New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/status?json&full is not suppressed when access.suppress_path used #10116
Comments
Any idea? |
@theophileds I just tested it with the docker container directly with my fastcgi client as well as with nginx but don't see the issue (it's correctly suppressing /status for me). My config is following:
The whole setup is here: https://github.com/bukka/php-util/tree/19f627bb491c17675c893d7161d3bf07dd00e730/tests/fpm/access-suppress-path-status - if you want to run it locally, you will need to modify nginx pid and root file or just create nginx in the container (I was lazy to do that as I have got already local nginx setup...). Would you be able to create a similar setup (feel free to use docker compose if that's easier) where the issue is visible or at least describe in detail steps how to reproduce it. |
Thank you @bukka for your answer. I've got some exciting news to share! I was able to successfully hide /status requests using the command
However, I noticed that some /status requests are still being logged from the php-fpm_exporter. I used tcpdump to inspect the network frames, and after further investigation, I discovered that the following parameters were used:
I've finally managed to understand that the faulty parameter was QUERY_STRING as when I set it back to an empty string, the requests were no longer being logged. |
Ah I see. This looks to me like this was done on purpose: php-src/sapi/fpm/fpm/fpm_log.c Lines 498 to 501 in 3030d95
/status* ) and / or explicit suppression of queries (/status?json&full ) could be introduced.
@maaarghk is the original author of this feature so might be also good to hear is thoughts on this. |
Ah yeah, the intention here was to ensure things like bots making attempts at SQL injection or other vulns couldn't sneak them in behind the suppression. I do think that it's worthwhile to keep that in since some big frameworks with spotty security records use things like a health_check.php which loads up a large surface area to test database connections can be made. Explicit suppression of specific query strings feels like a good middle ground to me. |
I'm realising from the initial post that %Q%q must not be in the default access.format which I suppose is sort of ironic. |
I put it on my list but I have got bunch of other priorities so it might take me some time. Of course I would be happy to review a PR if someone else implements it sooner. |
@bukka I took a look at this because it seems simple enough on the surface but left with far more questions than I entered :) There is a solution which feels sort of tidy to me, which is to update fpm access log so that REQUEST_URI is optional because the cgi spec itself doesn't define it, and there are definitely widely used status check implementations out there which don't send it (manual and php-fpm-healthcheck) hence the fallback. Currently Anyway, I feel like you probably understand the context and reasons behind this, so I suppose the questions summarise to:
|
@maaarghk I have done some investigation and I think we should not change
Access log In terms of this issue I think we just need to do filtering on |
yes I meant Back on topic: The issue with filtering on
I suppose you can see the related issue that if someone who uses a front-controller + router wants the actual request URI in their fpm access log right now, On wildcards I do think it's a bit of a foot gun for the php script / front-controller use cases where potentially a wide surface area is loaded in and might be exploitable from |
I think we could get around a need for extra buffer by comparing parts of the filtered path with
This is very simplified as some further checks would need to be done (e.g. if path info or query set) but hopefully you get the idea.
Are you sure about this? I thought that the REQUEST_URI would be usually |
Hello, in case someone else is having this issue, a quick workaround is to use the separate socket for status endpoints offered by PHP-FPM with
You don't even need to add the |
Description
The following php-fpm configuration is supposed to not log requests made on /status:
However, the Docker container running from the image php:8.2-fpm, is still logging it:
Is this the expected behavior?
PHP Version
8.2.0
Operating System
No response
The text was updated successfully, but these errors were encountered: