Edit report at https://bugs.php.net/bug.php?id=55181&edit=1

 ID:                 55181
 Comment by:         cbarry at artspan dot com
 Reported by:        f...@php.net
 Summary:            Enhance security by limiting the script extension
 Status:             Closed
 Type:               Feature/Change Request
 Package:            FPM related
 Operating System:   any
 PHP Version:        5.3.6
 Assigned To:        fat
 Block user comment: N
 Private report:     N

 New Comment:

The default for this new setting should not be '.php'.  There are many reasons 
that people may choose different file extensions (or no extension at all), and 
this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:
security.limit_extensions = FALSE

Which should be the default, or at least documented in the configuration files.

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)


Previous Comments:
------------------------------------------------------------------------
[2012-01-16 10:32:37] gwenmael dot rouxel at neovote dot com

As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the 
debian packages. 
So the version was silently upgraded, and I was scratching my head for the 
whole weekend trying to figure this out. Only this morning did I stumble upon 
the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.

------------------------------------------------------------------------
[2012-01-14 12:16:44] public at grik dot net

It would be MUCH better if you did it the same way it's done with date.timezone: 
if the setting is not defined, it gives a warning on PHP start.

Now everyone blindly upgrading to a minor release with the same php-fpm.conf 
is shooting themselves in the foot.

------------------------------------------------------------------------
[2012-01-13 08:57:15] laph at gmx dot net

This is a massive functionality change, breaking every application that doesn't 
stick to the ".php" File-Extension when upgrading from 5.3.8 to 5.3.9 since if 
"security.limit_extensions" is unset, it's limited to ".php".

Additionally this new configuration setting is not documented in the FPM-Docs. 

Please, don't do such changes in minor releases. Or at least document them 
properly!

------------------------------------------------------------------------
[2011-10-08 19:52:26] f...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------
[2011-10-08 13:42:08] f...@php.net

Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=317894
Log: - Backported FR #55181 from 5.4 branch (Enhance security by limiting 
access to user defined extensions)

------------------------------------------------------------------------
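
Added example (not part of the bug report and not PHP's own code): a pre-upgrade check that lists each FPM pool's effective security.limit_extensions, separating pools that leave it unset (and so fall back to ".php", the case the comments above describe) from pools that switch the restriction off. The pool names, paths and extension lists in the sample are constructed; treating FALSE as "no restriction" follows the comment above and is an assumption here.

```python
import re

# Constructed sample pool file; pool names, paths and extensions are made up.
SAMPLE_CONF = """\
[www]
listen = /run/php-fpm-www.sock
; security.limit_extensions = .php .phtml

[legacy]
listen = /run/php-fpm-legacy.sock
security.limit_extensions = FALSE

[api]
security.limit_extensions = .php .inc
"""

DIRECTIVE = "security.limit_extensions"
# Empty value disables the limit; FALSE is the value reported in the thread.
UNRESTRICTED = {"", "false"}


def audit_pools(text):
    """Return {pool: (status, extensions)} for each [pool] section in text."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # a commented-out directive does not count as set
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            name = section.group(1)
            current = None if name == "global" else name  # [global] is not a pool
            if current:
                # Unset: FPM falls back to ".php" only (per the thread, since 5.3.9).
                pools[current] = ("default", [".php"])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep or key.strip() != DIRECTIVE:
            continue
        value = value.split(";")[0].strip().strip("\"'")  # drop trailing comment
        if value.lower() in UNRESTRICTED:
            pools[current] = ("unrestricted", [])
        else:
            pools[current] = ("explicit", value.split())
    return pools


if __name__ == "__main__":
    for pool, (status, exts) in audit_pools(SAMPLE_CONF).items():
        print(f"{pool:8} {status:13} {' '.join(exts) or '(any extension)'}")
```

Pools reported as "default" are the ones that start answering 'Access Denied.' for non-.php scripts after the upgrade; pools reported as "unrestricted" have given up the protection the feature request added.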


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=55181

