From f736ed7ef935bd81f7850e4370eb747a1b474c42 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Fri, 10 Dec 2021 18:20:04 +0100
Subject: [PATCH] copr-be: dir-generator fix once more
Seems like with lighttpd v1.4.61 we finally can match the index file request against the rewritten url, so it is secure! This allows us to prettily restrict the configuration to load the php script from only one possible location.
---
 .../backend/templates/lighttpd/lighttpd.conf | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/roles/copr/backend/templates/lighttpd/lighttpd.conf b/roles/copr/backend/templates/lighttpd/lighttpd.conf
index 4becc3df4e..5da09c8f9e 100644
--- a/roles/copr/backend/templates/lighttpd/lighttpd.conf
+++ b/roles/copr/backend/templates/lighttpd/lighttpd.conf
@@ -304,24 +304,16 @@ server.max-keep-alive-idle = 2
 ## "index.htm", "default.htm" )
 ##
-# Warning: This is sooo ugly.
-#
 # We only ever want to enable PHP CGI for the index generator file
 # 'dir-generator.php', nothing else - so we are sure our users can not execute
-# their own scripts. Therefore non-conditional 'cgi.assign' config can not be
-# used.
-#
-# But to make the 'index-file.names' work correctly, we still have to set
-# 'cgi.assign' conditionally - the trick is to do this only on paths that both
-# (a) end with slash (= directories) and (b) do not contain 'dir-generator'
-# string (guard against '/some/dir-generator.php/' or alike hacks).
+# their own scripts. Therefore only conditional 'cgi.assign' can be used.
+
 index-file.names = ( "/dir-generator.php" )
-$HTTP["url"] =~ "/$" {
- $HTTP["url"] !~ "dir-generator" {
- cgi.assign = ( "/dir-generator.php" => "/usr/bin/php-cgi" )
- }
+
+$HTTP["url"] == "/dir-generator.php" {
+ cgi.assign = ( "/dir-generator.php" => "/usr/bin/php-cgi"
 }
 ##
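Review bot: The added `cgi.assign` line inside the new `$HTTP["url"] == "/dir-generator.php"` block has no closing `)` as shown here, so unless the character was lost in extraction lighttpd will refuse to parse the file; it should read `cgi.assign = ( "/dir-generator.php" => "/usr/bin/php-cgi" )`. The exact-match condition is tighter than the removed regex pair, but per the commit message it only works because lighttpd v1.4.61 evaluates the condition against the rewritten index-file URL, and nothing in the template records that dependency. On an older lighttpd the block would presumably never match for directory requests, and the generator script would then be served as a static file rather than executed. I would add a comment above the block such as `# Requires lighttpd >= 1.4.61: the condition must be evaluated against the index-file rewritten URL.`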