FastCGI security question
jerome at loyet.net
Fri Apr 23 10:42:19 MSD 2010
I'm working on php-fpm and I had an idea for a new feature.
I'd like to pass fastcgi headers to php-fpm which will set some PHP
ini defines. It's the same as php_value or php_admin_value from the
php apache module. I imagine something like:
fastcgi_param PHP_INI_VALUE "display_errors=off";
fastcgi_param PHP_ADMIN_INI_VALUE "open_basedir=/var/www:/tmp";
Even if it sounds great, I wonder if it could be a security breach
somehow. Is there a way a request can overwrite those parameters by
forging a particular request ?
thx for your advices
More information about the nginx