PHP-FPM Chroot with cgi.fix_pathinfo=0 causes Access to the script has been denied

Discussion in 'Developers' Forum' started by branov, Apr 1, 2020.

  1. branov

    branov Member

    In website set up with FPM Chroot enabled and accessing to Prestashop URL like example.com/admin813pcfrzb/index.php/configure/advanced/emails/ I got error Access to the script has been denied (see security.limit_extensions)

    I can see in the ''php_fpm_pool.conf.master'' condition:

    Code:
    <tmpl_if name='php_fpm_chroot'>
    chroot = <tmpl_var name='php_fpm_chroot_dir'>
    php_admin_value[doc_root] = <tmpl_var name='php_fpm_chroot_web_folder'>
    php_admin_value[cgi.fix_pathinfo] = 0
    </tmpl_if>
    
    there is cgi.fix_pathinfo value configured to 0.

    May I ask you why is this configuration there? Why you change this value (I have in my default php.ini configured value to 1) to false?

    Refer to this https://serverfault.com/a/701500 there should be enough when is configured ''security.limit_extensions'' variable. The referred post however did not mention about chroot enviroment. So, there is the reason why I am asking if there is some special condition which requires to set this value to 0 and what should be the best solution of problem described above regarding to cgi.fix_pathinfo.

    Thanks.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Does prestashop work with cgi.fix_pathinfo = 1?

    I can't answer why that is done, but my guess is it might be a misunderstanding of what cgi.fix_pathinfo does (eg. thinking it fixes the path info relative to the chroot), or maybe simply following some old, bad advice (such as the first comments at http://auntitled.blogspot.com/2011/10/chroot-php-fpm-and-apache.html, which is the first link I got in one of my google searches).
     
  3. branov

    branov Member

    Yes, Prestashop works perfectly with cgi.fix_pathinfo = 1

    That's the reason why I am confused about this forced setting and the reason why I am asking if this is not obsolete already and should be changed. PHP's default is cgi.fix_pathinfo = 1
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I haven't implemented the chroot feature myself, so I can't tell you why it was set like this. It might be that it's wrong and can be changed or removed.
     
  5. branov

    branov Member

    We completely migrated to FPM chroot with ISPConfig. This was the first issue we detected and after all my research I guess, this option / line we talk about could be removed/changed. I will do some more testing with Wordpress and some other opensource systems. What are the steps I can do regarding removing this? Post this issue into git issue tracker or push merge request to ispconfig git repository from my git fork with this change?
     
    Jesse Norell likes this.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Both/Either. That is a one line change (delete that line), you can even use the 'edit file' feature in gitlab to quickly create a merge request.
     
  7. branov

    branov Member

    Ok, understand. Thanks. After couple more tests and final confirmation I will do that.
     

Share This Page