Comments (4)
Temporarily, if someone needs the updated image, you can find it here (forked from this repo). I set it up in docker hub to rebuild the images automatically if the base image is updated.
from php-fpm.
(I think) Laradock is not exploitable by default.
To be vulnerable you need a specific configuration in nginx, such as:
The full list of preconditions
- Nginx + php-fpm, `location ~ [^/]\.php(/|$)` must be forwarded to php-fpm (maybe the regexp can be stricter, see this).
- The fastcgi_split_path_info directive must be there and contain a regexp starting with ^ and ending with $, so we can break it with a newline character.
- There must be a PATH_INFO variable assignment via statement fastcgi_param PATH_INFO $fastcgi_path_info;. Also SCRIPT_FILENAME must be set using fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; (there might be a constant path instead of $document_root). At first, we thought these are always present in the fastcgi_params file, but it's not true.
- No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.
- This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see below).
So when looking at the nginx default.conf laradock is not vulnerable, BUT it will be a GOOD idea to update it.
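The precondition list above as a config audit, added here and not part of the thread or of laradock/php-fpm: the two nginx location blocks are constructed samples, the first matching every precondition and the second adding the `try_files $uri =404;` check named as the easiest patch. The audit only sees the text it is given, so a `PATH_INFO` assignment hidden inside an `include`d file is not followed.

```python
import re

# Constructed sample: a location block that satisfies every precondition listed above.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass php-fpm:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
"""

# Constructed sample: the same block with the file-existence check added before forwarding.
PATCHED_CONF = VULNERABLE_CONF.replace(
    "    fastcgi_pass", "    try_files $uri =404;\n    fastcgi_pass", 1)


def audit_php_location(conf: str) -> dict:
    """Map each precondition from the list above to True when the given text satisfies it.

    Only the supplied text is inspected; 'include fastcgi_params;' is not resolved.
    """
    text = re.sub(r"#[^\n]*", "", conf)  # drop nginx comments
    split = re.search(r"fastcgi_split_path_info\s+(\S+)\s*;", text)
    findings = {
        # location ~ ...\.php... { ... fastcgi_pass ...; }
        "php_location_to_fpm": bool(re.search(r"location\s+~\s+\S*\\\.php\S*\s*\{", text))
        and bool(re.search(r"\bfastcgi_pass\s", text)),
        # regexp anchored with ^ ... $ (the part a newline can break)
        "split_path_info_anchored": bool(split)
        and split.group(1).startswith("^") and split.group(1).endswith("$"),
        "path_info_from_split": bool(re.search(
            r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", text)),
        "script_filename_set": bool(re.search(
            r"fastcgi_param\s+SCRIPT_FILENAME\s+\S*\$fastcgi_script_name\s*;", text)),
        # neither try_files $uri =404 nor if (-f $uri) guards the forward
        "no_existence_check": not re.search(
            r"try_files\s+\$uri\s+=404|if\s*\(\s*-f\s+\$uri\s*\)", text),
    }
    findings["all_preconditions_met"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("patched", PATCHED_CONF)):
        print(name, audit_php_location(conf))
```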
Thanks @jrbecart. I agree with your assessment, which is why I have left it unpatched at the moment (vs. creating my own base image). But as you said, it would be a good idea to update it anyway. And since, from what I can tell, there isn't really any work except to re-run the build, I thought this issue would turn around quickly.
Now, auto build and push image to Docker Hub every week.
https://github.com/laradock/php-fpm/actions