From 3bd8b8115414ca3167068fec8d3f080c8ee67404 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 7 Sep 2020 05:43:20 -0400 Subject: [PATCH 1/3] Prevents Apache from serving CLI scripts --- .gitignore | 4 ++-- .htaccess-dist | 3 +++ bin/.htaccess | 10 ++++++++++ 3 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 bin/.htaccess diff --git a/.gitignore b/.gitignore index 2d8acf0160..3250fb0761 100644 --- a/.gitignore +++ b/.gitignore @@ -71,8 +71,8 @@ venv/ /addons /addon -#ignore .htaccess -.htaccess +#ignore base .htaccess +/.htaccess #ignore filesystem storage default path /storage diff --git a/.htaccess-dist b/.htaccess-dist index a671cc680a..3c90982515 100644 --- a/.htaccess-dist +++ b/.htaccess-dist @@ -1,3 +1,6 @@ +# This file is meant to be copied to ".htaccess" on Apache-powered web servers. +# The created .htaccess file can be edited manually and will not be overwritten by Friendica updates. + Options -Indexes AddType application/x-java-archive .jar AddType audio/ogg .oga diff --git a/bin/.htaccess b/bin/.htaccess new file mode 100644 index 0000000000..716a932e1c --- /dev/null +++ b/bin/.htaccess @@ -0,0 +1,10 @@ +# This file prevents browser access to Friendica command-line scripts on Apache-powered web servers. +# It isn't meant to be edited manually, please check the base Friendica folder for the .htaccess-dist file instead. + + + Require all denied + + + Order Allow,Deny + Deny from all + From 06632536f3a93dbe33cdc2aa67d9daad191ac696 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 7 Sep 2020 05:51:26 -0400 Subject: [PATCH 2/3] Forbid non-CLI access to command-line scripts --- bin/auth_ejabberd.php | 5 +++++ bin/console.php | 5 +++++ bin/daemon.php | 5 +++++ bin/testargs.php | 4 ++++ bin/wait-for-connection | 5 +++++ bin/worker.php | 5 +++++ 6 files changed, 29 insertions(+) diff --git a/bin/auth_ejabberd.php b/bin/auth_ejabberd.php index fa71faf263..e921829163 100755 --- a/bin/auth_ejabberd.php 
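Review bot: The header comment of bin/.htaccess says the file prevents browser access to the scripts, but that only holds where the server configuration grants `AllowOverride` covering these directives for the directory (`Limit` for `Order`/`Deny`, `AuthConfig` for `Require`); under `AllowOverride None` Apache silently ignores the file and the scripts stay reachable, so the comment should state the precondition, e.g. `# Effective only if AllowOverride permits Limit/AuthConfig for this directory; otherwise deny bin/ in the server configuration.` The two directive sets look like the Apache 2.4 (`Require all denied`) and 2.2 (`Order Allow,Deny` / `Deny from all`) forms; whatever encloses them is not visible in this rendering, so I cannot confirm each is guarded by the matching `<IfModule>` test. The .htaccess-dist comment added in the same patch could carry the same hint so operators of the base folder see it too.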
+++ b/bin/auth_ejabberd.php @@ -51,6 +51,11 @@ * */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} + use Dice\Dice; use Friendica\App\Mode; use Friendica\Util\ExAuth; diff --git a/bin/console.php b/bin/console.php index 27522d8554..4d5b4c79c2 100755 --- a/bin/console.php +++ b/bin/console.php @@ -20,6 +20,11 @@ * */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} + use Dice\Dice; use Psr\Log\LoggerInterface; diff --git a/bin/daemon.php b/bin/daemon.php index 596f4de56f..3fe803d6fc 100755 --- a/bin/daemon.php +++ b/bin/daemon.php @@ -23,6 +23,11 @@ * This script was taken from http://php.net/manual/en/function.pcntl-fork.php */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} + use Dice\Dice; use Friendica\Core\Logger; use Friendica\Core\Worker; diff --git a/bin/testargs.php b/bin/testargs.php index b7d7125f7a..9aed353037 100644 --- a/bin/testargs.php +++ b/bin/testargs.php @@ -26,6 +26,10 @@ * */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) { echo $_SERVER["argv"][1]; diff --git a/bin/wait-for-connection b/bin/wait-for-connection index b6c03a6705..de860e9849 100755 --- a/bin/wait-for-connection +++ b/bin/wait-for-connection @@ -24,6 +24,11 @@ * Usage: php bin/wait-for-connection {HOST} {PORT} [{TIMEOUT}] */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} + $timeout = 60; switch ($argc) { case 4: diff --git a/bin/worker.php b/bin/worker.php index 1b70a20955..833e5b0020 100755 --- a/bin/worker.php +++ b/bin/worker.php 
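Review bot: `$_SERVER["SERVER_PROTOCOL"]` is read without a fallback on the `header()` line of the added guard, so under a non-web SAPI where it is unset — `php-cgi` run from a shell or cron reports `cgi-fcgi`, and some hosts ship that as the only `php` binary — the guard fires, raises an undefined-index notice/warning and refuses a legitimate run. `http_response_code(403); exit();` sets the status without touching `$_SERVER`, and comparing the `PHP_SAPI` constant instead of calling `php_sapi_name()` is the usual idiom. The identical block is pasted into console.php, daemon.php, testargs.php, wait-for-connection and worker.php in this patch; a single guard file `require`d by each entry point would keep the six copies from drifting. The enclosing files continue outside the hunks.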
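Review bot: In the testargs.php hunk the added `+}` runs straight into the existing `if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) {` line, whereas the other five scripts in this patch separate the guard from the following code with an added empty line. Adding the blank line after `}` keeps the six entry points formatted alike.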
@@ -21,6 +21,11 @@ * Starts the background processing */ +if (php_sapi_name() !== 'cli') { + header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden'); + exit(); +} + use Dice\Dice; use Friendica\App; use Friendica\Core\Update; From ae045eff41f2199a631a46f2dc265f3786406dda Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Mon, 7 Sep 2020 05:51:58 -0400 Subject: [PATCH 3/3] Update nginx sample config with location deny for bin/ folder --- mods/sample-nginx.config | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/mods/sample-nginx.config b/mods/sample-nginx.config index 71d3785516..b90e1fe29f 100644 --- a/mods/sample-nginx.config +++ b/mods/sample-nginx.config @@ -141,4 +141,9 @@ server { location ~ /\. { deny all; } + + # deny access to the CLI scripts + location ^~ /bin { + deny all; + } }
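Review bot: The prefix location `location ^~ /bin {` matches every URI beginning with those four characters, not only the bin/ directory, so a future route such as `/binary` or `/bin-export` (constructed examples) would be denied as well. If that is unintended, `location ^~ /bin/ {` restricts the rule to the directory; a request for bare `/bin` then falls through to the existing rules, presumably a directory redirect or the front controller, which is worth checking. The enclosing `server` block starts outside the hunk.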