[PATCH] services: nginx: Harden php-location settings.

Done

Details

3 participants

Jonathan Brielmaier
Tobias Geerinckx-Rice
Bruno Victal

Owner: unassigned

Submitted by: Bruno Victal

Severity: normal

Bruno Victal wrote on 5 Apr 2023 17:34

Recipients:(address . guix-patches@gnu.org)(name . Bruno Victal)(address . mirai@makinata.eu)

Message-ID:ad598ba1ce644a29c997139c82d790a3ac65f4b4.1680708757.git.mirai@makinata.eu

Incorporate advice from [2], which mitigates httpoxy[1] vulnerability and

disallows passing non-php files to the PHP backend.

[1]: https://httpoxy.org/

[2]: https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/,

note 4.

* gnu/services/web.scm (nginx-php-location): Only pass existing php files to

backend. Mitigate httpoxy vulnerability.

---

Tested with: make check-system TESTS="nginx php-fpm"

gnu/services/web.scm | 4 ++++

1 file changed, 4 insertions(+)

Toggle diff (19 lines)diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d56e893527..f5ed027bb4 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1123,6 +1123,10 @@ (define* (nginx-php-location
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))

base-commit: 6311493d7a6271bfbc51f4693857f9a12fe9965d
-- 
2.39.2

Jonathan Brielmaier wrote on 5 Apr 2023 22:19

Recipients:(address . 62678@debbugs.gnu.org)

Message-ID:068a52bd-8597-a449-c452-4c110f645ca0@web.de

I wonder if we should at least make the HTTP_PROXY variable
configurable. It may need to be set to something else then "" in some
scenarios. I don't know...

Bruno Victal wrote on 6 Apr 2023 15:11

Recipients:(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)(address . 62678@debbugs.gnu.org)

Message-ID:65a26f2b-0ef5-b9ac-b4df-4e3b73ad4474@makinata.eu

Hi Jonathan,

On 2023-04-05 21:19, Jonathan Brielmaier wrote:

Toggle quote (4 lines)

> I wonder if we should at least make the HTTP_PROXY variable

> configurable. It may need to be set to something else then "" in some

> scenarios. I don't know...

No, there's no legitimate reason for this, since 'PROXY' is not

a standard HTTP header according to [1]. PROXY being passed to a cgi application

as HTTP_PROXY is what the exploit is about, since HTTP_PROXY is recognized as

a variable for configuring proxies (for curl, wget, etc.)

Allowing HTTP_PROXY to be set remotely (due to a confusion with the non-standard 'PROXY' header)

is simply incomprehensible.

Regarding user intent, that is, configuring the proxy used by the cgi application by

setting HTTP_PROXY via nginx?

I don't have this use-case but IMO it feels like an extreme poor design, since it's

exploiting a name confusion to change the system environment variables for the

cgi application.

If for some reason you really need this, you can always use the regular

nginx-location-configuration to manually craft a php-location.

[1]: https://www.iana.org/assignments/http-fields/http-fields.xhtml

Cheers,

Bruno

Bruno Victal wrote on 22 Jun 2023 15:33

control-msg

Recipients:(name . control)(address . control@debbugs.gnu.org)

Message-ID:4e7e3d93-01e3-da95-fc0a-fc07dd7e0734@makinata.eu

close 58166

tag 62678 + security

quit

Tobias Geerinckx-Rice wrote on 7 Jul 2023 16:22

Re: [bug#62678] [PATCH] services: nginx: Harden php-location settings.

Recipients:(name . Bruno Victal)(address . mirai@makinata.eu)(address . 62678-done@debbugs.gnu.org)

Message-ID:87wmzber45.fsf@nckx

Hi Bruno,

Bruno Victal ???

Toggle quote (9 lines)

> Incorporate advice from [2], which mitigates httpoxy[1]

> vulnerability and

> disallows passing non-php files to the PHP backend.

> [1]: <https://httpoxy.org/>

> [2]:

> <https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/>,

> note 4.

This is a better comment than commit message. I made it so and

pushed your changes as commit

cbc14b3baea457cf2718b85f767d39ff3911ce91.

Thanks!

T G-R

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCZKggOg0cbWVAdG9iaWFz

LmdyAAoJEA2w/4hPVW15N1gA/0p4sLULM7SdMhyD1XLP6pWJ/a4ZmKzdA1lJv98Y

fHE0APwKaqXe+r15WzkH9KX9gtsrvq2OnEfiGTYisoyzEpfRAA==

=EMsW

-----END PGP SIGNATURE-----

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 62678@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 62678

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date