
Securing Apache and PHP-FPM

Given

ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/$1

how can one prevent malicious code execution when a fake image is uploaded in a folder which is then called via

http://www.foo.bar/uploads/malicious.jpg/fake.php

If I understand correctly, the request above will let Apache pass it to PHP-FPM which will execute /uploads/malicious.jpg.

I know I could add an .htaccess file in the uploads folder that removes the ProxyPassMatch, but this is something my customers don't know and they could end up being compromised.

There's a new setting in php-fpm since php 5.3.9, 'security.limit_extensions', that limits which files php-fpm will execute. The default is '.php', so the 'malicious.jpg' would not be executed.
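An added example, not part of the original question or answer: a simplified Python model of how the quoted ProxyPassMatch pattern and 'security.limit_extensions' interact for the request above. It assumes cgi.fix_pathinfo=1; the function names and the temporary docroot are constructed for illustration.

```python
import os
import re
import tempfile

# ProxyPassMatch pattern quoted in the question.
PROXY_RE = re.compile(r"^/(.*\.php(/.*)?)$")

def resolve_script(docroot, uri):
    """Return the file PHP-FPM would settle on, or None.

    Simplified model (assumption): Apache appends $1 to the docroot, and
    PHP-FPM with cgi.fix_pathinfo=1 strips trailing path segments until it
    reaches an existing regular file. Apache's URL normalisation is not modelled.
    """
    m = PROXY_RE.match(uri)
    if not m:
        return None  # request is never proxied to PHP-FPM
    docroot = os.path.abspath(docroot)
    path = os.path.join(docroot, m.group(1).lstrip("/"))
    while len(path) > len(docroot) and not os.path.isfile(path):
        path = os.path.dirname(path)  # the stripped remainder becomes PATH_INFO
    return path if os.path.isfile(path) else None

def fpm_decision(docroot, uri, limit_extensions=(".php",)):
    """Apply security.limit_extensions to the resolved script.

    An empty tuple models an empty setting, which allows every extension.
    """
    script = resolve_script(docroot, uri)
    if script is None:
        return "not-run"
    if limit_extensions and not script.endswith(tuple(limit_extensions)):
        return "denied"
    return "executed"

def make_docroot():
    """Build a constructed docroot: index.php plus an uploaded fake image."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    for rel in ("index.php", os.path.join("uploads", "malicious.jpg")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php echo 'constructed sample'; ?>")
    return root

if __name__ == "__main__":
    root = make_docroot()
    for uri in ("/index.php", "/uploads/malicious.jpg/fake.php"):
        print(uri, "default:", fpm_decision(root, uri),
              "| empty limit:", fpm_decision(root, uri, ()))
```

The check applies to the file that is actually resolved, not to the URL suffix, so the protection disappears if a pool sets 'security.limit_extensions' to an empty value or adds image extensions to it.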
