请求中的正文在响应中返回
The body in request is returned in response
我将 docker 与 ngnix、php 和 mysql 一起使用。我还使用 api 平台版本 2.6.4。在服务器什么都不做之后,然后当我向端点发出请求时,它将 return 正常响应,但 json 也在请求正文中。我试图调试它,但这不是来自代码,它似乎是 ngnix 的形式,或者我不知道。但这发生在服务器空闲一段时间后没有发送请求但是当我发送请求时响应也有请求的主体。但这也不适用于所有请求,有时没有请求主体的响应很好。例如,我发送 post 请求到带有 body
的登录端点
{
"email": "test@test.eu",
"password": "password"
}
并得到响应:
{
"email": "test@test.eu",
"password": "password"
}{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}
这是错误的,有时我会收到像这样的正常回复:
{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}
这是我的配置文件。
[mysql]
extension = pdo_mysql
[intl]
extension = intl
[apcu]
extension = apcu
[sodium]
extension = sodium
[zip]
extension = zip
[php]
apc.enable_cli = 1
date.timezone = Europe/Bratislava
session.auto_start = Off
short_open_tag = Off
expose_php = Off
realpath_cache_size = 4096K
realpath_cache_ttl = 600
[opcache]
zend_extension = opcache
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 20000
opcache.memory_consumption = 256
opcache.validate_timestamps = 0
opcache.preload_user=www-data
opcache.preload=/var/www/config/preload.php
user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile off;
keepalive_timeout 65;
gzip on;
gzip_types text/html application/xml application/ld+json application/json ;
server {
server_name localhost;
root /var/www/public;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php(/|$) {
# optionally set the value of the environment variables used in the application
# fastcgi_param APP_ENV prod;
# When you are using symlinks to link the document root to the current version of your application, you should
# pass the real application path instead of the path to the symlink to PHP FPM. Otherwise, PHP's OPcache may
# not properly detect changes to your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Bigger buffer size to handle cache invalidation headers expansion
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
# Sets the address of a FastCGI server. The address can be specified as a domain name or IP address, and a port
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
}
}
这适用于所有 PATCH,POST 端点。有人经历过这种行为吗?我确实尝试禁用 opcache 和 apcu,但它没有帮助。
感谢
问题出在我的 php 容器配置中,我确实打开了端口 9000 (-p 9000:9000)。所以任何人都可以在这个请求“POST /usr/local/lib/php/PEAR.php 200”服务器开始执行此操作后进行攻击。修复此配置并重新安装容器后,一切都很好。关闭
我将 docker 与 ngnix、php 和 mysql 一起使用。我还使用 api 平台版本 2.6.4。在服务器什么都不做之后,然后当我向端点发出请求时,它将 return 正常响应,但 json 也在请求正文中。我试图调试它,但这不是来自代码,它似乎是 ngnix 的形式,或者我不知道。但这发生在服务器空闲一段时间后没有发送请求但是当我发送请求时响应也有请求的主体。但这也不适用于所有请求,有时没有请求主体的响应很好。例如,我发送 post 请求到带有 body
的登录端点{
"email": "test@test.eu",
"password": "password"
}
并得到响应:
{
"email": "test@test.eu",
"password": "password"
}{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}
这是错误的,有时我会收到像这样的正常回复:
{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}
这是我的配置文件。
[mysql]
extension = pdo_mysql
[intl]
extension = intl
[apcu]
extension = apcu
[sodium]
extension = sodium
[zip]
extension = zip
[php]
apc.enable_cli = 1
date.timezone = Europe/Bratislava
session.auto_start = Off
short_open_tag = Off
expose_php = Off
realpath_cache_size = 4096K
realpath_cache_ttl = 600
[opcache]
zend_extension = opcache
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 20000
opcache.memory_consumption = 256
opcache.validate_timestamps = 0
opcache.preload_user=www-data
opcache.preload=/var/www/config/preload.php
user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
sendfile off;
keepalive_timeout 65;
gzip on;
gzip_types text/html application/xml application/ld+json application/json ;
server {
server_name localhost;
root /var/www/public;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /index.php$is_args$args;
}
location ~ ^/index\.php(/|$) {
# optionally set the value of the environment variables used in the application
# fastcgi_param APP_ENV prod;
# When you are using symlinks to link the document root to the current version of your application, you should
# pass the real application path instead of the path to the symlink to PHP FPM. Otherwise, PHP's OPcache may
# not properly detect changes to your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Bigger buffer size to handle cache invalidation headers expansion
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
# Sets the address of a FastCGI server. The address can be specified as a domain name or IP address, and a port
fastcgi_pass php:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
}
}
这适用于所有 PATCH,POST 端点。有人经历过这种行为吗?我确实尝试禁用 opcache 和 apcu,但它没有帮助。
感谢
问题出在我的 php 容器配置中,我确实打开了端口 9000 (-p 9000:9000)。所以任何人都可以在这个请求“POST /usr/local/lib/php/PEAR.php 200”服务器开始执行此操作后进行攻击。修复此配置并重新安装容器后,一切都很好。关闭