Vulnerability in php-fpm allowing remote code execution on the server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available. They fix a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension that allows an attacker to execute their own code on the system. A working exploit for attacking servers that use PHP-FPM together with Nginx to run PHP scripts is already publicly available.

The attack is possible in nginx configurations in which forwarding to PHP-FPM is done by splitting parts of the URL with "fastcgi_split_path_info" and defining the PATH_INFO environment variable, but without first checking that the file exists with the "try_files $fastcgi_script_name" directive or with "if (!-f $document_root$fastcgi_script_name)". The problem also shows up in the configurations offered for the NextCloud platform. For example, configurations with constructs such as:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can follow the fix for this problem in the distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a workaround, you can add a check for the existence of the requested PHP file after the "fastcgi_split_path_info" line:

try_files $fastcgi_script_name =404;
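The following Python script is an added example; it is not code from the article, from nginx or from the PHP project. It models the fastcgi_split_path_info regex above with Python's re module (which, like nginx's PCRE, does not let "." match a newline), shows what PATH_INFO and SCRIPT_FILENAME nginx would hand to PHP-FPM for a request carrying an encoded newline, with and without the try_files workaround, and audits nginx configuration text for the fragile pattern. The configuration strings, the document root and the set of "existing" scripts are constructed inline, and the function names are mine.

```python
import re
from urllib.parse import unquote

# The split regex from the vulnerable location block above. PCRE and Python's
# re agree that '.' does not match a newline unless DOTALL is requested.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

DOCUMENT_ROOT = "/var/www/html"  # constructed stand-in for $document_root


def split_path_info(uri):
    """Model nginx's fastcgi_split_path_info for one decoded $uri.

    Returns ($fastcgi_script_name, $fastcgi_path_info). When the regex
    does not match, nginx keeps the whole URI as $fastcgi_script_name and
    $fastcgi_path_info is empty, which is the condition the article
    describes.
    """
    m = SPLIT_RE.match(uri)
    if m:
        return m.group(1), m.group(2)
    return uri, ""


def fastcgi_env(request_uri, existing_scripts, check_file):
    """Build the variables nginx would pass to PHP-FPM for one request.

    existing_scripts: constructed stand-in for the filesystem, paths
    relative to $document_root. check_file=True models the workaround
    'try_files $fastcgi_script_name =404;'. Returns None when nginx
    answers 404 itself and PHP-FPM never sees the request.
    """
    # nginx decodes percent-escapes into $uri before the regex runs,
    # so %0a in the request line becomes a literal newline here.
    uri = unquote(request_uri.split("?", 1)[0])
    script, path_info = split_path_info(uri)
    if check_file and script not in existing_scripts:
        return None
    return {
        "SCRIPT_NAME": script,
        "SCRIPT_FILENAME": DOCUMENT_ROOT + script,
        "PATH_INFO": path_info,
    }


def audit_nginx_config(text):
    """Flag location blocks that split PATH_INFO without a file check.

    Returns a list of (location header, reason). Assumes one directive per
    line and strips '#' comments first; nested blocks are skipped over by
    brace counting.
    """
    text = re.sub(r"#[^\n]*", "", text)
    flagged = []
    for m in re.finditer(r"location\s+[^{]+\{", text):
        depth, i = 0, m.end() - 1
        while i < len(text):            # find the matching closing brace
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = text[m.end():i]
        splits = "fastcgi_split_path_info" in body
        sets_path_info = re.search(r"fastcgi_param\s+PATH_INFO\b", body) is not None
        checks_file = ("try_files $fastcgi_script_name" in body
                       or "if (!-f $document_root$fastcgi_script_name)" in body)
        if splits and sets_path_info and not checks_file:
            flagged.append((m.group(0).strip(),
                            "PATH_INFO split without a file-existence check"))
    return flagged


# Constructed configs: the block from the article, and the same block with
# the workaround inserted after fastcgi_split_path_info.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""
FIXED_CONF = VULNERABLE_CONF.replace(
    "    fastcgi_param PATH_INFO",
    "    try_files $fastcgi_script_name =404;\n    fastcgi_param PATH_INFO")

if __name__ == "__main__":
    scripts = {"/index.php"}
    for uri in ("/index.php/a/b", "/index.php/x%0ay"):
        print(uri, "->", fastcgi_env(uri, scripts, check_file=False),
              "| with try_files:", fastcgi_env(uri, scripts, check_file=True))
    print("vulnerable:", audit_nginx_config(VULNERABLE_CONF))
    print("fixed:", audit_nginx_config(FIXED_CONF))
```

Run it as a script to see that "/index.php/x%0ay" reaches PHP-FPM with an empty PATH_INFO and a SCRIPT_FILENAME that carries the junk tail, while the try_files variant stops at nginx with a 404. The audit function only recognises the two checks named in the article; a site that validates the script some other way will still be flagged and needs a manual look.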

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When the pointer is assigned, the code assumes that the value of the PATH_INFO environment variable ends with a suffix matching the trailing part of the path to the PHP script. If the fastcgi_split_path_info directive splits the script path with a regular expression that is sensitive to newline characters (for example, many examples suggest "^(.+?\.php)(/.*)$", where "." does not match a newline), the attacker can cause an empty value to be written to the PATH_INFO environment variable. Execution then proceeds to write a zero to path_info[0] and to call FCGI_PUTENV.

By requesting a URL formatted in a specific way, the attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to that byte moves the "char* pos" pointer into a memory area that lies before it. The next FCGI_PUTENV call then overwrites the data in that memory with a value the attacker controls. The same memory also holds the values of other FastCGI variables, and by overwriting them the attacker can forge a PHP_VALUE variable and achieve execution of their own code.
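As an added illustration, not PHP's source and not code from the article, the following Python model reproduces the arithmetic behind the pointer shift. FPM walks SCRIPT_FILENAME back one "/"-separated component at a time until it names a real file, takes the length of the stripped tail (slen) and the length of PATH_INFO (pilen), and points path_info at env_path_info + pilen - slen. With an empty PATH_INFO the offset is negative, grows with the length of the junk tail in the URL, and the zero write lands before the buffer. The constructed "filesystem" set, the header bytes standing in for _fcgi_data_seg and the function names are mine; the `patched` branch models a bounds check of the form pilen > slen, which is my reading of the fix rather than text from the article.

```python
def find_real_script(script_filename, existing_files):
    """Model FPM's walk-back over SCRIPT_FILENAME.

    Strips trailing '/'-separated components until the path names a file
    in existing_files (a constructed stand-in for stat()). Returns the
    real script path, or None if nothing on the way up exists.
    """
    pt = script_filename
    while pt not in existing_files and "/" in pt:
        pt = pt.rsplit("/", 1)[0]
    return pt if pt in existing_files else None


def fpm_nul_write_offset(script_filename, real_script, path_info, patched=False):
    """Index, relative to the start of the PATH_INFO buffer, at which FPM
    writes the terminating zero before calling FCGI_PUTENV.

    script_filename: SCRIPT_FILENAME as the web server sent it
    real_script:     the prefix of it that actually exists on disk
    path_info:       the PATH_INFO value the web server sent
    patched:         apply a guard of the form pilen > slen (assumption:
                     models the kind of check the fixed releases add)
    Returns None when the rewrite is skipped.
    """
    if not script_filename.startswith(real_script):
        raise ValueError("real_script must be a prefix of script_filename")
    slen = len(script_filename) - len(real_script)   # tail after the real file
    pilen = len(path_info)
    if patched and not pilen > slen:
        return None
    return pilen - slen   # path_info = env_path_info + pilen - slen


def simulate_write(path_info, offset, header):
    """Lay out a fake segment header directly before the PATH_INFO string
    and apply the single zero-byte write at `offset`.

    Returns (header_after, path_info_buffer_after). A negative offset
    therefore shows which header byte the write clobbers; the real
    structure layout is not reproduced here.
    """
    mem = bytearray(header + path_info.encode() + b"\0")
    base = len(header)                 # PATH_INFO buffer starts after the header
    idx = base + offset
    if idx < 0 or idx >= len(mem):
        raise IndexError("write falls outside the modelled memory")
    mem[idx] = 0
    return bytes(mem[:base]), bytes(mem[base:])


if __name__ == "__main__":
    files = {"/var/www/html/index.php"}          # constructed filesystem
    header = b"H" * 8                            # constructed stand-in for _fcgi_data_seg

    # Ordinary request: nginx split the URL, PATH_INFO matches the tail.
    benign = "/var/www/html/index.php/a/b"
    real = find_real_script(benign, files)
    print("benign offset:", fpm_nul_write_offset(benign, real, "/a/b"))

    # Request with a newline in the tail: the split failed, PATH_INFO is
    # empty, SCRIPT_FILENAME still carries the tail.
    crafted = "/var/www/html/index.php/x\nyyy"
    real = find_real_script(crafted, files)
    off = fpm_nul_write_offset(crafted, real, "")
    print("crafted offset:", off, "->", simulate_write("", off, header))
    print("crafted, patched:", fpm_nul_write_offset(crafted, real, "", patched=True))
```

Lengthening the tail after "/index.php/" moves the write further back, which is how the offset is steered to a chosen byte in the preceding structure. The model stops at the single zero write; the subsequent FCGI_PUTENV overwrite that the article describes depends on the real layout of _fcgi_data_seg and is not simulated.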

Source: opennet.ru
