Question

php-fpm security.limit_extension issue

I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:

2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: “Access to the script ‘/srv/test/index.php/author-login’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: “GET /index.php/author-login HTTP/1.1”, upstream: “fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:”, host: “xxx.xxx”, referrer: “xxx.xxx

How can I repair security.limit_exceptions?


This is an extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.

Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in to be executed.

This isn’t to say you should entirely rely on extensions limits, and not protect the upload path though.

If you uncomment the following line (in www.conf)(or append it to the config file for your php-fpm pool):

security.limit_extensions = .php .php3 .php4 .php5

and just add the necessary extensions.

To allow all extensions just leave the space after it blank:

security.limit_extensions = 

Then restart php-fpm and you should be good to go.

Thanks for this @tomearl98. Fixed my issue!

Note, for Ubuntu users - the file is:

/etc/php5/fpm/php-fpm.conf


Looks like it is trying to append your request to index.php.



Just to add a simple fix for the problems I was having. Mine was a small mistake in the nginx config that made PHP-FPM try to deal with all the files (.js, .jpg, etc.). This was because I had

location / {

All I had to do was change this so FPM only dealt with PHP files:

location ~ /.*\.php$ {


FPM’s security.limit_extension setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php. It can be configured in /etc/php5/fpm/pool.d/www.conf

Though your issue likely is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:

cgi.fix_pathinfo=0

See our tutorial on setting up Nginx and PHP for more info.


Using PHP-FPM

If I set

cgi.fix_pathinfo=0

Then I get an access denied message from ownCloud. And I could not make it work by uncommenting

security.limit_extensions = .php .php3 .php4 .php5 .php7

So I had to go back to cgi.fix_pathinfo=1


Hi, I have the same problem… I have a server configured as in another tutorial (Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 14.04 Droplet). My Joomla sites show “Access Denied” only for the frontend if php.ini -> cgi.fix_pathinfo=0; with cgi.fix_pathinfo=1 everything works fine.

What can I do? Thanks for the help.
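
One way to do the pathinfo fix mentioned in the comments above, as an added example that is not from any of the posters: nginx splits `/index.php/author-login` into a script name and PATH_INFO before handing it to PHP-FPM, so `security.limit_extensions` can stay at `.php` and `cgi.fix_pathinfo` at 0. The `server_name` and the socket path are placeholders; the root is taken from the error log in the question.

```nginx
# Added example. Assumes the pool keeps:  security.limit_extensions = .php
# and php.ini keeps:                      cgi.fix_pathinfo=0
server {
    listen 80;
    server_name example.test;                 # placeholder
    root /srv/test;                           # document root seen in the error log
    index index.php;

    # Static files (.js, .jpg, ...) are served by nginx and never reach PHP-FPM.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Matches "/index.php" and "/index.php/author-login".
    # Does not match "/upload.jpg", so such files are never passed to PHP.
    location ~ [^/]\.php(/|$) {
        # $fastcgi_script_name becomes "/index.php",
        # $fastcgi_path_info   becomes "/author-login".
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # try_files resets $fastcgi_path_info, so keep a copy first.
        set $path_info $fastcgi_path_info;

        # Return 404 unless the .php file itself exists on disk.
        try_files $fastcgi_script_name =404;

        include fastcgi_params;
        # FPM now receives /srv/test/index.php, which ends in .php
        # and passes the security.limit_extensions check.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $path_info;

        fastcgi_pass unix:/var/run/php5-fpm.sock;   # placeholder socket path
    }
}
```

Check the file with `nginx -t` before reloading nginx.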