Possible widespread PHP configuration issue - security risk
Igor Sysoev
igor at sysoev.ru
Fri Aug 27 22:55:01 MSD 2010

On Fri, Aug 27, 2010 at 11:41:38AM -0700, Michael Shadle wrote:
> On Fri, Aug 27, 2010 at 11:39 AM, Igor Sysoev <igor at sysoev.ru> wrote:
>
> > location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
> >     fastcgi_pass 127.0.0.1:11000;
> >     fastcgi_param SCRIPT_FILENAME $script;
>
> Doesn't this typically have the $document_root$fastcgi_script_name -
> so the full system path?

You are right:

    fastcgi_param SCRIPT_FILENAME /path/to/files$script;

or

    fastcgi_param SCRIPT_FILENAME $document_root$script;

> Thanks for the pointers, though.
>
> I will begin adopting this style once I check it quick and pushing it
> on everyone I know...

This way saves one regex execution.

BTW, it's better for performance and configuration maintenance reasons
to isolate regex locations inside static ones as Maxim has shown:

    location / {
        location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
            ...
        }
        ...
    }

    location /dir1/ {
        ...
    }

    location /dir2/ {
        location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
            ...
        }
        ...
    }

--
Igor Sysoev
http://sysoev.ru/en/
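
Added example, not part of the original message and not nginx code: a Python emulation of the location regex above, showing what the named captures $script and $path_info hold for a few URIs and what $document_root$script then resolves to. The sample URIs, the temporary document root and the regular-file check are assumptions made for illustration; Python writes named groups as (?P<name>...) but matches this pattern the same way PCRE does.

```python
import os
import re
import tempfile

# The location regex from the message, with Python's named-group spelling.
LOCATION_RE = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")


def split_uri(uri):
    """Return (script, path_info) as the named captures would hold them, or None."""
    m = LOCATION_RE.match(uri)
    return (m.group("script"), m.group("path_info")) if m else None


def script_filename(document_root, uri):
    """Value of SCRIPT_FILENAME for `$document_root$script`; None if no match."""
    parts = split_uri(uri)
    return document_root + parts[0] if parts else None


def is_regular_script(document_root, uri):
    """True only when the captured script names an existing regular file."""
    path = script_filename(document_root, uri)
    return path is not None and os.path.isfile(path)


def demo():
    """Build a constructed document root and evaluate constructed sample URIs."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "index.php"), "w").close()
        uris = [
            "/index.php",          # plain script request
            "/index.php/a/b",      # script followed by path info
            "/index.php/x.php",    # greedy .+ runs to the LAST ".php"
            "/missing.php/extra",  # captured script does not exist
            "/style.css",          # regex location does not match
        ]
        return {u: (split_uri(u), is_regular_script(root, u)) for u in uris}


if __name__ == "__main__":
    for uri, (parts, ok) in demo().items():
        print(f"{uri!r:24} captures={parts} regular_file={ok}")
```

Because `.+` is greedy, /index.php/x.php is captured whole as $script with an empty $path_info, so SCRIPT_FILENAME points at a path that is not a regular file.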