jenkins-bot has submitted this change and it was merged. Change subject: Whitelist known php files for nginx ......................................................................
Whitelist known php files for nginx Prevents execution of random php files through http requests. Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272 --- M puppet/modules/nginx/files/translatewiki.net 1 file changed, 7 insertions(+), 1 deletion(-) Approvals: Siebrand: Looks good to me, approved jenkins-bot: Verified
diff --git a/puppet/modules/nginx/files/translatewiki.net b/puppet/modules/nginx/files/translatewiki.net
index 66ddc05..d291e1e 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -33,13 +33,19 @@
 deny all;
 }
- location ~* \.php$ {
+ # Allowed php files, case sensitive
+ location ~ ^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php$ {
 fastcgi_pass unix:/var/run/php5-fpm.sock;
 fastcgi_buffers 16 4k;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }
+ # Deny access to all php files except those above
+ location ~* \.php$ {
+ deny all;
+ }
+
 location ~* ^/static/mainpage/.*\.jpg$ {
 if ($http_accept ~ "image/webp") {
 add_header Vary Accept;
-- To view, visit https://gerrit.wikimedia.org/r/103560 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272 Gerrit-PatchSet: 1 Gerrit-Project: translatewiki Gerrit-Branch: master Gerrit-Owner: Nikerabbit <niklas.laxst...@gmail.com> Gerrit-Reviewer: Siebrand <siebr...@wikimedia.org> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
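Review bot: The new catch-all `location ~* \.php$ { deny all; }` only does its job while it stays below the allowlist block, because nginx picks the first regex location that matches in file order, and neither added comment records that dependency. I would extend the first comment to something like `# Allowed php files, case sensitive; must stay above the catch-all deny below (first matching regex location wins)`. The same ordering rule applies to any regex location earlier in the file, and a `^~` prefix location would bypass both blocks; the rest of the server block lies outside this hunk, so that should be checked rather than assumed. The deny also matches only URIs ending in `.php`, so files such as `.php5`, `.phtml` or editor backup copies are presumably left to whatever serves static content and could be returned as source; if any exist under the docroot, widening the deny pattern would cover them.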