Roberto De Ioris
2018-02-26 18:54:09 UTC
Hi all,
another LTS release is available:
https://github.com/unbit/uwsgi-docs/blob/master/Changelog-2.0.17.rst
it includes an optimization for the Emperor as well as a security
improvement in the PHP plugin.
This bug/security issue was reported by Marios Nicolaides weeks ago,
but required a lot of internal discussions, as its fix involved a change in
the default behaviour of an LTS release. The main problem was that the fix
changes the way the --php-docroot option works (without the patch and
without specifying which php extensions are allowed [that every sysadmin
should configure !!!], a malicious user could traverse the document root
and show a file out of it).
After a bunch of discussions we decided to make the option consistent with
the other plugins (like static file serving) where the DOCUMENT_ROOT is
checked multiple times for escaping attempts.
Marios will write a detailed blog post about it. Many thanks to him.
--
Roberto De Ioris
http://unbit.com
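To illustrate the kind of check the announcement describes (a request path is mapped under the document root, then verified against escaping attempts, both lexically and after symlink resolution, plus an extension allow-list), here is an added Python example. It is not uWSGI's code and does not reproduce the PHP plugin's implementation; the function and parameter names (`resolve_in_docroot`, `allowed_exts`) and the temporary directory layout are assumptions constructed for the example.

```python
import os
import tempfile


def build_fixture():
    """Constructed layout: a docroot holding index.php and notes.txt, a
    secret.php outside the docroot, and link.php inside the docroot that
    is a symlink to that outside file."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>")
    with open(os.path.join(docroot, "notes.txt"), "w") as f:
        f.write("plain text inside the root")
    with open(os.path.join(base, "secret.php"), "w") as f:
        f.write("<?php /* must never be served */ ?>")
    os.symlink(os.path.join(base, "secret.php"), os.path.join(docroot, "link.php"))
    return base, docroot


def is_within(root, path):
    """True if path is root itself or lies strictly below root.
    The trailing separator prevents /srv/htdocs-old matching /srv/htdocs."""
    root = root.rstrip(os.sep)
    return path == root or path.startswith(root + os.sep)


def resolve_in_docroot(docroot, request_path, allowed_exts=(".php",)):
    """Map a URL path onto a file below docroot, or return None.

    Two independent containment checks are made: a lexical one on the
    normalised joined path (catches ../ sequences) and a realpath one after
    symlink resolution (catches links pointing outside the root).
    allowed_exts=None disables the extension allow-list.
    """
    real_root = os.path.realpath(docroot)
    # Strip the leading slash so os.path.join does not discard the docroot.
    rel = request_path.lstrip("/")

    # Check 1: lexical normalisation, before touching the filesystem.
    candidate = os.path.normpath(os.path.join(real_root, rel))
    if not is_within(real_root, candidate):
        return None

    # Check 2: canonical path with every symlink resolved.
    resolved = os.path.realpath(candidate)
    if not is_within(real_root, resolved):
        return None

    # Extension allow-list (the setting the announcement says every
    # sysadmin should configure); applied to the resolved name.
    if allowed_exts is not None and os.path.splitext(resolved)[1] not in allowed_exts:
        return None

    if not os.path.isfile(resolved):
        return None
    return resolved


if __name__ == "__main__":
    _, root = build_fixture()
    for req in ("/index.php", "/../secret.php", "/link.php", "/notes.txt"):
        print(req, "->", resolve_in_docroot(root, req))
```

Note that the extension allow-list alone would not have stopped the symlink case here, since `link.php` carries an allowed extension; only the realpath containment check rejects it, which is why the two controls are kept separate.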