Merge pull request #9155 from MrPetovan/bug/9154-forbid-bin

Forbid non-CLI access to command-line scripts
This commit is contained in:
Tobias Diekershoff 2020-09-07 13:01:10 +02:00 committed by GitHub
commit 2f168d17f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 49 additions and 2 deletions

4
.gitignore vendored

@ -71,8 +71,8 @@ venv/
/addons /addons
/addon /addon
#ignore .htaccess #ignore base .htaccess
.htaccess /.htaccess
#ignore filesystem storage default path #ignore filesystem storage default path
/storage /storage


@ -1,3 +1,6 @@
# This file is meant to be copied to ".htaccess" on Apache-powered web servers.
# The created .htaccess file can be edited manually and will not be overwritten by Friendica updates.
Options -Indexes Options -Indexes
AddType application/x-java-archive .jar AddType application/x-java-archive .jar
AddType audio/ogg .oga AddType audio/ogg .oga

10
bin/.htaccess Normal file

@ -0,0 +1,10 @@
# This file prevents browser access to Friendica command-line scripts on Apache-powered web servers.
# It isn't meant to be edited manually, please check the base Friendica folder for the .htaccess-dist file instead.
<IfModule authz_host_module>
Require all denied
</IfModule>
<IfModule !authz_host_module>
Order Allow,Deny
Deny from all
</IfModule>
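Review bot: The module tested on the `<IfModule>` lines is not the one that provides the directive inside them: `Require all denied` comes from mod_authz_core (identifier `authz_core_module`), while mod_authz_host also exists on Apache 2.2, where it is the module that implements `Order`/`Deny` and `Require all` is not understood, so a 2.2 server with it loaded would take the first branch and most likely answer with a 500 config error rather than a clean 403 (still fail-closed, but noisy). Using `<IfModule authz_core_module>` and `<IfModule !authz_core_module>` keys the branches on the directive actually used. Separately, this file is only honoured when the vhost's `AllowOverride` includes `AuthConfig` (for `Require`) or `Limit` (for `Order`/`Deny`); under `AllowOverride None` Apache silently ignores it and the scripts stay reachable, which is worth a line in the header comment, e.g. `# Only effective if AllowOverride permits AuthConfig/Limit for this directory; the SAPI check inside each script is the fallback.`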


@ -51,6 +51,11 @@
* *
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
use Dice\Dice; use Dice\Dice;
use Friendica\App\Mode; use Friendica\App\Mode;
use Friendica\Util\ExAuth; use Friendica\Util\ExAuth;
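Review bot: The added guard reads `$_SERVER["SERVER_PROTOCOL"]`, which is only populated by an HTTP SAPI; for a non-CLI, non-web SAPI such as phpdbg or embed the key is absent, so the line emits an undefined-index notice and passes `" 403 Forbidden"` to `header()`, which is not a usable status line. `http_response_code(403); exit();` sets the status without depending on `$_SERVER`, and `PHP_SAPI !== 'cli'` on the guard line avoids the function call for a constant the engine already provides. The identical guard is added in each of the other PHP sections of this commit (the ones importing `LoggerInterface`, `Worker`, the argv echo script, `bin/wait-for-connection` and the `Update` script), so the same change applies there. This in-script check is the only protection on web servers that receive neither the Apache `.htaccess` nor the nginx sample rule, so it should stay as the first executable statement of each file, as it is here.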


@ -20,6 +20,11 @@
* *
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
use Dice\Dice; use Dice\Dice;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;


@ -23,6 +23,11 @@
* This script was taken from http://php.net/manual/en/function.pcntl-fork.php * This script was taken from http://php.net/manual/en/function.pcntl-fork.php
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
use Dice\Dice; use Dice\Dice;
use Friendica\Core\Logger; use Friendica\Core\Logger;
use Friendica\Core\Worker; use Friendica\Core\Worker;


@ -26,6 +26,10 @@
* *
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) { if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) {
echo $_SERVER["argv"][1]; echo $_SERVER["argv"][1];


@ -24,6 +24,11 @@
* Usage: php bin/wait-for-connection {HOST} {PORT} [{TIMEOUT}] * Usage: php bin/wait-for-connection {HOST} {PORT} [{TIMEOUT}]
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
$timeout = 60; $timeout = 60;
switch ($argc) { switch ($argc) {
case 4: case 4:


@ -21,6 +21,11 @@
* Starts the background processing * Starts the background processing
*/ */
if (php_sapi_name() !== 'cli') {
header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
exit();
}
use Dice\Dice; use Dice\Dice;
use Friendica\App; use Friendica\App;
use Friendica\Core\Update; use Friendica\Core\Update;


@ -141,4 +141,9 @@ server {
location ~ /\. { location ~ /\. {
deny all; deny all;
} }
# deny access to the CLI scripts
location ^~ /bin {
deny all;
}
} }
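Review bot: `location ^~ /bin` is a prefix match, so it denies `/bin/...` but also any URI that merely starts with `/bin` (a hypothetical `/binary` route would be shadowed by it); `location ^~ /bin/ { deny all; }` confines the rule to the directory, with the caveat that a bare `/bin` request then falls through to the general rules and should be checked not to be served as a directory. The `^~` modifier is the right choice here because it stops the regex `location ~ \.php$` handler from picking up scripts under the directory. Since this is a sample config, existing installations have to apply the block by hand, so the in-script SAPI check added elsewhere in this commit is what protects them in the meantime; a short note to that effect above the block, e.g. `# deny access to the CLI scripts (the scripts also refuse non-CLI SAPIs themselves)`, would make the layering explicit. The enclosing `server {` block starts outside the hunk.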