From b279ad14aa457f1b2ca3509ea8e3423b083987ac Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Fri, 16 Jan 2026 11:18:03 -0600 Subject: [PATCH] Add security measures to block PHP execution in storage directory Implemented restrictions across Apache, NGINX, and FrankenPHP configurations to prevent the execution of PHP files in the /storage directory, addressing potential vulnerabilities related to arbitrary file uploads (GHSA-29cq-5w36-x7w3). --- .../fpm-apache/etc/apache2/conf-available/security.conf | 6 ++++++ .../fpm-nginx/etc/nginx/site-opts.d/http.conf.template | 6 ++++++ .../fpm-nginx/etc/nginx/site-opts.d/https.conf.template | 6 ++++++ src/variations/frankenphp/etc/frankenphp/Caddyfile | 5 +++++ 4 files changed, 23 insertions(+) diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf index 990648e7..f572f250 100644 --- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf +++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf @@ -55,6 +55,12 @@ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains # | File Access Restrictions | # ------------------------------------------------------------------------------ +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) + + Require all denied + + # Block access to all hidden files and directories (dotfiles) # EXCEPT for the "/.well-known/" directory which is required by RFC 8615 # for ACME challenges, security.txt, and other standardized endpoints. diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template index 1d6ee8e6..08a90ff9 100644 --- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template 
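Review bot: The container directive that should enclose `Require all denied` is not visible in this rendering of the Apache hunk, so the match scope (filesystem path vs. URI, regex anchoring, case-sensitivity) cannot be confirmed from the page. The nginx side of this same commit matches case-insensitively (`~*`), while Apache regex containers are case-sensitive unless the pattern starts with `(?i)`, so an upload named `shell.PHP` would be treated differently by the two variants if the Apache pattern lacks it. A comment recording the intent would help whoever maintains this next: `# Match the URI path /storage/... (Laravel's public storage link) case-insensitively so shell.PHP is refused as well as shell.php`. It is also worth stating in the comment that this refuses the request at the web server only; it does not stop PHP itself from including a planted file, so the FPM pool's `security.limit_extensions` remains the second layer.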
+++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template @@ -30,6 +30,12 @@ location / { try_files $uri $uri/ /index.php?$query_string; } +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) +location ~* ^/storage/.*\.php$ { + deny all; +} + # Pass "*.php" files to PHP-FPM location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template index 0685ac17..810ff074 100644 --- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template +++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template @@ -36,6 +36,12 @@ location / { try_files $uri $uri/ /index.php?$query_string; } +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) +location ~* ^/storage/.*\.php$ { + deny all; +} + # Pass "*.php" files to PHP-FPM location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile index e914049c..50b2158b 100644 --- a/src/variations/frankenphp/etc/frankenphp/Caddyfile +++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile @@ -138,6 +138,11 @@ fd00::/8 \ # RFC 8615 - Well-Known URIs # https://www.rfc-editor.org/rfc/rfc8615 + # Block PHP execution in storage directory to prevent uploaded malicious PHP files from running + # Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) + @storage-php path_regexp ^/storage/.*\.php$ + respond @storage-php 403 + # Block access to files that may expose sensitive information @rejected { path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*
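Review bot: The new `location ~* ^/storage/.*\.php$` block only takes effect because it sits above `location ~ \.php$`; nginx evaluates regex locations in file order and stops at the first match, so moving the PHP-FPM block up, or adding an earlier `\.php$` regex, silently disables the protection. Nothing in the hunk records that ordering dependency; I would add `# NOTE: regex locations match in file order - this block MUST stay above "location ~ \.php$" or it is bypassed.` directly above it. Separately, `deny all;` answers 403, which confirms to an attacker that the upload landed; `return 404;` would give the same protection without that signal, if that trade-off is preferred.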
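Review bot: The https template repeats the http template's rule verbatim, and the pattern is only sufficient because the FPM handler below it is restricted to `\.php$`; if either template later widens the handler regex (for example to `\.ph(p|tml|ar)$`) without touching the other, the two variants diverge and one of them will execute uploads again. A comment tying the two together, `# Keep this extension list identical to the "location ~ \.php$" handler below and to http.conf.template.`, makes the coupling visible. Whether site-opts.d supports a shared included snippet that both templates could pull in is not visible from this hunk; if it does, a single file would remove the drift risk entirely.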
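Review bot: The Caddy matcher `@storage-php path_regexp ^/storage/.*\.php$` is case-sensitive, whereas the nginx variants in this commit use `~*`; a file uploaded as `shell.PHP` would not be matched here, so the three variations do not enforce the same policy. Prefixing the pattern with an inline flag, `@storage-php path_regexp (?i)^/storage/.*\.php$`, restores parity. Whether `path_regexp` in this Caddy version is evaluated on the decoded or the raw request path, and therefore whether `%2E`-encoded variants are caught, is not visible from the hunk and is worth checking against the Caddy docs. The rule also relies on `respond` running before `php_server` in Caddy's directive ordering; any `order` overrides live outside this hunk, so I cannot confirm none of them change that.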