[MediaWiki-commits] [Gerrit] Whitelist known php files for nginx - change (translatewiki)

2013-12-27 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged.

Change subject: Whitelist known php files for nginx
..


Whitelist known php files for nginx

Prevents execution of random php files through http requests.

Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272
---
M puppet/modules/nginx/files/translatewiki.net
1 file changed, 7 insertions(+), 1 deletion(-)

Approvals:
  Siebrand: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/puppet/modules/nginx/files/translatewiki.net 
b/puppet/modules/nginx/files/translatewiki.net
index 66ddc05..d291e1e 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -33,13 +33,19 @@
deny all;
}
 
-   location ~* \.php$ {
+   # Allowed php files, case sensitive
+   location ~ 
^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_buffers 16 4k;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME 
$document_root$fastcgi_script_name;
}
 
+   # Deny access to all php files except those above
+   location ~* \.php$ {
+   deny all;
+   }
+
location ~* ^/static/mainpage/.*\.jpg$ {
if ($http_accept ~ image/webp) {
add_header Vary Accept;
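
Review bot: the allow pattern in `location ~ ^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php$` is anchored with `$`, and so is the `location ~* \.php$` fallback, which means a request that carries path info after the script name (for example /w/index.php/Some_Page) matches neither block and is handled by whichever location comes next in the file. If such URLs are meant to work, the allow pattern needs `(/|$)` in place of `$` plus a `fastcgi_split_path_info` directive; if they are not, the fallback should match `\.php(/|$)` so these requests are denied here rather than depending on blocks outside this hunk.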

-- 
To view, visit https://gerrit.wikimedia.org/r/103560
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit niklas.laxst...@gmail.com
Gerrit-Reviewer: Siebrand siebr...@wikimedia.org
Gerrit-Reviewer: jenkins-bot

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Whitelist known php files for nginx - change (translatewiki)

2013-12-24 Thread Nikerabbit (Code Review)
Nikerabbit has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/103560


Change subject: Whitelist known php files for nginx
..

Whitelist known php files for nginx

Prevents execution of random php files through http requests.

Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272
---
M puppet/modules/nginx/files/translatewiki.net
1 file changed, 7 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/translatewiki refs/changes/60/103560/1

diff --git a/puppet/modules/nginx/files/translatewiki.net 
b/puppet/modules/nginx/files/translatewiki.net
index 66ddc05..d291e1e 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -33,13 +33,19 @@
deny all;
}
 
-   location ~* \.php$ {
+   # Allowed php files, case sensitive
+   location ~ 
^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_buffers 16 4k;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME 
$document_root$fastcgi_script_name;
}
 
+   # Deny access to all php files except those above
+   location ~* \.php$ {
+   deny all;
+   }
+
location ~* ^/static/mainpage/.*\.jpg$ {
if ($http_accept ~ image/webp) {
add_header Vary Accept;
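
Review bot: the fallback `location ~* \.php$` with `deny all;` only covers URIs whose last four characters are `.php`, so files such as .php5, .phtml, .inc or backup copies like index.php.bak fall outside both new blocks. They would no longer reach `fastcgi_pass`, but nothing in this hunk stops a static location from returning them as source text. Consider widening the deny pattern to the other PHP-related extensions present in the tree. The comment "except those above" should also say that the exemption depends on the allow block appearing first, since nginx takes the first matching regex location in file order.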

-- 
To view, visit https://gerrit.wikimedia.org/r/103560
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6be28933c97efda0aa67be8565fca7e393f0d272
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit niklas.laxst...@gmail.com
