[PATCH] services: nginx: Harden php-location settings.

Done

Details

3 participants

Jonathan Brielmaier
Tobias Geerinckx-Rice
Bruno Victal

Owner: unassigned

Submitted by: Bruno Victal

Severity: normal

Bruno Victal wrote on 5 Apr 2023 17:34

Recipients:(address . guix-patches@gnu.org)(name . Bruno Victal)(address . mirai@makinata.eu)

Message-ID:ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu

Incorporate advice from [2], which mitigates httpoxy[1] vulnerability and

disallows passing non-php files to the PHP backend.

[1]: https://httpoxy.org/

[2]: https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/,

note 4.

* gnu/services/web.scm (nginx-php-location): Only pass existing php files to

backend. Mitigate httpoxy vulnerability.

---

Tested with: make check-system TESTS="nginx php-fpm"

gnu/services/web.scm | 4 ++++

1 file changed, 4 insertions(+)

Toggle diff (19 lines)diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))

base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
-- 
2.39.2

Jonathan Brielmaier wrote on 5 Apr 2023 22:19

Recipients:(address . 62678@debbugs.gnu.org)

Message-ID:068a52bd-8597-a449-c452-4c110f645ca0@web.de

I wonder if we should at least make the HTTP_PROXY variable
configurable. It may need to be set to something else then "" in some
scenarios. I don't know...

Bruno Victal wrote on 6 Apr 2023 15:11

Recipients:(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)(address . 62678@debbugs.gnu.org)

Message-ID:65a26f2b-0ef5-b9ac-b4df-4e3b73ad4474@makinata.eu

Hi Jonathan,

On 2023-04-05 21:19, Jonathan Brielmaier wrote:

Toggle quote (4 lines)

> I wonder if we should at least make the HTTP_PROXY variable

> configurable. It may need to be set to something else then "" in some

> scenarios. I don't know...

No, there's no legitimate reason for this, since 'PROXY' is not

a standard HTTP header according to [1]. PROXY being passed to a cgi application

as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as

a variable for configuring proxies (for curl, wget, etc.)

Allowing HTTP_PROXY to be set remotely (due to a confusion with the non-standard 'PROXY' header)

is simply incomprehensible.

Regarding user intent, that is, configuring the proxy used by the cgi application by

setting HTTP_PROXY via nginx?

I don't have this use-case but IMO it feels like an extreme poor design, since it's

exploiting a name confusion to change the system environment variables for the

cgi application.

If for some reason you really need this, you can always use the regular

nginx-location-configuration to manually craft a php-location.

[1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml

Cheers,

Bruno

Bruno Victal wrote on 22 Jun 2023 15:33

control-msg

Recipients:(name . control)(address . control@debbugs.gnu.org)

Message-ID:4e7e3d93-01e3-da95-fc0a-fc07dd7e0734@makinata.eu

close 58166

tag 62678 + security

quit

Tobias Geerinckx-Rice wrote on 7 Jul 2023 16:22

Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.

Recipients:(name . Bruno Victal)(address . mirai@makinata.eu)(address . 62678-done@debbugs.gnu.org)

Message-ID:87wmzber45.fsf@nckx

Hi Bruno,

Bruno Victal ???

Toggle quote (9 lines)

> Incorporate advice from [2], which mitigates httpoxy[1]

> vulnerability and

> disallows passing non-php files to the PHP backend.

> [1]: <https://httpoxy.org/>

> [2]:

> <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,

> note 4.

This is a better comment than commit message. I made it so and

pushed your changes as commit

cbc14b3baea457cf2718b85f767d39ff3911ce91.

Thanks!

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCZKggOg0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15N1gA/0p4sLULM7SdMhyD1XLP6pWJ/a4ZmKzdA1lJv98Y

fHE0APwKaqXe+r15WzkH9KX9gtsrvq2OnEfiGTYisoyzEpfRAA==

=EMsW

-----END PGP SIGNATURE-----

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 62678@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date