Equivalent of Apache's SetEnv Variable
lists at wildgooses.com
Thu Aug 5 01:44:51 MSD 2010
On 04/08/2010 01:21, Michael Shadle wrote:
> What I've realized over the couple years I've been using nginx is that
> most people overengineer their configuration. I hardly ever need more
> than a few lines of special sauce for anything I've run in nginx. Of
> course, I'm a minimalist.

However, all the default configs that I have seen for PHP setups on the
wiki, etc., seem insecure to my mind. They nearly all point *all* files
named xx.php to be processed by your php interpreter. Coupled with
nearly all non-trivial applications having some "upload" feature, this
allows a gaping potential issue: upload arbitrary files named xx.php
and you are allowing arbitrary code to be uploaded...

I set up my machines to only point files in limited directories to be
processed by the php interpreter. Coupled with specific handling of any
upload/temp/template/public directories or anywhere else that might
accidentally contain something it shouldn't...

See, just checked the wiki. Surely this example allows you to
immediately upload a new file with a .php suffix and exploit the server?
Does Drupal allow uploads? If so then good luck...
Surely Dokuwiki allows uploads?

Make your config secure! Don't just trust the upload function parsing
and allowing only certain filename patterns!
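An added example, not from this thread or from the nginx wiki, contrasting the catch-all `location ~ \.php$` pattern the post objects to with a layout that only hands explicitly listed scripts to the interpreter and refuses .php anywhere files can be uploaded. The hostname, document root, PHP-FPM address, directory names and entry-point scripts are assumptions; the `try_files $uri =404` line goes a step beyond the post by also refusing scripts that do not exist on disk.

```nginx
# Weak setting, as commonly copied from wiki examples: every request ending
# in .php, anywhere under the root, reaches the interpreter, so a file that
# arrives via an upload form as /uploads/x.php would be executed.
#
#   location ~ \.php$ {
#       fastcgi_pass 127.0.0.1:9000;
#       include fastcgi_params;
#   }

server {
    listen 80;
    server_name example.com;               # assumed hostname
    root /var/www/app;                     # assumed document root

    # 1. Directories that may legitimately receive user-supplied files
    #    (names assumed) are static-only. "^~" stops nginx from consulting
    #    the regex locations below; the nested location refuses any .php.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
    }
    location ^~ /tmp/ {
        location ~ \.php$ { return 403; }
    }

    # 2. Only explicitly listed entry points are passed to PHP-FPM.
    #    Regex locations are tested in order, so this wins over the
    #    generic .php location further down.
    location ~ ^/(index|admin/index)\.php$ {
        # Do not proxy a request whose script is absent from disk.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;       # assumed PHP-FPM listener
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # 3. Any other .php file that ends up on disk is refused outright
    #    rather than executed, and not served as plain text either
    #    (which would disclose its source).
    location ~ \.php$ {
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

A quick check after deploying is to request a freshly placed `.php` file under `/uploads/` and confirm the answer is 403 rather than interpreter output.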