0
votes

I am trying to use the trick described by Rob Van Aarle here to execute php pages in "paths not allowed" by default for Synology's web server...

The purpose is to create packages which do not depend on "Init_3rdparty" (this famous package which allows users to run php pages in path like /volumeX/@appstore/ on their Synology)

Basically, Rob suggests to call a script which execute the php page using php-cgi (/usr/local/bin/php56-cgi)

Ex.: call to a cgi like this to execute the page test.php located next to it.

#!/bin/sh
REDIRECT_STATUS=1 export REDIRECT_STATUS
SCRIPT_FILENAME=$(pwd)/test.php export SCRIPT_FILENAME
/usr/bin/php-cgi -d open_basedir=none $SCRIPT_FILENAME 2>&1

This is working fine.

But the complete idea of Rob is to use a .htaccess to redirect calls to any php pages toward a generic cgi script.

.htaccess

# Turn on rewrite engine.
RewriteEngine on

# Rewrite existing php files to the router script.
# Apache on the Synology NAS automatically redirects url
# containing '../' to the corresponding real path, before
# the router script is executed, so it's impossible to
# execute system files.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*\.php)$ router.cgi [PT,L,QSA,NE]

router.cgi

#!/bin/sh

# Set redirect_status to 1 to get php cgi working.
REDIRECT_STATUS=1 export REDIRECT_STATUS

# Fix several $_SERVER globals.
PHP_SELF=$SCRIPT_URL export PHP_SELF
SCRIPT_NAME=$SCRIPT_URL export SCRIPT_NAME

# Strip web base from SCRIPT_URL, concat it to parent directory
# and apply realpath to construct absolute path to requested script.
WEB_BASE="/webman/3rdparty"
SCRIPT_FILENAME=$(pwd)/..${SCRIPT_URL:${#WEB_BASE}}
SCRIPT_FILENAME=`realpath $SCRIPT_FILENAME`
export SCRIPT_FILENAME

# Execute the requested PHP file.
/usr/local/bin/php56-cgi -d open_basedir=none $SCRIPT_FILENAME 2>&1

I have added traces in the cgi and the problem is that it's never called on my DSM 6.1. So, it seems to me that the .htaccess is not "enabled". Concretely, a call to the php page is downloading that file.

Is an .htaccess assumed to be used on Synology DSM 6.1, when the DSM accesses a php page located in a non allowed path? If it should work, what could be misconfigured on the NAS ?

MANY thx in adv. for sharing your experience on this!

Here is the demo package created by Rob to illustrate his post.

1
probably a better question for serverfault.comuser8011997
Thx, I did try to post there [serverfault.com/questions/892033/…Valery Letroye

1 Answers

0
votes

I finally figure out the problem. The latest versions of DSM are using nginx by default, instead of apache, as a web server. And nginx is not using htaccess files.