fa'asa'oga fa'asa'oga o le PHP 7.3.11, 7.1.33 ma le 7.2.24, lea kriтическая (CVE-2019-11043) i le PHP-FPM (FastCGI Process Manager) faʻaopoopoga, lea e mafai ai ona e faʻatinoina mamao lau code i luga o le polokalama. Ina ia osofaʻia 'auʻaunaga e faʻaogaina le PHP-FPM faʻatasi ma Nginx e faʻatautaia PHP scripts, ua uma ona avanoa lautele. .
O le osofaʻiga e mafai i le nginx configurations lea e tuʻuina atu i le PHP-FPM e faʻatinoina e ala i le vavaeeseina o vaega o le URL e faʻaaoga ai le "fastcgi_split_path_info" ma le faʻamalamalamaina o le PATH_INFO fesuiaiga o le siosiomaga, ae aunoa ma le siakiina muamua o le i ai o le faila e faʻaaoga ai le "try_files $fastcgi_script_name" faatonuga po'o le "afai (!-f $) document_root$fastcgi_script_name)". O le faafitauli foi i faʻatulagaga o loʻo ofoina atu mo le NextCloud platform. Mo se faʻataʻitaʻiga, fetuutuunaiga ma fausaga e pei o:
nofoaga ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^ (. +? \. php) (/.*) $;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
}
E mafai ona e siaki le fofo o le faʻafitauli i pusa tufatufaina i luga o itulau nei: , , , , , , . I le avea ai o se fofo, e mafai ona e faʻaopoopoina se siaki mo le i ai o le faila PHP talosaga pe a maeʻa le laina "fastcgi_split_path_info":
try_files $fastcgi_script_name =404;
O le faʻafitauli e mafua mai i se mea sese pe a faʻaogaina faʻailoga i totonu o se faila . Pe a tuʻuina atu se faʻailoga, e faʻapea o le tau o le PATH_INFO siosiomaga fesuiaiga e tatau ona i ai se prefix e fetaui ma le ala i le PHP script.
Afai o le fa'atonuga a fastcgi_split_path_info o lo'o fa'amaoti ai le vaeluaina o le ala fa'amaufa'ailoga e fa'aaoga ai se fa'amatalaga masani fou-maaleale (mo se fa'ata'ita'iga, o le tele o fa'ata'ita'iga o lo'o fautua mai e fa'aaoga le "^(.+?\.php)(/.*)$"), ona mafai lea e se tagata osofa'i ona mautinoa o se le aoga gaogao ua tusia i le PATH_INFO siosiomaga fesuiaiga. I lenei tulaga, e sili atu i le faʻatinoga tusia le path_info[0] i le zero ma valaau FCGI_PUTENV.
E ala i le talosagaina o se URL faʻapipiʻi i se auala patino, e mafai e le tagata osofaʻi ona ausia se suiga o le path_info pointer i le muamua byte o le "_fcgi_data_seg" fausaga, ma le tusia o se zero i lenei byte o le a taʻitaʻia ai le gaioiga o le "char * pos" fa'asino ile vaega e manatua ai. Ole isi igoa ole FCGI_PUTENV ole a fa'asolo fa'amaumauga i lenei manatua ma se tau e mafai e le tagata osofa'i ona pulea. O le manatua faʻapitoa e teuina ai foi tau o isi fesuiaiga FastCGI, ma e ala i le tusiaina o latou faʻamatalaga, e mafai e se tagata osofaʻi ona fatuina se fesuiaiga PHP_VALUE faʻamaonia ma ausia le faʻatinoina o la latou code.
puna: opennet.ru