PHP-FPM vulnerability allowing remote code execution on the server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in PHP-FPM (FastCGI Process Manager) that allows remote code execution on the system. A working exploit for attacking servers that use PHP-FPM in conjunction with Nginx to run PHP scripts is already publicly available.

The attack is possible in nginx configurations where forwarding to PHP-FPM is set up by splitting the URL into parts with "fastcgi_split_path_info" and defining the PATH_INFO variable, but without first checking that the file exists using the "try_files $fastcgi_script_name" directive or "if (!-f $document_root$fastcgi_script_name)". The problem also appears in the settings shipped for the NextCloud platform. For example, configurations with structures such as:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can follow the fix in the distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a workaround, you can add a check for the existence of the requested PHP file after the "fastcgi_split_path_info" line:

try_files $fastcgi_script_name =404;
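As an added example (not from the advisory or from the PHP or nginx projects), the following Python script scans an nginx configuration for location blocks showing the exposed pattern described above: PATH_INFO derived through fastcgi_split_path_info without a try_files or if (!-f ...) existence check. The sample configuration is constructed and contains one exposed block and one block with the recommended workaround applied.

```python
import re

# Constructed sample: the vulnerable block from the advisory, the same block
# with the recommended try_files check added, and an unrelated location.
SAMPLE_CONFIG = """
server {
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location /safe/ {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location /static/ {
        root /var/www;
    }
}
"""

def location_blocks(config):
    """Yield (header, body) for each location block, matching braces so that
    nested blocks (e.g. an inner 'if') stay inside the body they belong to."""
    for m in re.finditer(r'\blocation\s+([^{]+?)\s*\{', config):
        depth, start = 1, m.end()
        i = start
        while i < len(config) and depth:
            if config[i] == '{':
                depth += 1
            elif config[i] == '}':
                depth -= 1
            i += 1
        yield m.group(1).strip(), config[start:i - 1]

def is_exposed(body):
    """True when PATH_INFO is taken from fastcgi_split_path_info and no
    file-existence guard (try_files / if (!-f ...)) protects the script path."""
    splits = re.search(r'^\s*fastcgi_split_path_info\b', body, re.M)
    sets_path_info = re.search(r'^\s*fastcgi_param\s+PATH_INFO\b', body, re.M)
    guarded = (re.search(r'^\s*try_files\b.*\$fastcgi_script_name', body, re.M)
               or re.search(r'^\s*if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)', body, re.M))
    return bool(splits and sets_path_info and not guarded)

def find_exposed_locations(config):
    """Return the headers of all location blocks matching the exposed pattern."""
    return [hdr for hdr, body in location_blocks(config) if is_exposed(body)]

if __name__ == "__main__":
    for hdr in find_exposed_locations(SAMPLE_CONFIG):
        print("CVE-2019-11043 exposure pattern in: location", hdr)
```

The check is a heuristic on directive presence, not on nginx's variable semantics; the advisory places the try_files line directly after fastcgi_split_path_info, which is the form this script recognises.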

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When assigning the pointer, it is assumed that the value of the PATH_INFO variable contains a prefix matching the path to the PHP script. If the fastcgi_split_path_info directive splits the script path using a regular expression that is sensitive to newlines (for example, many examples suggest using "^(.+?\.php)(/.*)$"), then an attacker can cause an empty value to be written to the PATH_INFO environment variable. In this case, execution goes on to write path_info[0] to zero and to call FCGI_PUTENV.

By requesting a URL formatted in a particular way, an attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to that byte moves the "char *pos" pointer to a memory area located earlier. The following call to FCGI_PUTENV then overwrites data in that memory with a value the attacker can control. The same memory also holds the values of other FastCGI variables, and by overwriting their data the attacker can create a fictitious PHP_VALUE variable and achieve execution of their code.

Source: opennet.ru
