Equivalent of Apache's SetEnv Variable

Grzegorz Nosek grzegorz.nosek at gmail.com
Thu Aug 5 11:17:17 MSD 2010

On śro, sie 04, 2010 at 02:48:07 -0700, Michael Shadle wrote:
> Someone just posted this on my blog:
> location ~ \.php$ {
> ....
> try_files $uri =404;
> ...
> }
> exploit http://site.ru/images/as5df3.jpeg/.php
> might be an interesting approach, haven't tried it yet. would this add
> an additional stat call or two though for every PHP request, Igor?

While we're at it, I had an experimental patch some time ago that
provided location mapping based on file extensions instead of URIs which
would prevent the above exploit.

The config looked like:

types {
  # ...
  application/x-httpd-php php;

location / {
  root /the/document/root;

location @application/x-httpd-php {
  fastcgi_pass ...; # etc.

It never went to production but I guess I could refresh and post it if
there's some interest in it and it has a chance of being accepted
upstream (guarded with some config option, of course).

Best regards,
 Grzegorz Nosek

More information about the nginx mailing list