Edit report at https://bugs.php.net/bug.php?id=55181&edit=1

ID:                 55181
Comment by:         cbarry at artspan dot com
Reported by:        f...@php.net
Summary:            Enhance security by limiting the script extension
Status:             Closed
Type:               Feature/Change Request
Package:            FPM related
Operating System:   any
PHP Version:        5.3.6
Assigned To:        fat
Block user comment: N
Private report:     N

New Comment:

The default for this new setting should not be '.php'. There are many reasons that people may choose different file extensions (or no extension at all), and this new feature will break all those pages. ('Access Denied.' message)

I've found that a way to change this setting is to use:

security.limit_extensions = FALSE

Which should be the default, or at least documented in the configuration files.

Using PHP 5.3.10-1ubuntu3 (latest available version for ubuntu precise)

Previous Comments:
------------------------------------------------------------------------
[2012-01-16 10:32:37] gwenmael dot rouxel at neovote dot com

As said by the previous commenter...

My servers are installed by an automated script, which gets PHP-FPM from the debian packages. So the version was silently upgraded, and I was scratching my head for the whole weekend trying to figure this out. Only this morning did I stumble upon the changelog and was able to make configuration changes.

A warning in the PHP FPM log would really be useful indeed.

------------------------------------------------------------------------
[2012-01-14 12:16:44] public at grik dot net

it would be MUCH better if you do the same way it's done with date.timezone: if the setting is not defined, it gives a warning on PHP start

now everyone blindly upgrading to a minor release with the same php-fpm.conf are shooting their feet

------------------------------------------------------------------------
[2012-01-13 08:57:15] laph at gmx dot net

This is a massive functionality change, breaking every application that doesn't stick to the ".php" File-Extension when upgrading from 5.3.8 to 5.3.9 since if "security.limit_extensions" is unset, it's limited to ".php".

Additionally this new configuration setting is not documented in the FPM-Docs.

Please, don't do such changes in minor releases. Or at least document them properly!

------------------------------------------------------------------------
[2011-10-08 19:52:26] f...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2011-10-08 13:42:08] f...@php.net

Automatic comment from SVN on behalf of fat
Revision: http://svn.php.net/viewvc/?view=revision&revision=317894
Log: - Backported FR #55181 from 5.4 branch (Enhance security by limiting access to user defined extensions)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=55181
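
An added example, not part of the bug report or of PHP's own code: a pre-upgrade audit that reads a pool configuration, works out the effective security.limit_extensions per pool, and lists the scripts that would start returning 'Access Denied.'. Assumptions: the configuration text, pool names and script paths are constructed; an unset directive means ".php" only and FALSE disables the limit, both as reported in the comments above; FPM is assumed to compare each extension against the end of the script path.

```python
import re

KEY = "security.limit_extensions"
DEFAULT = [".php"]  # per the thread: an unset directive means ".php" only

# Constructed sample pool configuration (not taken from the report).
SAMPLE_CONF = """\
[global]
error_log = /var/log/php-fpm.log

[www]            ; pool carried over from 5.3.8, directive never set
listen = 127.0.0.1:9000

[legacy]
listen = 127.0.0.1:9001
security.limit_extensions = .php .phtml

[open]
listen = 127.0.0.1:9002
security.limit_extensions = FALSE
"""
SAMPLE_SCRIPTS = ["/srv/app/index.php", "/srv/app/report.phtml", "/srv/app/status"]

def effective_limits(conf_text):
    """Map each pool to its allowed extensions, or None when the limit is off."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            if current != "global":
                pools[current] = list(DEFAULT)
        elif current in pools and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == KEY:
                # Assumption from the newest comment: FALSE (or empty) disables the limit.
                off = value == "" or value.upper() == "FALSE"
                pools[current] = None if off else value.split()
    return pools

def audit(conf_text, scripts):
    """Per pool: scripts that would be refused, or 'unrestricted'."""
    report = {}
    for pool, allowed in effective_limits(conf_text).items():
        if allowed is None:
            report[pool] = "unrestricted"
        else:
            report[pool] = [s for s in scripts if not s.endswith(tuple(allowed))]
    return report

if __name__ == "__main__":
    for pool, result in audit(SAMPLE_CONF, SAMPLE_SCRIPTS).items():
        print(pool, result)
```

Pools reported as "unrestricted" have the extension limit this feature request introduced switched off, so they are worth reviewing separately from the pools that merely need their extension list widened.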