Block access to all php and phar files that are uploaded into the media folder

Jan Böhmer 2026-06-07 20:40:15 +02:00
parent c2ec0ee12b
commit 6e5d1c967f
5 changed files with 29 additions and 1 deletions


@ -51,5 +51,9 @@
# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
header ?Permissions-Policy "browsing-topics=()" header ?Permissions-Policy "browsing-topics=()"
# Prevent PHP execution in the media upload directory
@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$
respond @php_in_media 403
php_server php_server
} }
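Review bot: The `respond @php_in_media 403` on L16 only runs before PHP is invoked because Caddy's built-in directive order places `respond` ahead of `php_server`; nothing in the hunk records that dependency, so a later move of these lines into a `route`/`handle` block could reorder them without anyone noticing. A comment such as `# must be evaluated before php_server — relies on Caddy's directive ordering (respond precedes php_server)` next to the matcher would pin that. The `$` anchor in the `path_regexp` also means a path-info style URI like `/media/x.php/anything` is not matched; whether php_server's `split_path` handling would then execute the script I can't tell from this hunk, so `\.(php[3-8]?|phar|phtml|pht|phps)(/|$)` is the cheap hardening. The same extension list is duplicated in the nginx, Apache and public/media/.htaccess hunks; the comment should say all four must be kept in sync.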


@ -15,6 +15,14 @@
AllowOverride All AllowOverride All
</Directory> </Directory>
# Prevent PHP execution in the media upload directory (server-level, not .htaccess,
# because public/media is a Docker volume and .htaccess there may not be present)
<Directory /var/www/html/public/media>
<FilesMatch "(?i)\.(php[3-8]?|phar|phtml|pht|phps)$">
Require all denied
</FilesMatch>
</Directory>
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn, # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg. # error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular # It is also possible to configure the loglevel for particular
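Review bot: The new `<Directory /var/www/html/public/media>` block on L27 inherits the `AllowOverride All` visible on L23 (presumably set on the enclosing public directory), so any `.htaccess` that lands inside the media volume can override `Require all denied` or map additional extensions to the PHP handler; adding `AllowOverride None` inside this block closes that, and the shipped public/media/.htaccess becomes redundant rather than harmful in the Docker image. If mod_php is the handler in this image (likely, but verify), `php_admin_flag engine off` in the same block disables execution for every file under the tree regardless of its name, which is stronger than an extension deny list. The FilesMatch `$` anchor on L28 also leaves multi-extension names such as `x.php.jpg` to whatever `AddHandler`/`SetHandler` mapping the host uses; `\.(php[3-8]?|phar|phtml|pht|phps)(\.|$)` covers that case, and the same pattern should then be applied in public/media/.htaccess (L63).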


@ -53,6 +53,11 @@ server {
return 404; return 404;
} }
# Prevent PHP execution in the media upload directory
location ~* ^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$ {
return 403;
}
# Set Content-Security-Policy for svg files, to block embedded javascript in there # Set Content-Security-Policy for svg files, to block embedded javascript in there
location ~* \.svg$ { location ~* \.svg$ {
add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"; add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
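Review bot: The new `location ~*` block on L42 only takes effect because nginx evaluates regex locations in file order and stops at the first match; if it is later moved below a `location ~ \.php` block that forwards to FastCGI, the 403 silently stops applying. A comment such as `# keep above any regex location that passes PHP to fastcgi: first matching regex location wins` would document that. As in the Caddy hunk, the `$` anchor does not match a path-info style URI like `/media/x.php/foo`; if any fastcgi location in this server block matches `\.php(/|$)`, use `\.(php[3-8]?|phar|phtml|pht|phps)(/|$)` here so the two stay in step. The enclosing `server` block starts and ends outside the hunk.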


@ -1,3 +1,4 @@
# Ignore everything except this .gitignore # Ignore everything except this .gitignore
* *
!.gitignore !.gitignore
!.htaccess

10
public/media/.htaccess Normal file

@ -0,0 +1,10 @@
# Deny access to PHP and PHP-like files to prevent remote code execution
<FilesMatch "(?i)\.(php[3-8]?|phar|phtml|pht|phps)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</FilesMatch>
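Review bot: This file is only honoured when the enclosing directory's `AllowOverride` permits it — `Require` on L65 needs `AuthConfig`, `Order`/`Deny` on L68-L69 need `Limit` — and on a vhost with `AllowOverride None` it is silently ignored, so the header comment on L62 should state that, e.g. `# Requires AllowOverride AuthConfig (Apache 2.4) or Limit (2.2) on the media directory; nginx and Caddy ignore this file and carry their own rules`. Where mod_php is the handler, `php_flag engine off` (permitted in .htaccess) alongside the FilesMatch turns off execution for every file here regardless of extension. Because the file lives inside the upload directory itself, it is only as durable as the uploader's refusal to write dotfiles or overwrite it; I can't tell from this commit whether that is enforced, so it is worth confirming.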