Vulnerability in php-fpm allowing remote code execution on the server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in the PHP-FPM (FastCGI Process Manager) extension that allows remote execution of arbitrary code on the system. A working exploit for attacking servers that use PHP-FPM together with Nginx to run PHP scripts is already publicly available.

The attack is possible in nginx configurations where forwarding to PHP-FPM is done by splitting the URL into parts with the "fastcgi_split_path_info" directive and defining the PATH_INFO environment variable, but without first checking that the file exists using the "try_files $fastcgi_script_name" directive or "if (!-f $document_root$fastcgi_script_name)". The problem also appears in the configurations shipped for the NextCloud platform. For example, configurations with a structure such as:

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }

You can follow the status of the fix in the distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a workaround, you can add a check for the existence of the requested PHP file after the "fastcgi_split_path_info" line:

    try_files $fastcgi_script_name =404;
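To make the vulnerable pattern and the workaround above concrete, here is an added example (not code from the article, nor from the PHP or nginx projects): a small Python audit script that walks the location blocks of an nginx configuration and flags any block that uses fastcgi_split_path_info and sets PATH_INFO without one of the two existence checks the article names. The two embedded configurations are constructed samples copied from the article's block, once as-is and once with the try_files line added; the block-splitting logic and the detection rules are assumptions of this example, and they recognize only the "try_files $fastcgi_script_name" and "if (!-f $document_root$fastcgi_script_name)" guard forms.

```python
import re

# Constructed sample: the vulnerable location block quoted in the article.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Constructed sample: the same block with the article's workaround applied.
HARDENED_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

# Matches the header of a location block up to and including its opening brace.
LOCATION_RE = re.compile(r"location\s+[^{]*\{")

# Guard forms named in the article; either one defeats the empty-PATH_INFO trick.
TRY_FILES_GUARD = re.compile(r"try_files\s+\$fastcgi_script_name\b")
IF_GUARD = re.compile(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)")
PATH_INFO_PARAM = re.compile(r"fastcgi_param\s+PATH_INFO\s")


def split_location_blocks(conf):
    """Yield (header, body) for each location block, tracking nested braces
    so that inner 'if (...) { ... }' blocks stay inside their parent's body."""
    blocks = []
    pos = 0
    while True:
        match = LOCATION_RE.search(conf, pos)
        if not match:
            break
        depth = 1
        end = match.end()
        while end < len(conf) and depth:
            if conf[end] == "{":
                depth += 1
            elif conf[end] == "}":
                depth -= 1
            end += 1
        header = match.group(0)[:-1].strip()      # drop the trailing '{'
        body = conf[match.end():end - 1]          # text between the braces
        blocks.append((header, body))
        pos = end
    return blocks


def is_vulnerable_block(body):
    """True when the block splits PATH_INFO out of the URL and forwards it
    without first checking that the script file exists (CVE-2019-11043 pattern)."""
    splits_path = "fastcgi_split_path_info" in body
    sets_path_info = PATH_INFO_PARAM.search(body) is not None
    guarded = TRY_FILES_GUARD.search(body) is not None or IF_GUARD.search(body) is not None
    return splits_path and sets_path_info and not guarded


def audit(conf):
    """Return the headers of all location blocks that match the vulnerable pattern."""
    return [header for header, body in split_location_blocks(conf) if is_vulnerable_block(body)]


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        flagged = audit(conf)
        print(f"{name}: {'FLAGGED ' + ', '.join(flagged) if flagged else 'ok'}")
```

Running the script prints one line per sample; only the block without the try_files guard is reported. The check is deliberately conservative: a block that uses some other existence test, or that never sets PATH_INFO, is not flagged, and a configuration that passes the audit still needs the fixed PHP release.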

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When the pointer is assigned, it is assumed that the value of the PATH_INFO environment variable contains a prefix matching the path to the PHP script.
If the fastcgi_split_path_info directive splits the script path using a regular expression that is sensitive to the newline character (for example, many examples suggest using "^(.+?\.php)(/.*)$"), an attacker can cause an empty value to be written to the PATH_INFO environment variable. In that case, execution proceeds to write a zero into path_info[0] and to call FCGI_PUTENV.

By requesting a URL formatted in a particular way, an attacker can shift the path_info pointer to the first byte of the "_fcgi_data_seg" structure, and writing a zero to that byte moves the "char* pos" pointer into a previously allocated memory area. The subsequent FCGI_PUTENV call then overwrites the data in that memory with a value the attacker controls. The same memory also holds the values of other FastCGI variables, and by overwriting them the attacker can fabricate a PHP_VALUE variable and achieve execution of their own code.

Source: opennet.ru
