Add security measures to block PHP execution in storage directory (#641)

jaydrogers · web-flow · commit 919fd470827d · 2026-01-16T13:50:12.000-06:00
Implemented restrictions across Apache, NGINX, and FrankenPHP configurations to prevent the execution of PHP files in the /storage directory, addressing potential vulnerabilities related to arbitrary file uploads (GHSA-29cq-5w36-x7w3).
diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf
@@ -55,6 +55,12 @@ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains
 # | File Access Restrictions                                                   |
 # ------------------------------------------------------------------------------
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+<LocationMatch "^/storage/.*\.php$">
+    Require all denied
+</LocationMatch>
+
 # Block access to all hidden files and directories (dotfiles)
 # EXCEPT for the "/.well-known/" directory which is required by RFC 8615
 # for ACME challenges, security.txt, and other standardized endpoints.
diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template
@@ -30,6 +30,12 @@ location / {
     try_files $uri $uri/ /index.php?$query_string;
 }
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+    deny all;
+}
+
 # Pass "*.php" files to PHP-FPM
 location ~ \.php$ {
     fastcgi_pass   127.0.0.1:9000;
diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template
@@ -36,6 +36,12 @@ location / {
     try_files $uri $uri/ /index.php?$query_string;
 }
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+    deny all;
+}
+
 # Pass "*.php" files to PHP-FPM
 location ~ \.php$ {
     fastcgi_pass   127.0.0.1:9000;
diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile
@@ -138,6 +138,11 @@ fd00::/8 \
 	#   RFC 8615 - Well-Known URIs
 	#   https://www.rfc-editor.org/rfc/rfc8615
 
+	# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+	# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+	@storage-php path_regexp ^/storage/.*\.php$
+	respond @storage-php 403
+
 	# Block access to files that may expose sensitive information
 	@rejected {
 		path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*
