Possible widespread PHP configuration issue - security risk
Igor Sysoev
igor at sysoev.ru
Fri Aug 27 22:39:01 MSD 2010
On Fri, Aug 27, 2010 at 11:06:00AM -0700, Michael Shadle wrote:
> Let's stop debating and start with a clean fix. It sounds like this is
> all that is needed. Anyone want to verify?
>
> php config:
> cgi.fix_pathinfo=0
>
> then just make sure nginx splits the path info for you in case your
> app needs it with fastcgi_split_path_info:
> location ~ \.php$ {
> fastcgi_pass 127.0.0.1:11000;
> include fastcgi_params;
> fastcgi_split_path_info ^(.+\.php)(.*)$; # just throw this in fastcgi_params too, then!
> }
>
> Is this the right solution? Yes or no?
- location ~ \.php$ {
+ location ~ \.php {
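Review bot: dropping the `$` anchor makes `location ~ \.php` match any URI that contains `.php` anywhere, for example `/image.php.jpg` or `/notes.phpx`, not only URIs that end in `.php` or carry path info after it. That is what lets `/index.php/foo` reach FastCGI instead of the static file handler, but it also sends requests for non-script names to PHP, so this two-line change only holds together with the `cgi.fix_pathinfo=0` and `fastcgi_split_path_info ^(.+\.php)(.*)$` from the quoted message; the reply should say so rather than leave the `$` removal unexplained.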
BTW, in 0.8.x you may use
location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
fastcgi_pass 127.0.0.1:11000;
fastcgi_param SCRIPT_FILENAME $script;
fastcgi_param PATH_INFO $path_info;
include fastcgi_params;
}
--
Igor Sysoev
http://sysoev.ru/en/