Bug #63965 [Com]: php-fpm site-specific settings go global
Edit report at https://bugs.php.net/bug.php?id=63965edit=1
ID: 63965
Comment by: 63965 dot phpbug at tomvalentine dot net
Reported by:markku dot niskanen at gmail dot com
Summary:php-fpm site-specific settings go global
Status: Assigned
Type: Bug
Package:FPM related
Operating System: Centos 6.2
PHP Version:5.3.20
Assigned To:fat
Block user comment: N
Private report: N
New Comment:
The problem with this is that when setting a value through fastcgi_param
PHP_ADMIN_VAlUE (or PHP_VALUE) is that when php-fpm receives this value it is
applied only to the child process that receives the request.
E.g. you have a pool of 5 processes, only one of thoses processes gets the
value when the request is passed to it. When the child process is restarted
(after max requests or max time) it loses the PHP_ADMIN_VALUE.
The side effect of this is some unpredictability as by requesting info.php from
another server block, depending on which child process serves out info.php, you
may get different results.
PHP-FPM also has rubbish security as any FCGI client can pass requests to it by
default. E.g. nginx, php/python/perl scripts
You can sometimes limit who can access the php-fpm server by:
- If running as a unix domain socket, set listen.owner listen.group to the
user and group of the webserver which will not work if php-fpm and webserver
are running as the same user and group. And set listen.mode to 0600 so that
only the specified user can connect to it (renders listen.group pointless)
However from fpm.conf Many BSD-derived systems allow connections regardless of
permissions.
- If php-fpm is listening as a TCP server then you have to use a firewall to
limit the connections between FCGI client and PHP-FPM (even if it is through
localhost)
Other similar bugs: 53611 54309
Previous Comments:
[2013-04-19 10:42:54] steven dot hartland at multiplay dot co dot uk
This is a very nasty security risk, with settings applied to trusted hosts
being
leaked to other vhosts.
It essentially means that if PHP_VALUE or PHP_ADMIN_VALUE is used then every
value
set must then be explicitly set for every vhost otherwise the settings leak.
This will also cause random behaviour dependent on request order.
This should be reclassified as security and FPM module
[2013-01-11 10:41:43] markku dot niskanen at gmail dot com
The setup code got broken during upload but you should get the idea.
[2013-01-11 10:40:26] markku dot niskanen at gmail dot com
Description:
# this is an nginx configuration for *.thiscustomer.com
# it should ONLY affect *.thiscustomer.com, no other domains
server {
server_name .thiscustomer.com;
#... normal stuff removed ...
location ~ \.php$ {
# now set for THIS site
fastcgi_param PHP_VALUE
auto_prepend_file=/home/thiscustomer/lib/modules/ThisModule.class.php;
# ..other normal stuff from this on...
}
}
Test script:
---
Now first simply go any other site, say www.thatcustomer.com on the same
server and everything works fine.
Then go to www.thiscustomer.com (the example site) and everything works fine.
Then again go to www.thatcustomer.com and you will see that you will have an
open_basedir restriction, PHP trying to load file (prepending)
/home/thiscustomer/lib/modules/ThisModule.class.php
So the auto_prepend_file value is changed GLOBALLY and permanently until some
other domain changes it again. The same goes for ANY PHP_VALUE or
PHP_ADMIN_VALUE but this is the one that will definitely break all sites.
Tested in PHP 5.3.19 and 5.3.20, two different servers, two different operating
systems (Centos 5.8 and Centos 6.2).
--
Edit this bug report at https://bugs.php.net/bug.php?id=63965edit=1
Bug #63965 [Com]: php-fpm site-specific settings go global
Edit report at https://bugs.php.net/bug.php?id=63965edit=1
ID: 63965
Comment by: 63965 dot phpbug at tomvalentine dot net
Reported by:markku dot niskanen at gmail dot com
Summary:php-fpm site-specific settings go global
Status: Assigned
Type: Bug
Package:FPM related
Operating System: Centos 6.2
PHP Version:5.3.20
Assigned To:fat
Block user comment: N
Private report: N
New Comment:
PS. I wrote up a test script to test the settings on my PHP server:
http://tomvalentine.net/misc/socket.php.txt
Previous Comments:
[2013-05-20 14:22:07] 63965 dot phpbug at tomvalentine dot net
The problem with this is that when setting a value through fastcgi_param
PHP_ADMIN_VAlUE (or PHP_VALUE) is that when php-fpm receives this value it is
applied only to the child process that receives the request.
E.g. you have a pool of 5 processes, only one of thoses processes gets the
value when the request is passed to it. When the child process is restarted
(after max requests or max time) it loses the PHP_ADMIN_VALUE.
The side effect of this is some unpredictability as by requesting info.php from
another server block, depending on which child process serves out info.php, you
may get different results.
PHP-FPM also has rubbish security as any FCGI client can pass requests to it by
default. E.g. nginx, php/python/perl scripts
You can sometimes limit who can access the php-fpm server by:
- If running as a unix domain socket, set listen.owner listen.group to the
user and group of the webserver which will not work if php-fpm and webserver
are running as the same user and group. And set listen.mode to 0600 so that
only the specified user can connect to it (renders listen.group pointless)
However from fpm.conf Many BSD-derived systems allow connections regardless of
permissions.
- If php-fpm is listening as a TCP server then you have to use a firewall to
limit the connections between FCGI client and PHP-FPM (even if it is through
localhost)
Other similar bugs: 53611 54309
[2013-04-19 10:42:54] steven dot hartland at multiplay dot co dot uk
This is a very nasty security risk, with settings applied to trusted hosts
being
leaked to other vhosts.
It essentially means that if PHP_VALUE or PHP_ADMIN_VALUE is used then every
value
set must then be explicitly set for every vhost otherwise the settings leak.
This will also cause random behaviour dependent on request order.
This should be reclassified as security and FPM module
[2013-01-11 10:41:43] markku dot niskanen at gmail dot com
The setup code got broken during upload but you should get the idea.
[2013-01-11 10:40:26] markku dot niskanen at gmail dot com
Description:
# this is an nginx configuration for *.thiscustomer.com
# it should ONLY affect *.thiscustomer.com, no other domains
server {
server_name .thiscustomer.com;
#... normal stuff removed ...
location ~ \.php$ {
# now set for THIS site
fastcgi_param PHP_VALUE
auto_prepend_file=/home/thiscustomer/lib/modules/ThisModule.class.php;
# ..other normal stuff from this on...
}
}
Test script:
---
Now first simply go any other site, say www.thatcustomer.com on the same
server and everything works fine.
Then go to www.thiscustomer.com (the example site) and everything works fine.
Then again go to www.thatcustomer.com and you will see that you will have an
open_basedir restriction, PHP trying to load file (prepending)
/home/thiscustomer/lib/modules/ThisModule.class.php
So the auto_prepend_file value is changed GLOBALLY and permanently until some
other domain changes it again. The same goes for ANY PHP_VALUE or
PHP_ADMIN_VALUE but this is the one that will definitely break all sites.
Tested in PHP 5.3.19 and 5.3.20, two different servers, two different operating
systems (Centos 5.8 and Centos 6.2).
--
Edit this bug report at https://bugs.php.net/bug.php?id=63965edit=1
#48936 [Bgs]: No input file specified on NTFS mount points
ID: 48936 User updated by: phpbug at tomvalentine dot net Reported By: phpbug at tomvalentine dot net Status: Bogus Bug Type: *General Issues Operating System: Windows Vista PHP Version: 5.3.0 New Comment: think the other bug is 48778 -sorry, didn't see this when i searched to see if it had been logged already, I either had the search results with date ascending, and/or didn't use quite the same terms to search with. Previous Comments: [2009-07-16 13:30:39] paj...@php.net and which other bug is it? [2009-07-16 13:28:47] j...@php.net Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Thank you for your interest in PHP. [2009-07-15 22:42:28] phpbug at tomvalentine dot net Description: If a partition is mounted in Windows into an empty folder, as opposed to a drive letter, php-cgi version = 5.3.10 will return No input file specified. and if logging to an error log, log this error: [15-Jul-2009 23:24:36] PHP Warning: Unknown: failed to open stream: No error in Unknown on line 0 The script is called either from the windows command prompt (as administrator), of through nginx/fastcgi server combination n:\ is actually the partition mounted via drive letter c:\torrents is the same partition mounted via empty folder I have also tried the latest snapshots Reproduce code: --- C:\php-5.3.0-nts-Win32-VC6-x86php-cgi -f n:\hi.php -n C:\php-5.3.0-nts-Win32-VC6-x86php-cgi -f c:\torrents\hi.php -n Expected result: hello world (or whatever php script actually does) Actual result: -- No input file specified. -- Edit this bug report at http://bugs.php.net/?id=48936edit=1
#48936 [NEW]: No input file specified on NTFS mount points
From: phpbug at tomvalentine dot net Operating system: Windows Vista PHP version: 5.3.0 PHP Bug Type: *General Issues Bug description: No input file specified on NTFS mount points Description: If a partition is mounted in Windows into an empty folder, as opposed to a drive letter, php-cgi version = 5.3.10 will return No input file specified. and if logging to an error log, log this error: [15-Jul-2009 23:24:36] PHP Warning: Unknown: failed to open stream: No error in Unknown on line 0 The script is called either from the windows command prompt (as administrator), of through nginx/fastcgi server combination n:\ is actually the partition mounted via drive letter c:\torrents is the same partition mounted via empty folder I have also tried the latest snapshots Reproduce code: --- C:\php-5.3.0-nts-Win32-VC6-x86php-cgi -f n:\hi.php -n C:\php-5.3.0-nts-Win32-VC6-x86php-cgi -f c:\torrents\hi.php -n Expected result: hello world (or whatever php script actually does) Actual result: -- No input file specified. -- Edit bug report at http://bugs.php.net/?id=48936edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=48936r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=48936r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=48936r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=48936r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=48936r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=48936r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=48936r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=48936r=needscript Try newer version: http://bugs.php.net/fix.php?id=48936r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=48936r=support Expected behavior: http://bugs.php.net/fix.php?id=48936r=notwrong Not enough info: http://bugs.php.net/fix.php?id=48936r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=48936r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=48936r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=48936r=php4 Daylight Savings:http://bugs.php.net/fix.php?id=48936r=dst IIS Stability: http://bugs.php.net/fix.php?id=48936r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=48936r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=48936r=float No Zend Extensions: http://bugs.php.net/fix.php?id=48936r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=48936r=mysqlcfg
