Config Problem for Wordpress 2.5

Ed W lists at
Sun Apr 13 03:04:24 MSD 2008

>     location ~ .php$ {

this stuff in an include file for easier maintenance:

>        fastcgi_pass  localhost:9999;
>        fastcgi_index index.php;
>        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
>        fastcgi_param REQUEST_URI $request_uri;
>        fastcgi_param DOCUMENT_URI $document_uri;
>        fastcgi_param DOCUMENT_ROOT $document_root;
>        fastcgi_param REMOTE_ADDR $remote_addr;
>        fastcgi_param REMOTE_PORT $remote_port;
>        fastcgi_param SERVER_ADDR $server_addr;
>        fastcgi_param SERVER_PORT $server_port;
>        fastcgi_param SERVER_NAME $server_name;
>        fastcgi_param SCRIPT_FILENAME
> /var/www/mydomain$fastcgi_script_name;
>        fastcgi_param QUERY_STRING $query_string;
>        fastcgi_param REQUEST_METHOD $request_method;
>        fastcgi_param CONTENT_TYPE $content_type;
>        fastcgi_param CONTENT_LENGTH $content_length;

>     }

And be sure to notice that you just opened up a HUGE hole in that ANY 
.php file on the filesystem is now executable.  This means if you have 
an upload dir then if someone can upload a file with a .php extension to 
it then they can point their browser to it and trigger the rule above to 
execute that file... ugg

Limit the regexp to only trigger on dirs that you expect php scripts to 
be in - OR - setup a location for the upload dir with a break in it to 
take precedence over the .php rule.

The stuff above looks basically ok - you need to post your error 
messages to get more help

Ed W

More information about the nginx mailing list