Nginx+PHP 解决跨站漏洞
下载php源码,执行./configure命令,然后修改main/fopen_wrappers.c文件
/* Check if the path is too long so we can give a more useful error
* message. */
if (strlen(path) > (MAXPATHLEN - 1)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "File name is longer than the maximum allowed path length on this platform (%d): %s", MAXPATHLEN, path);
errno = EINVAL;
return -1;
}
* message. */
if (strlen(path) > (MAXPATHLEN - 1)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "File name is longer than the maximum allowed path length on this platform (%d): %s", MAXPATHLEN, path);
errno = EINVAL;
return -1;
}
在此段后面添加如下代码
char *env_doc_root;
if(PG(doc_root)){
env_doc_root = estrdup(PG(doc_root));
}else{
env_doc_root = sapi_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT")-1 TSRMLS_CC);
}
if(env_doc_root){
int res_root = php_check_specific_open_basedir(env_doc_root, path TSRMLS_CC);
efree(env_doc_root);
if (res_root == 0) {
return 0;
}
if (res_root == -2) {
errno = EPERM;
return -1;
}
}
if(PG(doc_root)){
env_doc_root = estrdup(PG(doc_root));
}else{
env_doc_root = sapi_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT")-1 TSRMLS_CC);
}
if(env_doc_root){
int res_root = php_check_specific_open_basedir(env_doc_root, path TSRMLS_CC);
efree(env_doc_root);
if (res_root == 0) {
return 0;
}
if (res_root == -2) {
errno = EPERM;
return -1;
}
}
即可解决php+nginx因nginx产生的跨站安全问题
当然还有其他办法,但是此法根治
修改后
make ZEND_EXTRA_LIBS='-liconv'
make install
之后修改php.ini
军哥的是/usr/local/php/etc/php.ini
open_basedir = "/tmp/:/var/tmp/"
修改后重启下php进程就生效了
另,修改后,探针将看不到VPS CPU 内存 uptime等信息
如需要开启探针,则修改上面的PHP.INI为
open_basedir = "/tmp/:/var/tmp/:/proc/"
即可
浙公网安备 33010602011771号