Merge pull request #88 from linuxserver/fix-httpoxy-3.14-php8

nemchik · web-flow · commit 8cb49b735b60 · 2021-10-27T09:45:43.000-05:00
Mitigate https://httpoxy.org/ vulnerabilities.
diff --git a/Dockerfile b/Dockerfile
@@ -23,7 +23,11 @@ RUN \
     php8-xmlwriter \
     php8-zlib && \
   echo "**** configure nginx ****" && \
-  echo 'fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \
+  echo 'fastcgi_param  HTTP_PROXY         ""; # https://httpoxy.org/' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  PATH_INFO          $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \
     /etc/nginx/fastcgi_params && \
   rm -f /etc/nginx/http.d/default.conf && \
   echo "**** fix logrotate ****" && \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -23,7 +23,11 @@ RUN \
     php8-xmlwriter \
     php8-zlib && \
   echo "**** configure nginx ****" && \
-  echo 'fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \
+  echo 'fastcgi_param  HTTP_PROXY         ""; # https://httpoxy.org/' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  PATH_INFO          $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \
     /etc/nginx/fastcgi_params && \
   rm -f /etc/nginx/http.d/default.conf && \
   echo "**** fix logrotate ****" && \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
@@ -23,7 +23,11 @@ RUN \
     php8-xmlwriter \
     php8-zlib && \
   echo "**** configure nginx ****" && \
-  echo 'fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;' >> \
+  echo 'fastcgi_param  HTTP_PROXY         ""; # https://httpoxy.org/' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  PATH_INFO          $fastcgi_path_info; # http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html#fastcgi_split_path_info' >> \
+    /etc/nginx/fastcgi_params && \
+  echo 'fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name; # https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/#connecting-nginx-to-php-fpm' >> \
     /etc/nginx/fastcgi_params && \
   rm -f /etc/nginx/http.d/default.conf && \
   echo "**** fix logrotate ****" && \
diff --git a/root/defaults/default b/root/defaults/default
@@ -1,26 +1,26 @@
 server {
-	listen 80 default_server;
+    listen 80 default_server;
 
-	listen 443 ssl;
+    listen 443 ssl;
 
-	root /config/www;
-	index index.html index.htm index.php;
+    root /config/www;
+    index index.html index.htm index.php;
 
-	server_name _;
+    server_name _;
 
-	ssl_certificate /config/keys/cert.crt;
-	ssl_certificate_key /config/keys/cert.key;
+    ssl_certificate /config/keys/cert.crt;
+    ssl_certificate_key /config/keys/cert.key;
 
-	client_max_body_size 0;
+    client_max_body_size 0;
 
-	location / {
-		try_files $uri $uri/ /index.html /index.php?$args =404;
-	}
+    location / {
+        try_files $uri $uri/ /index.html /index.php?$args =404;
+    }
 
-	location ~ \.php$ {
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-		fastcgi_pass 127.0.0.1:9000;
-		fastcgi_index index.php;
-		include /etc/nginx/fastcgi_params;
-	}
+    location ~ ^(.+\.php)(.*)$ {
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
 }
