Vulnerability in php-fpm allowing remote code execution on the server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension that allows remote execution of code on the system. A working exploit for attacking servers that use PHP-FPM to run PHP scripts alongside Nginx has already been made public.

The attack is possible in nginx configurations in which forwarding to PHP-FPM is done by splitting parts of the URL with "fastcgi_split_path_info" and defining the PATH_INFO environment variable, but without checking that the file exists with the "try_files $fastcgi_script_name" directive or with "if (!-f $document_root$fastcgi_script_name)". The problem also shows up in the settings shipped for the NextCloud project. For example, configurations with constructs of the following form are vulnerable:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can track the fix in the distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a security workaround, after the "fastcgi_split_path_info" line you can add a check that the requested PHP file actually exists:

try_files $fastcgi_script_name =404;
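The following Python script is an added example, not part of the original article: it walks an nginx configuration, finds every location block that forwards to PHP-FPM with fastcgi_split_path_info, and reports those that lack either of the two file-existence guards named above. The two embedded configurations are constructed samples mirroring the vulnerable block and the try_files workaround.

```python
import re

# Constructed sample configs: the first mirrors the vulnerable pattern,
# the second adds the try_files guard recommended as a workaround.
VULNERABLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
"""

HARDENED_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
"""

LOCATION_RE = re.compile(r"^\s*location\b")
# Either accepted guard: try_files on the script name, or an explicit -f test.
GUARD_RE = re.compile(
    r"try_files\s+\$fastcgi_script_name"
    r"|if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")


def location_blocks(conf):
    """Return (header, body) pairs for every location block, tracking brace depth."""
    blocks, open_blocks, depth = [], [], 0
    for line in conf.splitlines():
        stripped = line.split("#", 1)[0]          # drop trailing comments
        if LOCATION_RE.match(stripped):
            header = stripped.strip().rstrip("{").strip()
            open_blocks.append((header, depth, []))
        else:
            for _, _, body in open_blocks:        # nested blocks feed their parents too
                body.append(stripped)
        depth += stripped.count("{") - stripped.count("}")
        while open_blocks and depth <= open_blocks[-1][1]:
            header, _, body = open_blocks.pop()
            blocks.append((header, "\n".join(body)))
    return blocks


def audit(conf):
    """Headers of blocks that split PATH_INFO for PHP-FPM without a file-existence guard."""
    return [header for header, body in location_blocks(conf)
            if "fastcgi_split_path_info" in body and "fastcgi_pass" in body
            and not GUARD_RE.search(body)]


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or "no unguarded PHP-FPM locations")
```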

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When a pointer is assigned, it is assumed that the value of the PATH_INFO environment variable contains a prefix matching the path to the PHP script.
If the fastcgi_split_path_info directive splits the path to the script with a regular expression that is sensitive to a newline character (for example, many examples recommend using "^(.+?\.php)(/.*)$"), an attacker can pass an empty value in the PATH_INFO environment variable. In this case, further along the execution path, path_info[0] is written as zero and FCGI_PUTENV is called.

By requesting a specially formatted URL, an attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing zero to that byte moves the "char* pos" pointer into an earlier memory region. The FCGI_PUTENV call that follows then overwrites the data in that memory with a value the attacker controls. That memory region also holds the values of other FastCGI variables, and by overwriting them the attacker can create a fictitious PHP_VALUE variable and achieve execution of their code.

Source: opennet.ru
