From 8ba5a4889f77b5f8eddd09806f918a31bd27ec06 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Tue, 2 Feb 2021 19:30:03 +0100
Subject: [PATCH] copr: backend: execute PHP only for dir-generator.php
---
 .../backend/templates/lighttpd/lighttpd.conf | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/roles/copr/backend/templates/lighttpd/lighttpd.conf b/roles/copr/backend/templates/lighttpd/lighttpd.conf
index 6b4e067820..fa03a1eb57 100644
--- a/roles/copr/backend/templates/lighttpd/lighttpd.conf
+++ b/roles/copr/backend/templates/lighttpd/lighttpd.conf
@@ -88,8 +88,6 @@ server.modules = (
 {% endif %}
 )
-cgi.assign = ( ".php" => "/usr/bin/php-cgi" )
-
 ##
 #######################################################################
@@ -309,9 +307,26 @@ server.max-keep-alive-idle = 2
 ## index-file.names = ( "index.php", "index.rb", "index.html",
 ##                      "index.htm", "default.htm" )
 ##
+
+# Warning: This is sooo ugly.
+#
+# We only ever want to enable PHP CGI for the index generator file
+# 'dir-generator.phpj, nothing else - so people can not execute their own
+# scripts. IOW, non-conditional 'cgi.assign' can not be used!
+#
+# To make 'index-file.names' work correctly, we have to set 'cg.assign'
+# conditionally only on paths that both (a) end by slash (= directories) and
+# (b) do not contain 'dir-generator' string. This guards against
+# '/some/dir-generator.php/' hacks.
+
 index-file.names = ( "/dir-generator.php" )
+$HTTP["url"] =~ "/$" {
+    $HTTP["url"] !~ "dir-generator" {
+        cgi.assign = ( "/dir-generator.php" => "/usr/bin/php-cgi" )
+    }
+}
 ##
 ## deny access the file-extensions
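Review bot: The comment block added in the second hunk has two typos that will mislead whoever maintains this rule: `'dir-generator.phpj,` should read `'dir-generator.php',` and `'cg.assign'` should read `'cgi.assign'`. Because the first hunk drops the global `.php` mapping, any other `.php` file under the document root is now served verbatim instead of executed, so if a helper or include file with configuration ever lands there it becomes downloadable source; that consequence is worth a sentence in the comment or a check that no such file exists. The `$HTTP["url"] !~ "dir-generator"` exclusion is an unanchored substring match, which fails safe (no CGI at all) but also switches the index generator off for any legitimate directory whose URL merely contains that string. If that false positive matters, anchoring to the file name, e.g. `$HTTP["url"] !~ "dir-generator[.]php/"`, still rejects the `/some/dir-generator.php/` case the comment describes; the outer `"/$"` condition already guarantees the trailing slash. The hunk's trailing context lines may continue past the end of the visible page.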