Merge pull request #9155 from MrPetovan/bug/9154-forbid-bin

Forbid non-CLI access to command-line scripts
2020-09-07 13:01:10 +02:00 · 2020-09-07 13:01:10 +02:00 · 2f168d17f4
commit 2f168d17f4
parent 6728b518ab ae045eff41
10 changed files with 49 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -71,8 +71,8 @@ venv/
 /addons
 /addon

-#ignore .htaccess
-.htaccess
+#ignore base .htaccess
+/.htaccess

 #ignore filesystem storage default path
 /storage
--- a/.htaccess-dist
+++ b/.htaccess-dist
@ -1,3 +1,6 @@
+# This file is meant to be copied to ".htaccess" on Apache-powered web servers.
+# The created .htaccess file can be edited manually and will not be overwritten by Friendica updates.
+
 Options -Indexes
 AddType application/x-java-archive .jar
 AddType audio/ogg .oga
--- a/bin/.htaccess
+++ b/bin/.htaccess
@ -0,0 +1,10 @@
+# This file prevents browser access to Friendica command-line scripts on Apache-powered web servers.
+# It isn't meant to be edited manually, please check the base Friendica folder for the .htaccess-dist file instead.
+
+<IfModule authz_host_module>
+    Require all denied
+</IfModule>
+<IfModule !authz_host_module>
+    Order Allow,Deny
+    Deny from all
+</IfModule>
--- a/bin/auth_ejabberd.php
+++ b/bin/auth_ejabberd.php
@ -51,6 +51,11 @@
 *
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}
+
 use Dice\Dice;
 use Friendica\App\Mode;
 use Friendica\Util\ExAuth;
--- a/bin/console.php
+++ b/bin/console.php
@ -20,6 +20,11 @@
 *
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}
+
 use Dice\Dice;
 use Psr\Log\LoggerInterface;

--- a/bin/daemon.php
+++ b/bin/daemon.php
@ -23,6 +23,11 @@
 * This script was taken from http://php.net/manual/en/function.pcntl-fork.php
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}
+
 use Dice\Dice;
 use Friendica\Core\Logger;
 use Friendica\Core\Worker;
--- a/bin/testargs.php
+++ b/bin/testargs.php
@ -26,6 +26,10 @@
 *
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}

 if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) {
 	echo $_SERVER["argv"][1];
--- a/bin/wait-for-connection
+++ b/bin/wait-for-connection
@ -24,6 +24,11 @@
 * Usage: php bin/wait-for-connection {HOST} {PORT} [{TIMEOUT}]
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}
+
 $timeout = 60;
 switch ($argc) {
 	case 4:
--- a/bin/worker.php
+++ b/bin/worker.php
@ -21,6 +21,11 @@
 * Starts the background processing
 */

+if (php_sapi_name() !== 'cli') {
+	header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+	exit();
+}
+
 use Dice\Dice;
 use Friendica\App;
 use Friendica\Core\Update;
--- a/mods/sample-nginx.config
+++ b/mods/sample-nginx.config
@ -141,4 +141,9 @@ server {
  location ~ /\. {
    deny all;
  }
+
+  # deny access to the CLI scripts
+  location ^~ /bin {
+    deny all;
+  }
 }