From f860c20a96d9d844aad53f81dfcfc72f30ff977e Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Tue, 28 Jan 2020 19:18:26 +0300 Subject: [PATCH] PHP: added check for the ".php" extension. A check for the ".php" extension is added to prevent execution of files with arbitrary extensions in cases where "index" and "script" options aren't used. --- src/nxt_php_sapi.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/nxt_php_sapi.c b/src/nxt_php_sapi.c index 0f6ce686..26bf915f 100644 --- a/src/nxt_php_sapi.c +++ b/src/nxt_php_sapi.c @@ -599,20 +599,27 @@ nxt_php_request_handler(nxt_unit_request_info_t *req) path.start = nxt_unit_sptr_get(&r->path); if (nxt_php_script_filename.start == NULL) { + nxt_str_null(&script_name); + ctx->path_info.start = (u_char *) strstr((char *) path.start, ".php/"); if (ctx->path_info.start != NULL) { ctx->path_info.start += 4; path.length = ctx->path_info.start - path.start; ctx->path_info.length = r->path_length - path.length; - } - if (path.start[path.length - 1] == '/') { + } else if (path.start[path.length - 1] == '/') { script_name = nxt_php_index; } else { - script_name.length = 0; - script_name.start = NULL; + if (nxt_slow_path(path.length < 4 + || nxt_memcmp(path.start + (path.length - 4), + ".php", 4))) + { + nxt_unit_request_done(req, NXT_UNIT_ERROR); + + return; + } } ctx->script_filename.length = nxt_php_root.length + path.length