Vulnerability in php-fpm that allows remote code execution on a server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in PHP-FPM (FastCGI Process Manager) that allows remote execution of arbitrary code on the system. A working exploit for attacking servers that use PHP-FPM to run PHP scripts together with Nginx is already publicly available.

The attack is possible in nginx configurations where forwarding to PHP-FPM is done by splitting the URL into parts with "fastcgi_split_path_info" and defining the PATH_INFO environment variable, but without first checking that the file exists with the "try_files $fastcgi_script_name" directive or "if (!-f $document_root$fastcgi_script_name)". The problem also appears in the configuration offered for the NextCloud platform. For example, configurations of the following form are vulnerable:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can follow the fixes on the distributions' pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a protective measure, after the "fastcgi_split_path_info" line you can add a check that the requested PHP file exists:

try_files $fastcgi_script_name =404;
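As an added example (not from the article, nor part of nginx or PHP), the following Python checker scans nginx configuration text for location blocks that split PATH_INFO for PHP-FPM without either of the two existence checks named above; the two nginx snippets inside it are constructed samples, and it assumes no literal "{" appears inside a location regex.

```python
import re

# Constructed nginx snippets (not from a real server): the first mirrors the
# vulnerable pattern described above, the second adds the try_files guard.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""
FIXED_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;   # rejects requests for scripts that do not exist
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

LOCATION_RE = re.compile(r"\blocation\b[^{]*\{")  # assumption: no '{' inside the location regex
SPLIT_RE = re.compile(r"\bfastcgi_split_path_info\b")
PATH_INFO_RE = re.compile(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b")
GUARD_RES = (  # either form of the existence check named in the article
    re.compile(r"\btry_files\b[^;]*\$fastcgi_script_name"),
    re.compile(r"\bif\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
)

def location_blocks(conf):
    """Return (header, body) for each location block, matching braces by depth count."""
    blocks, pos = [], 0
    while (m := LOCATION_RE.search(conf, pos)):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(0)[:-1].strip(), conf[m.end():i - 1]))
        pos = i  # nested location blocks are examined as part of their parent only
    return blocks

def find_unguarded_path_info(conf):
    """Headers of blocks that split PATH_INFO for PHP-FPM without checking the script exists."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments before matching directives
    return [
        header for header, body in location_blocks(conf)
        if SPLIT_RE.search(body) and PATH_INFO_RE.search(body)
        and not any(g.search(body) for g in GUARD_RES)
    ]

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", find_unguarded_path_info(conf) or "no unguarded PATH_INFO blocks")
```

Run it against the output of "nginx -T" to check a live server's effective configuration rather than a single file.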

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When the pointer is assigned, it is assumed that the value of the PATH_INFO environment variable contains a prefix matching the path to the PHP script. If the fastcgi_split_path_info directive splits the script path using a regular expression that is sensitive to a newline character (for example, many guides recommend "^(.+?\.php)(/.*)$"), an attacker can cause an empty value to be written to the PATH_INFO environment variable. In that case, execution continues by writing a zero to path_info[0] and calling FCGI_PUTENV.

By requesting a specially crafted URL, the attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to that byte moves the "char* pos" pointer into the memory region preceding it. The subsequent FCGI_PUTENV call then overwrites the contents of that memory with a value the attacker can control. That region also stores the values of other FastCGI variables, so by overwriting their data the attacker can create a fictitious PHP_VALUE variable and achieve execution of their code.

Source: opennet.ru
