,7 @@
$version = '0.9.38.8'; $version = '0.9.38.8';
// Database version (YYYYMMDDC where C is a daily counter) // Database version (YYYYMMDDC where C is a daily counter)
$dbversion = '201801100'; $dbversion = '201801101';
// Distribution branding-tag (used for Debian etc.) // Distribution branding-tag (used for Debian etc.)
$branding = ''; $branding = '';

2
lng/english.lng.php
View File

@@ -2094,3 +2094,5 @@ $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate
$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" / "CGIPassAuth On" to vhosts'; $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" / "CGIPassAuth On" to vhosts';
$lng['serversettings']['ssl']['ssl_protocols']['title'] = 'Configure the TLS protocol version'; $lng['serversettings']['ssl']['ssl_protocols']['title'] = 'Configure the TLS protocol version';
$lng['serversettings']['ssl']['ssl_protocols']['description'] = 'This is a list of ssl protocols that you want (or don\'t want) to use when using SSL. <b>Notice:</b> Some older browsers may not support the newest protcol versions.<br /><br /><b>Default value is:</b><pre>TLSv1, TLSv1.2</pre>'; $lng['serversettings']['ssl']['ssl_protocols']['description'] = 'This is a list of ssl protocols that you want (or don\'t want) to use when using SSL. <b>Notice:</b> Some older browsers may not support the newest protcol versions.<br /><br /><b>Default value is:</b><pre>TLSv1, TLSv1.2</pre>';
$lng['serversettings']['phpfpm_settings']['limit_extensions']['title'] = 'Allowed extensions';
$lng['serversettings']['phpfpm_settings']['limit_extensions']['description'] = 'Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php';

2
lng/german.lng.php
View File

@@ -1745,3 +1745,5 @@ $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 W
$lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" / "CGIPassAuth On" in Vhosts ein'; $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" / "CGIPassAuth On" in Vhosts ein';
$lng['serversettings']['ssl']['ssl_protocols']['title'] = 'SSL Protokollversion festlegen'; $lng['serversettings']['ssl']['ssl_protocols']['title'] = 'SSL Protokollversion festlegen';
$lng['serversettings']['ssl']['ssl_protocols']['description'] = 'Dies ist eine Liste von SSL/TLS Protokollversionen die genutzt werden sollen (oder auch nicht genutzt werden sollen), wenn SSL verwendet wird. <b>Hinweis:</b> Ältere Browser sind möglicherweise nicht vollständig zum neusten Protokoll kompatibel.<br /><br /><b>Standard-Wert ist:</b><pre>TLSv1, TLSv1.2</pre>'; $lng['serversettings']['ssl']['ssl_protocols']['description'] = 'Dies ist eine Liste von SSL/TLS Protokollversionen die genutzt werden sollen (oder auch nicht genutzt werden sollen), wenn SSL verwendet wird. <b>Hinweis:</b> Ältere Browser sind möglicherweise nicht vollständig zum neusten Protokoll kompatibel.<br /><br /><b>Standard-Wert ist:</b><pre>TLSv1, TLSv1.2</pre>';
$lng['serversettings']['phpfpm_settings']['limit_extensions']['title'] = 'Erlaubte Dateiendungen';
$lng['serversettings']['phpfpm_settings']['limit_extensions']['description'] = 'Beschränkt die Dateierweiterungen des Haupt-Skripts, das FPM zu parsen erlaubt. Dies kann Konfigurationsfehler auf der Webserverseite verhindern. Sie sollten FPM nur auf .php Erweiterungen beschränken, um zu verhindern, dass bösartige Nutzter andere Erweiterungen verwenden, um PHP Code auszuführen. Standardwert: .php';

10
scripts/jobs/cron_tasks.inc.http.10.apache.php
View File

@@ -327,7 +327,15 @@ class apache extends HttpConfigBase
// mod_proxy stuff for apache-2.4 // mod_proxy stuff for apache-2.4
if (Settings::Get('system.apache24') == '1' && Settings::Get('phpfpm.use_mod_proxy') == '1') { if (Settings::Get('system.apache24') == '1' && Settings::Get('phpfpm.use_mod_proxy') == '1') {
$this->virtualhosts_data[$vhosts_filename] .= ' <FilesMatch \.php$>' . "\n"; $filesmatch = $phpconfig['limit_extensions'];
$extensions = explode(" ", $filesmatch);
$filesmatch = "";
foreach ($extensions as $ext) {
$filesmatch .= $ext.'|';
}
// start block, cut off last pipe and close block
$filesmatch = '('.substr($filesmatch, -1).')';
$this->virtualhosts_data[$vhosts_filename] .= ' <FilesMatch \.'.$filesmatch.'$>'. "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost' . "\n";
$this->virtualhosts_data[$vhosts_filename] .= ' </FilesMatch>' . "\n"; $this->virtualhosts_data[$vhosts_filename] .= ' </FilesMatch>' . "\n";
if ($phpconfig['pass_authorizationheader'] == '1') { if ($phpconfig['pass_authorizationheader'] == '1') {

10
scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
View File

@@ -44,7 +44,15 @@ class apache_fcgid extends apache
if (Settings::Get('system.apache24') == '1' if (Settings::Get('system.apache24') == '1'
&& Settings::Get('phpfpm.use_mod_proxy') == '1' && Settings::Get('phpfpm.use_mod_proxy') == '1'
) { ) {
$php_options_text.= ' <FilesMatch \.php$>'. "\n"; $filesmatch = $phpconfig['limit_extensions'];
$extensions = explode(" ", $filesmatch);
$filesmatch = "";
foreach ($extensions as $ext) {
$filesmatch .= $ext.'|';
}
// start block, cut off last pipe and close block
$filesmatch = '('.substr($filesmatch, -1).')';
$php_options_text.= ' <FilesMatch \.'.$filesmatch.'$>'. "\n";
$php_options_text.= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost'. "\n"; $php_options_text.= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost'. "\n";
$php_options_text.= ' </FilesMatch>' . "\n"; $php_options_text.= ' </FilesMatch>' . "\n";