Possible widespread PHP configuration issue - security risk
Boris Dolgov
boris at dolgov.name
Fri Aug 27 21:20:13 MSD 2010
On Fri, Aug 27, 2010 at 9:17 PM, brianmercer <nginx-forum at nginx.us> wrote:
> As you say, your web app should have a plan for mitigating the dangers
> of user uploads. Drupal puts an .htaccess file in the upload directory
> which changes the apache file handler. Of course, that does nothing
> with nginx and so you want something like
>
> location ~ .*/files/.* {
>     try_files $uri =404; # or index.php?q=$uri or @drupal depending on your config
> }
>
> located before your location ~ .php so you get a match on the files
> directory and you don't execute malicious .php. Or something more
> restrictive when it comes to .php files like specifying the permitted
> executable files explicitly. see
> http://test.brianmercer.com/content/nginx-configuration-drupal
By the way, you can just write:
location ^~ /files/
{
try_files ...;
}
And if the request matches this location, no regular expression
locations will be tried.
--
Boris Dolgov.
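Putting the two suggestions in this exchange together as one complete server block, as an added example that is not from either poster: the upload directory is served by a `^~` prefix location, which stops nginx from ever evaluating the regex `.php` location for anything under `/files/`, and the PHP location itself only forwards scripts that exist on disk. The document root, hostname and PHP-FPM address are assumptions; the weak form is shown commented out for contrast.

```nginx
# Added example (not from the mailing-list thread).
# Assumed: document root /var/www/drupal, PHP-FPM on 127.0.0.1:9000.
server {
    listen 80;
    server_name example.com;          # assumed hostname
    root /var/www/drupal;             # assumed document root
    index index.php;

    # Weak form, for contrast only: a bare regex location for .php hands
    # /files/upload.php to PHP-FPM like any other script, because nothing
    # excludes the upload directory from it.
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     include fastcgi_params;
    # }

    # Hardened: user uploads are static files only. "^~" means that once
    # this prefix matches, nginx stops and does not evaluate any regex
    # location, so the .php block below can never claim a path in /files/.
    location ^~ /files/ {
        try_files $uri =404;          # or: try_files $uri @drupal;
    }

    location / {
        try_files $uri @drupal;
    }

    # Drupal front controller (q= style, as in the quoted suggestion).
    location @drupal {
        rewrite ^/(.*)$ /index.php?q=$1;
    }

    # Only run PHP scripts that exist on disk. "=404" refuses a request
    # such as /images/x.jpg/foo.php before it reaches PHP-FPM, since no
    # file by that full path exists.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;  # assumed PHP-FPM address
    }
}
```

Check the configuration with `nginx -t`, then request `/files/test.php` for a file you have uploaded yourself: the response should be the raw file bytes (or a 404), never PHP output. The `^~` modifier makes the upload location independent of where it appears relative to the `~ \.php$` block, which is the ordering trap the quoted message warns about.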