.htaccess deny code execution not working for Apache + php-fpm #6766

Closed
magenx opened this issue Sep 27, 2016 · 3 comments
Labels
bug report Component: Setup Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development

magenx commented Sep 27, 2016

  1. Magento 2.1.1
  2. cPanel EasyApache 4 (edge)
  3. Apache 2.4 + php-fpm

Steps to reproduce

  1. Upload a PHP file to pub/media/
  2. Execute it in the browser

Expected result

  1. Code execution in some folders must be denied

Actual result

  1. PHP files are executed and work fine

As a quick test, this works for any handler:

```apache
<FilesMatch \.(ph.+|sh.+|htm.+|cgi|[aj]sp|p[ly])$>
Order allow,deny
Deny from all
</FilesMatch>
```

@magenx changed the title from ".htaccess deny code execution in some folders" to ".htaccess deny code execution not working for Apache + php-fpm" Sep 27, 2016
@BaDos BaDos self-assigned this Nov 8, 2016
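
Added example, not part of the original issue or of Magento's code: a Python check of which file names the `FilesMatch` pattern posted above actually matches, approximating Apache's regex match on the file name with `re.search`. The sample names, their expected allow/deny values and `CANDIDATE_PATTERN` are constructed assumptions for illustration; the candidate is hypothetical and is not the fix that was shipped.

```python
import re

# Pattern copied verbatim from the <FilesMatch> line in the post above.
POSTED_PATTERN = r"\.(ph.+|sh.+|htm.+|cgi|[aj]sp|p[ly])$"

# Hypothetical tightened variant (assumption of this example): the suffix
# after ph/sh/htm is optional and may not run across another dot.
CANDIDATE_PATTERN = r"\.(ph[^.]*|sh[^.]*|htm[^.]*|cgi|[aj]sp|p[ly])$"

# Constructed samples: (file name, should it be denied?). The expected values
# are this example's reading of the rule's intent, not taken from the issue.
SAMPLES = [
    ("probe.php", True), ("probe.php5", True),
    ("probe.phtml", True), ("probe.phar", True),
    ("probe.sh", True), ("probe.shtml", True),
    ("probe.htm", True), ("probe.html", True),
    ("probe.cgi", True), ("probe.asp", True), ("probe.jsp", True),
    ("probe.pl", True), ("probe.py", True),
    ("photo.jpg", False), ("style.css", False),
    ("banner.photo.jpg", False),  # ordinary media file with a dotted name
]


def denied(name, pattern=POSTED_PATTERN):
    """True if the pattern matches the file name (unanchored search)."""
    return re.search(pattern, name) is not None


def gaps(pattern=POSTED_PATTERN, samples=SAMPLES):
    """Names that should be denied but are not matched by the pattern."""
    return [n for n, want in samples if want and not denied(n, pattern)]


def overblocked(pattern=POSTED_PATTERN, samples=SAMPLES):
    """Names that should be served but are matched (denied) by the pattern."""
    return [n for n, want in samples if not want and denied(n, pattern)]


if __name__ == "__main__":
    for label, pat in (("posted", POSTED_PATTERN), ("candidate", CANDIDATE_PATTERN)):
        print(label, "gaps:", gaps(pat), "overblocked:", overblocked(pat))
```

In the posted pattern, `sh.+` and `htm.+` require at least one character after the prefix, so bare `.sh` and `.htm` names are not matched, while the greedy `ph.+` also matches `banner.photo.jpg`. Running the same check against any pattern you plan to deploy shows both kinds of mismatch before the rule goes live.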

BaDos commented Nov 8, 2016

Hi, @magenx

Thank you for your feedback!
Internal ticket MAGETWO-60633 was created.

@BaDos BaDos added the Issue: Ready for Work Gate 4. Acknowledged. Issue is added to backlog and ready for development label Nov 8, 2016
mmansoor-magento pushed a commit that referenced this issue Nov 11, 2016
Fixed issues:
- MAGETWO-60647: Delivery of bug fixes for Sample Data and Import/Export
- MAGETWO-56787: [GITHUB][PR] Added call to action to compile command error #4134
- MAGETWO-56786: [GITHUB][PR] Ensure composer.json exists #4121
- MAGETWO-57799: cannot upgrade 2.0 => 2.1 with auto_increment > 1
- MAGETWO-59715: Impossible to import additional_images with labels which have a comma separator
- MAGETWO-60633: [Github] .htaccess deny code execution not working for Apache + php-fpm #6766
- MAGETWO-46636: Nginx doesn't redirect to setup page when using port
@veloraven
Contributor

This issue was fixed for develop branch.
Closed.

@korostii
Contributor

Hi @veloraven,
This seems to be a security issue.
Is there a backport planned to 2.0.x and 2.1.x?
