Question
php-fpm security.limit_extension issue
I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:
2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: “Access to the script ’/srv/test/index.php/author-login’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: “GET /index.php/author-login HTTP/1.1”, upstream: “fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:”, host: “xxx.xxx”, referrer: “xxx.xxx”
How can I repair security.limit_exceptions?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×
looks like it is trying to append your request to index.php
If you uncomment the following line (in www.conf)(or append it to the config file for your php-fpm pool):
and just add the necessary extensions.
To allow all extensions just leave the space after it blank:
Then restart php-fpm and you should be good to go
Thanks for this @tomearl98. Fixed my issue!
Note, for Ubuntu users - the file is:
This is a extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.
Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in to be executed.
This isn’t to say you should entirely rely on extensions limits, and not protect the upload path though.