FastCGI security question

Igor Sysoev igor at
Fri Apr 23 11:00:31 MSD 2010

On Fri, Apr 23, 2010 at 08:42:19AM +0200, Jérôme Loyet wrote:

> Hi guys,
> I'm working on php-fpm and I had an idea for a new feature.
> I'd like to pass fastcgi headers to php-fpm which will set some PHP
> ini defines. It's the same as php_value or php_admin_value from the
> php apache module. I imagine something like:
> fastcgi_param PHP_INI_VALUE "display_errors=off";
> fastcgi_param PHP_ADMIN_INI_VALUE "open_basedir=/var/www:/tmp";
> Even if it sounds great, I wonder if it could be a security breach
> somehow. Is there a way a request can overwrite those parameters by
> forging a particular request ?

No, requests headers are always prefixed with "HTTP_" when they are passed
to FastCGI.

Igor Sysoev

More information about the nginx mailing list