Possible widespread PHP configuration issue - security risk

Michael Shadle mike503 at gmail.com
Fri Aug 27 22:06:00 MSD 2010


Let's stop debating and start with a clean fix. It sounds like this is
all that is needed. Anyone want to verify?

php config:
cgi.fix_pathinfo=0

then just make sure nginx splits the path info for you in case your
app needs it with fastcgi_split_path_info:
location ~ \.php$ {
   fastcgi_pass 127.0.0.1:11000;
   include fastcgi_params;
   fastcgi_split_path_info ^(.+\.php)(.*)$; # just throw this in fastcgi_params too, then!
}

Is this the right solution? Yes or no?
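
The following is an added example, not part of the original post: a small Python model of which script name and path info the posted location block would hand to PHP. The second location pattern (`PATHINFO_LOCATION_RE`), the `route` helper and the sample URIs are assumptions made for this illustration.

```python
import re

# Both patterns are copied from the nginx config in the message above.
LOCATION_RE = re.compile(r"\.php$")        # location ~ \.php$
SPLIT_RE = re.compile(r"^(.+\.php)(.*)$")  # fastcgi_split_path_info

# Assumption, not from the message: a location pattern that also admits
# URIs carrying path info after the script name.
PATHINFO_LOCATION_RE = re.compile(r"[^/]\.php(/|$)")


def route(uri, location_re=LOCATION_RE):
    """Model which (script_name, path_info) pair nginx would send to PHP.

    Returns None when the location does not match, i.e. the request is
    never passed to the FastCGI backend by this block.
    """
    if not location_re.search(uri):
        return None
    m = SPLIT_RE.match(uri)
    if m is None:
        # No split match: nginx keeps the whole URI as the script name.
        return (uri, "")
    # The first group is greedy, so the split happens at the LAST ".php".
    return (m.group(1), m.group(2))


# Constructed sample URIs (query strings already stripped, as nginx does
# before location matching).
SAMPLES = ["/index.php", "/index.php/article/42",
           "/index.php/export.php", "/static/logo.png"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r:28} as posted: {route(uri)!s:36} "
              f"path-info location: {route(uri, PATHINFO_LOCATION_RE)}")
```

With the location as posted, a URI that carries path info after the script name never reaches the block, so the split only yields non-empty path info once the location pattern admits such URIs.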
