Some security vulnerable

Thomas Love tomlove at
Sun Jun 5 17:40:24 MSD 2011

On 5 June 2011 12:01, Kraiser <nginx-forum at> wrote:
> What do you guys think about implement this into nginx just like it is
> in apache?
> if ( $fastcgi_script_name ~ \..*\/.*php ) {
> return 403;
> }
> because without that some servers which allows to upload images are
> vulnerable to external exploits.

They're vulnerable because of bad site design and configuration
(although I do think nginx's location parsing logic makes it
uncomfortably easy to produce insecure configurations). Why not
eliminate the vulnerability instead of hardening against it with more
configuration? The .php match should not be attempted in any untrusted
user-upload directory -- use sub-locations.


More information about the nginx mailing list