enforce php default document_root behaviour, to not show external files

unbit · Feb 17, 2018 · 0a480f4 · 0a480f4
1 parent b4d7422
commit 0a480f4
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/plugins/php/php_plugin.c b/plugins/php/php_plugin.c
@@ -17,6 +17,7 @@ struct uwsgi_php {
 	struct uwsgi_string_list *vars;
 	struct uwsgi_string_list *constants;
 	char *docroot;
+	size_t docroot_len;
 	char *app;
 	char *app_qs;
 	char *fallback;
@@ -631,6 +632,8 @@ int uwsgi_php_init(void) {
 			uwsgi_log("unable to set php docroot to %s\n", orig_docroot);
 			exit(1);
 		}
+		uwsgi_log("PHP document root set to %s\n", uphp.docroot);
+		uphp.docroot_len = strlen(uphp.docroot);
 	}
 
 	if (uphp.sapi_name) {
@@ -849,6 +852,7 @@ int uwsgi_php_request(struct wsgi_request *wsgi_req) {
 	free(filename);
 	real_filename_len = strlen(real_filename);
 
+	// first check for valid doc roots
 	if (uphp.allowed_docroot) {
 		struct uwsgi_string_list *usl = uphp.allowed_docroot;
 		while(usl) {
@@ -861,6 +865,16 @@ int uwsgi_php_request(struct wsgi_request *wsgi_req) {
 		uwsgi_log("PHP security error: %s is not under an allowed docroot\n", real_filename);
 		return -1;
 	}
+	// then for default docroot (if any)
+	else if (uphp.docroot)
+	{
+		if (!uwsgi_starts_with(real_filename, real_filename_len, uphp.docroot, uphp.docroot_len)) {
+			goto secure;
+		}
+		uwsgi_403(wsgi_req);
+		uwsgi_log("PHP security error: %s is not under the default docroot\n", real_filename);
+		return -1;
+	}
 
 secure: